Former NSA head Keith Alexander has been tapped up to advise a new cyber war council for government and financial institutions in the US, according to Bloomberg.
The biz news site has seen a proposal from the Securities Industry and Financial Markets Association (SIFMA) that suggests that the industry needs a committee of execs and officials from at least eight US agencies, including the NSA, the Treasury Department and the Department of Homeland Security, led by a White House official, to help it fend off cyber attacks.
SIFMA has apparently already brought Alexander on board to “facilitate” the council with the government. Alexander left the agency late last year and set up his own consultancy, IronNet Cybersecurity, which offers its services for as much as $1m a month, according to reports.
The former NSA director has, in turn, brought in another old face from around the water cooler for the council: Michael Chertoff, who used to be the US Secretary of Homeland Security, and his Chertoff Group.
According to the proposal document, SIFMA is hugely concerned about the financial industry’s dependence on critical infrastructure like the electric grid, which could be attacked online or in person, and does not have an optimistic view of institutions’ ability to stand up to cyber-criminals, terrorists or nation-states.
“The systemic consequences could well be devastating for the economy as the resulting loss of confidence in the security of individual and corporate savings and assets could trigger widespread runs on financial institutions that likely would extend well beyond the directly impacted banks, securities firms and asset managers,” the association wrote in the document, dated June 27.
“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack (DDOS), the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks.”
SIFMA said that although the government and industry already work together on cybersecurity, a council would allow for near real-time sharing of information and ways to protect against attacks if intelligence agencies know they’re coming. The association also wants to establish protocols for institutions to get government help during and after an attack.
The association did not respond to a request for comment from The Register and hasn’t confirmed the proposal, but members of Congress are already concerned about the possible war council. Alan Grayson (D-Fl) tweeted:
Ex-NSA chief Keith Alexander wants to form a joint WH-bank war council. So now Wall Street gets to declare war? http://t.co/pwol9DDqju — Rep. Alan Grayson (@AlanGrayson) July 8, 2014
News of the proposal came just before the Senate Intelligence Committee approved the latest version of the bill on cybersecurity data-sharing. Despite concerns from privacy groups (and two of the opposing members of the committee) that the bill doesn’t do enough to protect privacy and civil liberties, the bill went through in a 12-3 vote.
The Cybersecurity Information Sharing Act (CISA) provides for businesses to share data with the government in an effort to repel and prevent online attacks. As it stands, firms can strip out personally identifiable info from the data they share, but only if they have evidence that the user is a US citizen and isn’t involved in a cyber threat.
The government isn’t just looking for information on infrastructure threats. It could also collect data for terms of service violations, the prosecution of identity theft, aiding prosecutions under the Espionage Act, or even to find the identity of whistleblowers.
The legislation still has to face a vote in the full Senate and needs to be reconciled with CISPA, the bill it is intended to replace. The White House has made noises about disliking the privacy implications of the bill, but it’s unclear if President Obama feels strongly enough to veto the legislation if it makes it through. ®