Madam Chairman, Members of the Subcommittee, good afternoon. My name is Stephen Katz, I am Chief Information Security Officer for Citibank.

I would like to thank you for the opportunity to appear before this Subcommittee hearing to discuss "The Role of Computer Security in Protecting the US Infrastructure", and to share with you our views on the appropriate role of government and of the private sector in securing this country’s information and telecommunications infrastructures.

My remarks will focus on:

• Framework; what do we mean by Information Security?
• Background remarks on the state of Information Security in the Banking sector
• Vulnerabilities, Risk and Risk Assessment
• Recommendations on the appropriate role of the government and the private sector in securing both the information and telecommunications infrastructures.

First, let me begin by saying that the main product offered by banks is trust; We have a trust contract with our customers to assure the integrity, confidentiality and availability of data. And, in today’s world, that is 24 hours/day, from anywhere in the world. Anything that jeopardizes that trust relationship poses a risk to the bank incurring the problem, and any significant compromise occurring at one or more of the money center or super regional banks, poses a substantial risk to the financial services infrastructure of the country.

Further, going forward, we expect to see a virtual explosion of Internet based commerce. While predictions of the dollar value of Internet commerce vary, most, if not all, industry observers believe that billions of dollars of business activity will migrate to the Internet over the next few years. The most significant tool to facilitate this migration is security and confidentiality of information transmitted between banks and their customers, and certainty of knowing with whom we are doing business. Lack of security will all but prevent this migration from occurring.

To put this in a framework, the essence of information security and the key to minimizing the threat to the banking services infrastructure, can be found in the answers to seven fundamental questions:

1. Do we know who is using the service? – What methods/technologies (e.g., passwords, one time password generators, digital certificates) are being used to verify the identity of someone attempting to use or access a bank service?

 

2. Can we control what they do? – Once we have verified a customer’s identity can the security service route the customer to the systems/products which they are authorized to use? And ensure that they are restricted to such systems/products?

 

3. Can we ensure the privacy of information? – Are we using an effective level of cryptography to ensure that only authorized systems, or users can read the information?

 

4. Can we prevent unauthorized changes to information? – Have we implemented technology that will ensure that we will immediately know that information transmitted to the bank has been changed?

 

5. Can we provide for non-repudiation of a transaction? – Have we implemented an effective means to digitally sign a transaction, message, or instruction submitted to the bank that will prevent denial of responsibility for the message?

 

6. Do we know if there is a problem and is it soon enough to take appropriate action? – One of the key concerns in the industry is that System Administrators are either unaware of unauthorized attempts to access a system or they find out about it too late to take meaningful action. In fact, this is an issue that has been highlighted in a number of GAO reports.

 

7. Can we ensure access to the service? – What tools or technologies have been implemented to reduce the risk of denial of service attacks against a system? And, if access to a system is denied, have effective continuity of business plans been developed and tested?

First, I would like to take this opportunity to correct a significant misconception. Contrary to what has been reported in the media, banks must and consistently do comply with extensive regulatory requirements for reporting losses resulting from breaches in information security. Further, the minority staff statement coming from the U.S. Senate Permanent Subcommittee on Investigations hearings on Security in Cyberspace, held on June 5, 1996, found no evidence of any financial institutions failure to report, or attempt to cover up, any electronic intrusion.

It is my assessment that banks are leaders in implementing across the board information security programs, and Banks tend to be aware of and take action to minimize threats and vulnerabilities. Banks have been one of the largest users of cryptography to ensure the confidentiality and integrity of customer information, and we are among the earliest adapters and leaders in implementing state of the art technology for verifying identity of customers using our services electronically.

Generally speaking, within Banking, we endeavor to make information security an integral element of risk management and to ensure that senior management is responsible for instituting effective levels of security. In addition, we also tend to assure that information security issues are addressed as part of business and product development efforts. There are multiple reasons for this:

• Sound business practice requires that we ensure public confidence by meeting our trust contract with our customers;

• We are heavily regulated by numerous authorities, including the Federal Reserve Board, OCC, FDIC, OTS, and state banking authorities, all of which require that we implement information security and continuity of business programs;

• Industry operations, and use of security and technology are closely observed by investors, security analysts, customers and the media;

• Banks generally have stringent internal audit programs that monitor compliance with federal and state mandated security programs.
  

Banks have also been among the leaders in developing, acquiring and implementing self assessment technologies to ensure that we are in compliance with internally developed information security policy and standards. In addition, associations like the American Bankers Association and the New York Clearing House have for years encouraged and facilitated ongoing dialog and sharing of information among Bank Information Security Officers. Bank Information Security Officers have also been leading participants in information security industry associations.

Vulnerabilities and Threats

The banking and financial services industry is undergoing significant change. We are now beginning to implement 24 hour/day, 7 day/week electronic commerce services to our customers from anywhere in the world. And, we as an industry are beginning to do this via the Internet. In addition, increasing numbers of banks are outsourcing operations and technology. Since bank products and services are inexorably intertwined with technology, it is essential that security is a fundamental component of any product offered. As a result, there must be an ongoing assessment of vulnerability and threat.

Some of the specific threats/vulnerabilities we are facing include:

• Global availability, via the Internet, of a multitude of hacker bulletin boards, tools and malicious code, (e.g., viruses, Trojan horses, denial of service programs and programs designed to steal or corrupt data or passwords transiting networks).

• Increasing use of electronic commerce requires multiple entry points into Bank systems and potentially new infrastructures to accommodate new products and demand for information. This again, has the potential to introduce new levels of risk. As a result, we must have the effective implementation of firewalls, enhanced forms of access control and robust cryptography to mitigate the risk.

• Risk Assessment Weakness: a fundamental concept for determining risk requires understanding probability of occurrence. However, there is virtually no data available to make this determination. We can determine vulnerability and threat, and we can assess the impact of an occurrence. What we do in Banking, is determine vulnerability, threat, and the financial and reputational impact of a single occurrence, rather than probability of occurrence, and then institute relevant controls.

• Internal threat: It is estimated that the greatest exposure posed to a company is from security breaches caused by insiders. They have the availability, access and knowledge to compromise or shut down systems and networks. However, while banks routinely perform drug testing, submit fingerprints to the FBI, and conduct minimal background checks, we do not have the mechanisms available to thoroughly and openly check the backgrounds and employment history of current and potential employees.

• In addition, concern about liability tends to prevent prior employers from discussing employee performance issues. In fact, all that is usually provided are dates of employment. We don’t have anything that even remotely resembles the type of background check used by the government for security clearances.

• Technology: New and emerging technology either does not have effective security, or vendors tend to deliver hardware and software with security functionality "turned off". In addition, most of this technology is delivered with default passwords enabled. As a result, unless extreme care is taken, backdoors, vulnerabilities and unauthorized entry points into systems, networks and firewalls are left open.

• There are minimal risks and penalties for attacking systems. First, it is extremely difficult to catch someone in the act. Then there is the challenge of tracking and locating the person causing the problem. We then face the difficulty of arresting, possibly extraditing and then actually convicting the person.

• Education and Awareness: There is all but a total absence of public programs needed to make senior management and government officials aware of the need for securing information and detailing their responsibility for ensuring that information security risk is addressed.

• Intrusion Detection: There are few effective tools available today that can function as "real-time" burglar alarms to notify security staffs of any actual or attempted attacks on systems.

• Security Assessment Tools: There are few effective automated tools available that can be used to verify the state of security on processing systems, networks and firewalls.

Sound Practices for Information Security: Approximately a year ago the New York Federal Reserve Bank formed a task force responsible for developing information security "sound practices" for Internet based electronic commerce. The task force was under the aegis of the supervisory wing of the New York Fed; however, they did not use an examiner to lead the effort. They asked the person responsible for internal security at the New York Fed to lead the effort. He was a well known and an active member of a number of banking industry and information security organizations; and well respected in the private/banking sector.

In preparing the standard practices, the task force had numerous meetings with 35 - 40 banks, audit & accounting firms, consulting firms, universities and other private sector companies. As the report was nearing completion, the Fed team asked the participants to vet the document. The result was an outstanding piece of work that will help set the direction for information security policy, standards and practices within the banking sector.

I recommend that the government charter and direct a small task force lead by recognized security professionals with extensive practical experience to develop "sound practices" for information security that would be applicable to both the government and private sectors. Please note that I am not advocating developing best practices, since best is always a moving target. I am also not advocating developing detailed, across-the-board standards. What I am advocating is the development of an information security "sound practices" document.

Risk Awareness: As OCC circular BC 177 holds boards of directors responsible for having effective disaster recovery plans, so too should the boards have overset and responsibility for information security. The state of security and information security issues needs to be routinely addressed at the board of director level.

Privacy and confidentiality: The banking sector is heavily regulated by numerous federal and state authorities. And, data recovery is often part of examinations performed by the regulators. That coupled with the requirement to ensure the privacy of customer information as it transits global networks and as stored on bank systems mandates the need for and justifies the global use of unrestricted, robust cryptography regardless of keylength; without requiring mandatory key escrow or key recovery.

Since electronic commerce is global and borderless, multiple governments around the world would have access to escrowed keys. As a result, each government would be responsible for establishing and implementing auditable processes for securing access to those keys, and guaranteeing that they can prevent unauthorized access to those keys. In addition, they would have to implement an ongoing security assessment process to ensure that security remains effective. This is a monumental effort, and if not effectively done, creates an extraordinary exposure to the banking system.

The risk surrounding any mandatory key escrow/key recovery process is significant. Further, any mandatory key escrow/key recovery process in which numerous governments can access cryptographic keys and decrypt customer information transiting global networks prevents banks from assuring their customers that their information is confidential.

Historically the government has recognized the need for extra security on financial networks and that Banks can be trusted to deploy cryptography in a secure, restricted manner. Consequently, export controls on encryption products used by Banks have included special exemptions. It is essential that these exemptions not only be continued, but that they be broadened to ensure that we can export robust cryptography without any key escrow/key recovery requirements. In addition, when export licenses are required, the process for getting export licenses needs to be made easier and faster.

We also support federal involvement in developing and providing encryption algorithms to the banking system. This is with the proviso that the algorithms are publicly vetted and that there are no built in key escrow/key recovery features.

Digital Signatures - Numerous states have enacted some form of electronic or digital signature legislation. These laws tend to have a great deal of inconsistency and create tremendous uncertainty in this area. In order for there to be secure and effective electronic commerce without an overriding threat of electronic forgery, we need federal regulation to first ensure consistent legal treatment of electronic authentication/digital signatures for banks within the U.S. Since electronic commerce is borderless, we then need international treaties/agreements governing standards for digital signatures.

Education and Awareness: This is a significant area where funds should be invested. For this to be effective, a program stressing computer usage ethics must be put together and reinforced in all grade levels, from kindergarten through university. As an initial step, I would encourage forming a task force consisting of educational professionals with classroom experience, security professionals with practical experience in awareness programs, marketing and public relations professionals and appropriate government representatives to draft a program and approach.

A second effort needs to be aimed at business and government to help them understand their information security risks and their responsibility in addressing those risks.

Vendor Contracts: Public and private sector contracts with hardware and software vendors need to define security requirements. In addition, both sectors need to work together to convince vendors of commercial, off the shelf products that include security functionality, be delivered with security features fully enabled and turned on. In addition, all default passwords and known backdoors must be removed.

University Programs: Government funds need to be invested in helping universities to develop information security curricula in Computer Science programs, Business programs, Liberal Arts and Law programs,

Partnership with Industry/Information Sharing: There is a need to establish an informal partnership between government, industry and education to share information security practices and education and training programs.

We also need greater access to reliable, up-to-date, information from the government and across the industry regarding identification of new threats and vulnerabilities. Private industry is never quite sure whether or not there are threats, risks and vulnerabilities that the government is aware of, but are not shared.

The types of information being shared need to be defined by experienced security practicioners who function in the commercial sector. In addition, once criteria are defined, information sharing needs to be via specific trade organizations, like the American Bankers Association, in a climate of trust, where anonymity is ensured and liability is limited.

Product Certification Labs: When I go to buy an electronic appliance in New York, I look for a certification by the Underwriters Laboratory before I make the purchase. If the certification is there, I assume the product is safe for use. I would recommend that a panel consisting of government and private sector staff develop product certification criteria for evaluating security functionality in commercial products. Private companies/laboratories should then be licensed to certify products meeting various levels of security, for example, a bronze, silver and gold level of certification.

Extended Background Checks: As you are aware, banks routinely perform drug testing, fingerprint and minimal background checks on new employees. However, in order to reduce the risk of insider threat, it would be beneficial if the tools and facilities the government uses in granting security clearances be made available to us in filling sensitive positions. In addition, there needs to be an effective means for limiting liability so that we could obtain meaningful information from past employers regarding performance.

That concludes my testimony. I would be pleased to answer any questions you may have. - Thank you.

Biography

New York, NY 10022