CHIPS recently interviewed Dr. Cathy Allen regarding the security of financial transactions on the Internet. BITS was formed by the Chief Executive Officers (CEOs) of the largest bank-holding institutions in the United States as the strategic "brain trust" for the financial services industry in the e-commerce arena.
CHIPS: In your opinion what is the role of government and public organizations in security issues?
BITS has thought from the beginning that there should be public and private partnership in this area. Next to the government, the financial industry has the most interest in security. BITS has been working with the Department of the Navy, specifically the DON Chief Information Officer and the former Undersecretary of the Navy, and we are supportive of the Government identifying security as a critical issue. With top-level changes taking place in the Administration, it is important to have continuity on the issue of security.
CHIPS: What is the role of private industry in security issues?
First, private industry should partner with government, as stated earlier. Second, the financial industry must provide a safe and secure environment, gaining the trust of their customers. Third, they need to educate each other on what the issues are. The Department of Treasury and financial institutions created the Financial Services Sharing and Analysis Center as a way to anonymously share breaches and hacks, and ways to alleviate them. Currently 54 financial institutions are members. This center was the first one to be formed in response to the Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63. The three objectives of the center are information sharing, testing (using the BITS lab), and education (briefing others on findings and best practices).
CHIPS: In the near future what security issues need more attention?
There are several security issues that will need more attention in the future. They include:
• Internet fraud (viruses, etc., that impact electronic transactions)
• The liability of outsourcers who host Web sites and processing centers
• Wireless communications, which are more challenging in terms of security
• The growing need for insurance or gap analysis because you cannot guarantee security when transactions and processing are so distributed
• The next generation of viruses
• Speed to market. There is enormous pressure, driven by Internet time, to bring products quickly to market. It used to be that two years was the average time to get a new product to market; now it's six to nine months. In introducing products to market quickly, we must be aware of the risks above, and government and private industry must work together.
CHIPS: What steps or procedures have you taken to guard against "insider threat?"
Insider threat is the number one issue in security today. Insider threat involves someone who works on the inside of an organization doing something he is not supposed to be doing. The BITS lab is very active in researching this issue and has described minimum security criteria that financial services companies can use as baseline criteria for access control. In addition, the BITS Fraud Working Group deals with check and Internet fraud, sharing best practices on what we are doing in these areas. We are working on a certification program that would consist of verifying employees, background checks, and training employees on internal security practices.
CHIPS: The Internet has removed geographic borders. What is the United States' role internationally?
BITS has taken the lead internationally on security issues. BITS is working with the Office of the Comptroller of the Currency (OCC) and the BASEL Committee (a committee headquart