Cyrus Amir-Mokri, the assistant secretary for financial institutions at the U.S. Treasury, stressed this week the importance of a collective cybersecurity effort with a partnership between the public and private sectors.
“[I]t is important for the government to share information and provide technical assistance to the private sector,” Amir-Mokri said before the SIFMA conference on cybersecurity. “At the same time, as [President Obama’s] executive order also implies, it is important for the private sector, including firms both small and large, to do its part in maintaining robust cybersecurity resilience and readiness. The private sector should also continue to expand its various collaborations on these issues, whether it is technical collaboration, identifying weak points in the overall system, or sharing threat information.”
Amir-Mokri said “vigilance must be persistent and sophisticated” because the cybersecurity threats that have increasingly emerged are themselves persistent.
“The combination of the threat actors’ persistence, sophistication and motivation means that, probabilistically, we should think and plan not just in terms of resilience and defense but, as implied by the [NIST] Framework, also in terms of adjustment, reaction, crisis management, recovery and business continuity,” Amir-Mokri said.
Additionally, Amir-Mokri said internal communication between decision-makers and IT personnel within organizations must be seamless to ensure a comprehensive understanding of the risks and consequences of a cyberattack.
“For example, information technology experts need to understand from business decision-makers what levels and kinds of impairment in network function may require interruption of services,” Amir-Mokri said. “Similarly, business decision-makers need to understand from information security experts what kinds of functions are realistic in the face of a cyberattack. Second, and for largely similar reasons, in times of crisis, it is critically important for the lines of communication between the private sector and government to be active and clear.”
He said in scenario planning and design, existing models for physical attacks “may not be very relevant.”
“For example, building and maintaining backup systems in different geographies will not necessarily guard against scenarios in which a backup or recovery system itself might be infected with malware,” Amir-Mokri said. “[B]ecause having backup systems in separate geographies largely addresses problems that arise in paradigms of physical loss, they do not allow us fully to plan for interconnectivity effects in the financial system.”