In her three years as deputy secretary of the U.S. Treasury Department, Sarah Bloom Raskin feared one thing above all others: a debilitating cyberassault on the country’s financial institutions.
“What I worried about was an attack that would result in a misappropriation of funds — one where you log into your account, go to check your balance, and it reads zero point zero zero,” says Raskin, a presidential appointee who left her position as second in command at Treasury in January after Donald Trump became president. “We’ve yet to experience that on a massive scale in the United States.”
Driven by the specter of such a doomsday scenario, Raskin launched an initiative to tighten web security not only within her 100,000-person bureaucracy but also throughout the global financial industry. She spoke about the details of that effort and the ever-shifting risk of fiscal hacking, among other topics, during a recent visit to Stanford Graduate School of Business as part of a new interdisciplinary Finance and Society Visitor Program. Through the program, financial experts with experience in the financial system, policy debates, and the media spend a week or more on campus sharing their knowledge with students and others.
When she was at the Treasury Department, Raskin’s first order of business was to persuade upper-level executives in both the public and private financial sectors to treat the threat of cyberattack as a policy priority.
“Cybersecurity primarily has been in the province of the IT folks, so traditionally they were the only ones who knew how to talk about it, which means it wasn’t connecting up to the C-suite,” she says. “Organizationally, most IT shops report up through the procurement line, but cybersecurity is such a huge exposure that you don’t want to just leave it at your procurement shop. It should be going up through your chief risk officer, with direct avenues to your CEO and your board.”
At the Treasury Department, she forged a collaboration between policy wonks and tech geeks to ensure that people who otherwise might never have met were aligned when it came to security. The threat at Treasury went beyond fiscal concerns, Raskin says, because the agency not only prints all U.S. currency and pays the government’s bills, but also oversees and collects taxes through the Internal Revenue Service, which means it houses private information about every American taxpayer.
When it came to the financial sector, Raskin believed the government should not indiscriminately impose its regulatory muscle as a way to improve security against hacks. She felt instead that it was better to seek ways in which the government and businesses could work together to create more resilient structures and systems.
“It was more collaborative than combative,” she says. “Also, one problem with regulations in this space is that cyber vectors morph quickly. You don’t want a regulation that becomes outdated the moment it’s issued.”
Raskin credits the U.S. financial industry for making “huge investments” in ensuring that its assets, systems, and customer information remain safe from catastrophic hacks. A key to that success, she says, has been the creation of segregated systems that rank digital assets based on risk tolerance, then design safeguards accordingly. Some things don’t have to be guarded by expensive, impenetrable systems, while others must be protected at all costs.
How to secure these “crown jewels,” as she calls them, is the source of debate among bank-security experts: “Do you put all of your crown jewels in one treasure chest, then put a lock on it, put a belt on it, and store it in a sealed container? Or do you take your crown jewels and put some over here, a couple over there, a couple under the desk, so that you mitigate the loss if there’s a breach?”
When she talks to industry executives, Raskin recommends several safeguards that are rapidly becoming common practice:
- Forcing customers to use multi-step authentication, which requires more than a username and password to log in to a system. “A lot of companies have it but don’t insist on it,” she says. “That’s an easy fix.”
- Rapid implementation of patches to known vulnerabilities.
- Participation in information-sharing hubs, so that, for instance, if one company spots an attack from a certain IP address, others in the industry are immediately alerted.
- Frequent reviews and updates of a system’s privileged-access users. “Especially in the early stages, we were finding entities that had hundreds and hundreds of people on these lists who didn’t belong,” she says.
- Closer monitoring of third-party vendor access. Raskin points specifically to the 2014 hack of Target Corp., in which cyber thieves downloaded personal information, including credit card numbers, of up to 110 million of the retail chain’s customers. In that case, hackers cracked into the system using network credentials stolen from a refrigeration, heating, and air-conditioning subcontractor.
As an additional precaution, Raskin recommends that corporate IT departments assemble playbooks and organize simulations so they’ll know how to respond in the case of a serious system breach, just as agencies like the Federal Emergency Management Agency often do to prepare for natural disasters.
“You simulate an attack and you engage in exercises,” she says. “Just like a FEMA drill.”