When it comes to safeguarding the U.S. payments system, the Biden administration is keenly focused on ransomware and infrastructure threats, a top cybersecurity official from the United States Department of Homeland Security (DHS) told an industry trade group yesterday.
Eric Goldstein, an executive assistant director at the department's Cybersecurity and Infrastructure Security Agency (CISA), made the comments in a conversation with the American Transaction Processors Coalition's cyber council. He has been in the post since February, but has experience in both the public and private sectors, including as the former head of cybersecurity policy, strategy and regulation at investment banking giant Goldman Sachs.
Not surprisingly, financial services companies are often the targets of cybercrime. Overall, cybercrime damages are expected to reach $6 trillion this year, according to ISACA, a trade group previously known as the Information Systems Audit and Control Association. Cybercrime as a business, with sales of cyber weapons on the dark web, is a $1.5 trillion industry, according to one cybersecurity expert cited in a 2018 Cleveland Federal Reserve report. In February, U.S. Treasury Secretary Janet Yellen warned of an "explosion of risk" with respect to cybercrime, partly because of the shift to online commerce during the Covid-19 pandemic.
Asked about the biggest threats to the nation's payments system, Goldstein pointed to ransomware risks and the potential for "destructive attacks" on the nation's "critical infrastructure" and industrial assets, without citing any specific threats. He said those are threats to the broader business sphere, and American life generally. The availability of fresh drinking water, the ability to pay employees, and the availability of ATMs for retrieving cash are among the many aspects of the U.S. infrastructure that need to be protected, he said.
Goldstein said the federal government aims to learn as much as possible about threats and risks to critical U.S. infrastructure assets as well as private sector systems by studying recent incursions. Specifically, he cited the SolarWinds cyberattack, in which Russian government agencies reportedly stole data from U.S. government agencies and more than 100 corporate networks. The intrusion went undetected for months over the past two years; the hackers infiltrated the systems by way of the Austin, Texas-based software company SolarWinds.
During the online video discussion, he also referenced the multimillion-dollar ransomware attack on Baltimore in 2019, in which anonymous hackers disrupted the city's services and sought payments to end the incursion. Too many entities, from municipalities to companies to tribal governments, have been impacted by such ransomware attacks, he said, noting that it's a phenomenon that people across the public and private sectors should be concerned about. Goldstein also mentioned the cyberattack on a Florida city's water supply this year.
He told his corporate audience not to consider this solely government work, but rather a chance for corporate collaboration with federal agencies to thwart such attacks. Increasingly, the government will seek to share information in a more targeted way with companies that have been affected by these situations in specific campaigns, he said.
The coalition's members are some of the biggest companies in the U.S. payments system, including FIS, Fiserv, NCR and Elavon. Goldstein addressed the coalition's cyber council, which has a mission to "identify best practices and areas of shared risk to help ATPC members address the evolving cyber threat across America's payments processing ecosystem." Norma Krayem, an attorney and cybersecurity expert at Washington advocacy firm Van Scoyoc Associates, is the council's director.
"It's critical for the ATPC Cyber Council to have a direct partnership with Eric Goldstein, CISA and DHS," Krayem said in an email comment regarding the presentation. "Our companies are on the global front lines dealing with cybersecurity risks every day."
When asked about forthcoming Biden administration executive orders with respect to government cybersecurity programs, Goldstein said he wasn't able to discuss any such future plans.
Separately, he noted the administration is also focused on spurring more diversity in the government's ranks, and supporting more diversity among professionals generally in the cybersecurity arena.