The Office of Financial Research, a new federal agency created as part of the Dodd-Frank Wall Street Reform Act, is drawing mounting concern over assumptions that it can safeguard vast amounts of consumer information from cyber attacks.

The Office of Financial Research “represents a hacker’s dream and a civil libertarian’s nightmare,” said Congressman Mike Fitzpatrick (PA) at a House subcommittee hearing July 14.

Experts testifying at the hearing lent validity to his concerns.

“As long as security remains so lax inside government, there is great risk that any data gathered by government would be easy prey for financial criminals and nation-states bent on cyber mischief,” said Alan Paller, founder and research director of the SANS Institute, a security training and research institution.

Dr. Nassim N. Taleb, Distinguished Professor, New York University Polytechnic Institute and author of “The Black Swan,” also questioned the ability of OFR to address unforeseen risks. Taleb’s book, about how misjudgments can lead to unexpected catastrophic results, gained visibility following the Fukushima Dai-ichi nuclear plant meltdown in Japan.

“This measure … aims at the creation of an omniscient Soviet-style central risk manager. It makes us fall into the naive illusion of risk management that got us here (to the financial meltdown that prompted the Dodd-Frank Act),” Taleb said in his prepared testimony. “The system needs to be made robust organically, not through centralized risk management,” he said.

Fitzpatrick, the vice chairman of the Oversight and Investigations Subcommittee of the House Committee on Financial Services, raised serious concerns about the potential risks of a new federal agency having relatively unfettered access to consumer buying data.

“The Federal government will be able to track what (consumers) buy, where they buy it, and when they buy it,” said Fitzpatrick during the hearing’s opening remarks. He openly questioned the need for the office, saying “I do not see a compelling reason for its existence.”

He also questioned the office’s ability to keep that information from falling into the wrong hands, a view supported by Paller.

“Government computers are being infiltrated and taken over by malevolent organized crime groups and by nation-state actors; they are being infected by malicious code; and they are being retasked to gather and redirect sensitive information so that it can be mined and repurposed,” said Paller in prepared comments.

“The losses from such data theft are massive. Unfortunately, this is generally unknown by the public or by members of Congress because agency and contractor personnel keep these damaging attacks a secret in order to avoid the embarrassment associated with public disclosure,” he added.

“Most federal agencies don’t have (the security controls financial institutions have) in place, despite a common awareness of the value of such measures,” said Paller.

“This concern applies particularly to small agencies that may lack the scale to implement first-class cybersecurity protections. For example, if the Office of Financial Research moves data from well-protected financial sites to less well-protected government or contractor sites, they will put that data at risk,” he said.

Also testifying at the hearing were Dilip Krishna, Vice President of Financial Services, Teradata Corporation, and Dr. John Liechty, Professor of Marketing and Statistics, Director of the Center for the Study of Global Financial Stability, Pennsylvania State University.

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) established the OFR within the Treasury Department to improve the quality of financial data available to policymakers and facilitate more robust and sophisticated analysis of the financial system. To execute these functions, the OFR has two primary operational centers: a Data Center to standardize, validate, and maintain the data necessary to help regulators identify vulnerabilities in the system as a whole, and a Research and Analysis Center to conduct, coordinate, and sponsor research to support and improve regulation of financial firms and markets.

Paller recommended that if OFR is empowered to gather sensitive information from financial institutions, then “you would sleep a lot better at night if they implement world-class cyber defenses” that would include the following:

1. Continuous (daily) monitoring of the twenty key controls in the Consensus Audit Guidelines (the “CAG”) and the exclusive use of tools that strictly adhere to the automation and interoperability requirements of the security configuration automation protocols developed by NIST and NSA.

2. Implacable adherence to operating system and software configurations defined in the Universal Gold Master configurations approved by the DoD’s Joint Consensus Working Group.

3. Rigorous multi-factor identity validation of every user without exceptions.

4. A team of at least eight “hunters and tool builders” who use constantly updated scripts to monitor OFR system logs and network information continuously to find evidence of penetrations, and then reverse engineer and eliminate malicious programs that make it through the perimeter.

5. Software code analysis and penetration testing for all software that accesses sensitive information and any that allows access to the systems, such as web sites.

6. Auditors who verify these defenses are in place and substantial consequences for auditors if they miss well-known problems.