Five months before the 9/11 attacks, US Secretary of Defense Donald Rumsfeld sent a memo to one of his advisers with an ominous message.
“Cyberwar,” read the subject line.
“Please take a look at this article,” Rumsfeld wrote, “and tell me what you think I ought to do about it. Thanks.”
Attached was a 38-page paper, published seven months prior, analyzing the consequences of society’s increasing dependence on the internet.
It was April 30, 2001. Optimistic investors and frenzied tech entrepreneurs were still on a high from the dot-com boom. The World Wide Web was spreading fast.
Once America’s enemies got around to fully embracing the internet, the report predicted, it would be weaponized and turned against the homeland.
The internet would be to modern warfare what the airplane was to strategic bombers during World War I.
The paper’s three authors — two PhD graduates and the founder of a cyber defense research center — imagined the damage a hostile foreign power could inflict on the US. They warned of enemies infecting computers with malicious code, and launching mass denial of service attacks that could bring down networks critical to the functioning of the American economy.
“[We] are concerned that US leadership, and other decision-makers about Internet use, do not fully appreciate the potential consequences of the current situation,” the report said. “We have built a network which has no concept whatsoever of national boundaries; in a war, every Internet site is directly on the front line. If we do not change course soon, we will pay a very high price for our lack of foresight.”
The US government had a problem on its hands and it seemed a long ways from figuring out how to handle it.
More than 17 years later, that problem seems to have only gotten worse.
Follow the money
Willie Sutton, the notorious Brooklynite who spent his life in and out of prison, once told a reporter he robbed banks because that’s where the money is. Computer hackers aren’t so different.
In 2016, hackers attacked companies in the financial services sector more than companies in any other industry, according to IBM. Over 200 million financial records were breached that year, a 937% increase from 2015. And that’s not including the incidents that were never made public.
As hackers become more sophisticated and cyber attacks more routine, New York is on notice. Home to the most valuable stock exchange on Earth, New York City is the financial capital of the world. When the market moves here, it moves everywhere.
So it was no surprise when in September 2016, Gov. Andrew Cuomo announced that the New York State Department of Financial Services (NYDFS) was gearing up to implement sweeping, first-of-their-kind cybersecurity regulations to protect the state’s financial services industry — an unprecedented move no other state or federal agency had taken anywhere in the US.
Cybersecurity in New York’s financial industry was previously governed by voluntary frameworks and suggested best practices. But the NYDFS introduced, for the first time, regulations that would be mandatory, including charging firms fines if they didn’t comply.
Maria Vullo, the state’s top financial regulator, told Business Insider that her No. 1 job is to protect New Yorkers.
“They’re buying insurance. They’re banking. They’re engaging in financial transactions. And in each of those activities, they’re providing their social security information, banking information, etc.,” she said. “The companies that are obtaining that personal information from New Yorkers must protect it as much as possible because a breach of that information is of great consequence to the average New Yorker.”
On March 1, the regulations turn a year old, although some of the rules are not yet in effect and will phase in over time.
The NYDFS oversees close to 10,000 state-chartered banks, credit unions, insurance companies, mortgage loan servicers, and other financial institutions, in addition to 300,000 insurance licensees.
The combined assets of those organizations exceed $6 trillion, according to the NYDFS — and they’re all in constant danger of being hacked.
Banks are vulnerable
In the summer of 2014, an American, two Israelis, and two co-conspirators breached a network server of JPMorgan Chase, the largest US bank.
They got hold of roughly 83 million customers’ personal information, including names, addresses, phone numbers, and email addresses.
The hackers didn’t steal any money from personal bank accounts, but that wasn’t the point.
They wanted access to a massive trove of emails that they could use for a larger, separate money scam. In just three years, that operation netted the hackers more than $100 million.
The JPMorgan hack wasn’t the end game. It was a piece of the puzzle.
The attack began with the simple theft of a JPMorgan employee’s login credentials, which were located on a server that required just one password.
Most servers with sensitive information like a person’s banking data require what’s called multi-factor, or two-factor authentication.
But JPMorgan’s security team had lapsed and failed to upgrade the server to include the dual password scheme, The New York Times reported at the time.
The attack, the breach, and the reputational damage that followed could have been avoided with tighter security. Instead, the hack went down as one of the largest thefts of customer data in US history.
“Banks are especially vulnerable,” Matthew Waxman, a professor and the co-chair at Columbia University’s Cybersecurity Center, told Business Insider. “Disruption to the information systems on which banks rely could have shockwaves throughout the financial system, undermining public confidence in banking or knocking off line the ability to engage in commercial transactions.”
That’s the kind of catastrophic damage that worried the authors cited in Defense Secretary Rumsfeld’s 2001 memo.
They weren’t only concerned about stolen email addresses and social security numbers. They were worried about the fallout from such activity.
Banking works because consumers trust the system. But what if people lose trust?
Waiting until a catastrophe
News of impending cybersecurity regulations in New York in the fall of 2016 was both welcomed and shunned.
Some companies saw it as a chance to improve their own security standards while others complained of government overreach. Some were relieved to find they wouldn’t have to make any adjustments to the way they operated. Others were overwhelmed by the heavy lifting they would have to do to comply.
How a company views the regulations depends in large part on its size. Bigger institutions with more cybersecurity professionals and more resources at their disposal tend to already have in place much of what the regulations require. Many smaller companies, which tend to be under-staffed and under-resourced, have a lot more work to do to catch up.
The only additional thing Berkshire Bank has to do is sign off on its annual compliance form, which it sends to NYDFS to prove that it’s doing everything it’s supposed to be doing.
“We actually have to do nothing [new] from a compliance standpoint,” the company’s chief risk officer Gregory Lindenmuth told Business Insider.
While several cybersecurity consultants told Business Insider they acknowledge the NYDFS rules as a positive step in the right direction, they also point to a new law in Europe as a leading example of the role government has to play in protecting individuals’ privacy rights and ensuring that companies secure consumers’ personal information.
In 2016, the European Parliament passed a law called the General Data Protection Regulation (GDPR) — landmark legislation that imposes millions of euros in fines on companies that do not adequately protect their customers’ data.
Whereas the NYDFS regulations cover just one industry in one US state, the GDPR affects companies in all industries across all 28 member states of the European Union. Companies that do not report a data breach or fail to comply with the law more generally could be fined up to €20 million or 4% of its global revenue.
Matthew Waxman, the Columbia professor, says it’s not surprising that the implementation of such a law remains far-fetched in the US.
“It’s sometimes very difficult to get the government to take action against certain threats until a catastrophe takes place,” Waxman said. “But that could change very suddenly if the banking system were knocked offline or another very major disruption to everyday life affected the lives and security of citizens on a massive scale.”
But are the deterrents strong enough?
Data protection advocates calling for stricter cybersecurity regulations in the US are generally happy about the NYDFS rules.
For the first time, a state government is taking seriously the protection of consumer data, they say. It’s giving companies in the financial sector an ultimatum: protect New Yorkers or face punishment.
But the nature of that punishment is not entirely clear.
“My big criticism of the regulations is there’s no clear consequence for non-compliance,” Tom Boyden, a cybersecurity expert who helps companies defend against cyber attacks, told Business Insider. “If companies don’t feel like there’s going to be any consequence for any action on their part, companies aren’t going to take [the regulations] seriously.”
In fact, for many companies, Boyden thinks “that’s the default position.”
More reading: Cyber-attack wreaks havoc on US Internet traffic
Vullo, the head of the NYDFS, said she has the ability to fine companies that are not complying and is willing to exercise that authority, although how much that cost may be would depend case-by-case.
“I don’t want this to be a punitive atmosphere, but obviously if institutions are not taking this seriously, then there will be consequences,” she said. “But it’s not the objective.”
If anything, the objective is to make it clear that cyber threats are real and that New Yorkers and the companies that maintain their personal information are facing higher risks of attack.
Cybersecurity affects everyone, and Vullo said she hopes the regulations will help companies prioritize it.
“Everyone is part of our cybersecurity team,” Theresa Pratt, the chief information security officer at a private trust company in New York, told Business Insider. “It doesn’t matter what myself or my colleagues do from a technical perspective. If I have one user who clicks a bad link or answers a phisher’s question over the phone, it’s all for naught.”
New York leading the way
The new rules have far-reaching implications beyond New York. A business in the state that has a parent company based in Germany, for example, still has to comply with the regulations.
This leaves some organizations in the precarious position of having to either restructure company-wide cybersecurity practices or build an entirely new and unique security apparatus that is specific to its New York offices.
“I do think that because of the scope of some of these regulations, they’re kind of blurring the lines between countries and continents. I think we’re going to see more and more of this,” GreyCastle Security CEO Reg Harnish told Business Insider. The New York-based consulting firm is helping companies comply with the new regulations.
Further reading: Why the Pentagon will move its data to the cloud
In the absence of leadership from the federal government on certain issues related to cybersecurity and data protection, states like New York are beginning to fill the void. Several cybersecurity experts told Business Insider that the NYDFS regulations could become a model for other industries or even policies at the national level.
In 2017, at least 42 states introduced more than 240 bills or resolutions related to various cybersecurity issues, according to the National Conference of State Legislatures. And since the NYDFS rules took effect, financial regulators in Colorado and Vermont have followed New York’s lead with cybersecurity regulations of their own.
Indeed, cyber experts have come a long way in better understanding the threats we face since Rumsfeld’s dire cyberwar memo in 2001. But 17 years on, the former secretary of defense’s concerns still seem as relevant as ever.
Perhaps the memo was a prescient warning — a warning that fell on deaf ears, but is not too late to address.