A handful of cyber - five key issues for international cooperation

Speech by Mr Agustín Carstens, General Manager of the BIS, at the conference on "Cybersecurity: coordinating efforts to protect the financial sector in the global economy", Paris, 10 May 2019.

BIS speech | 29 May 2019

Conference video by the Bank of France (Carstens at 7:24:42)

Many thanks for inviting me to speak here today. Cyber security is in the minds of all of us in the central banking community, and international cooperation is of the essence. As many of you here know, part of the BIS's mission is to foster international cooperation in serving central banks in their pursuit of monetary and financial stability. Cyber security is a more recent concern for the BIS. However, as it has become increasingly important, our contribution to the central banking community's efforts has also grown. We have convened many discussions with experts from the public and private sector and academia. Cooperation is of course not an end in itself: the ultimate aim is to be better prepared for cyber attacks. I want to put five points on the table today.

Criminals are coordinating

First, criminals are mastering the art of international cooperation. Hacktivists, cyber criminals and nation states are coordinating with one another. This coordination is sophisticated and market-based. We have before us a very skilled set of adversaries.

Recent high-profile attacks have shown that attackers are also active in reconnaissance. They gather up seemingly harmless information (such as the online social media profiles of firms' staff) to better plan and execute attacks. Moreover, sophisticated hacking tools can be acquired on the black market at low cost, lowering the level of technical skills required by criminal organisations. This black market, together with the coordination it enables, is international. It brings together cyber criminals and nation states to execute targeted attacks for financial gain. If cyber criminals are embracing the benefits of cooperation, we need to embrace it as well.

International law is not up to speed

Second, international legal arrangements are not up to speed. Detecting criminal activity is not easy, and tracing it back to where it came from is even more difficult. Yet, even if a suspected criminal can be identified, international law may not support any action against them.

The current international legal framework for cooperation on cyber crime is fragmented. Hacking is not necessarily a crime, for example. Differing domestic laws and regulations, uncertainty in establishing which jurisdictions are responsible for what, and ambiguity regarding evidential standards are a significant hurdle. Harmonisation of laws defining criminal behaviour could help here, but laws are not enough on their own. We also need international cooperation among the investigatory agencies. This cooperation would help prevent delays and loss of evidence. Only with cross-border cooperation is it possible to catch cross-border criminals.

There are a number of workstreams currently under way to address this and improve investigation and prosecutions between domestic authorities. One example is the Council of Europe's Convention on Cybercrime - the Budapest Convention. However, it is likely to be some time before current laws catch up with the internet age. This makes adequate defences an even greater imperative. If there is limited risk of being stopped by authorities, then preventing criminals from stealing is the most effective deterrent.

Compliance is not security

Third, compliance is not security. The standard-setting bodies are prioritising cyber. The Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions led the way with their cyber guidance some years ago; the Basel Committee on Banking Supervision (BCBS) recently published a report on a range of cyber resilience practices; and the Financial Stability Board is currently also working on aspects of resilience and recovery.1, 2 Supplementing this work, there are a number of best practice cyber resilience frameworks available, including ISO27000 and the NIST framework.

However, "compliance" is different for cyber. Getting the basics right makes a significant difference. An accurate IT inventory and a strong patching process are the cornerstones of any defence. "Basic" does not imply that this is an easy or simple task. The complexity and diversity of most modern networks create significant challenges. However, at the same time, most of the organisations that have experienced highly publicised breaches were in compliance with some form of control framework. So while compliance is clearly necessary, it is not sufficient for security. Even with every box ticked, an organisation can still be vulnerable. A list of controls simply cannot keep pace with threat developments.

An organisation needs a "cultural shift", driven by a strong governance framework that learns and evolves, to go beyond compliance. An example of this is a cyber security department's engagement with the other staff in an organisation. Users need to be part of the security of an organisation. To achieve this, organisations need to innovate in how they communicate and engage with staff to make them feel like they are the ones tasked with defending their organisation - not that it is someone else's responsibility to do so on their behalf.

For defence, bigger is better

Fourth, to be effective, cyber defence needs scale and it needs to cross borders. The threats we face are international and the financial system we defend is global, and interconnected. We need to cooperate.

One aspect of cooperation is sharing information on threats and incidents. Beyond vulnerabilities, we all have an interest in broad cooperation in this area. Progress is reportedly being made. A BCBS survey found that 75% of banks have mandatory or voluntary cyber risk information-sharing arrangements in place. However, only 30% of their regulators had equivalent arrangements. We need to do more.3 

Another cooperative aspect is in the services, tools and software provided for cyber security. We cannot all be the best at everything. Even larger international companies can struggle to do everything themselves. We need to learn from one another, and we need to know who we can trust to provide services for us. The current pool of service providers is international. Sophisticated IT or security companies do not operate purely domestically, even in the largest countries. Yet the accreditation schemes to help guide people towards the best service are currently domestic. Extending the schemes currently provided by some national governments or agencies internationally could help.

It is also worth noting that economies of scale in this area are not a one-way street. There are challenges to putting all our eggs in one basket. For example, while cloud computing may bring significant efficiency and security benefits, we need to cooperate to ensure that arrangements are safe.

Cyber is not going away

Finally, cyber risk is here to stay. Many risks can be tied to an economic or business cycle, but cyber is not one of them. It will not disappear overnight or be "solved". Therefore we can engage in some longer-term thinking about how to tackle it, and plan for the future.

Central banks realise this, and also appreciate that we need more technical cyber expertise. Yet cyber experts are hard to find and, once hired, they need to keep up to date. Significant training and experience are required to transform new recruits into cyber security professionals.

However, this is not a new problem. We had a similar issue with bank supervisors, which was one of the driving factors behind setting up the Financial Stability Institute at the BIS, which celebrated its 20th anniversary last year.4 Now that we are in a similar situation, the BIS is again helping to coordinate international central bank efforts to train and develop the next generation of central bank staff.

Concluding thought

I close with this thought: Coordinating our efforts is important, but we cannot coordinate work that is not shared. There can be no sharing without trust. That is why central banks - institutions that are experts in trust - have such a vital role to play in bringing people together. Many thanks to our hosts, the Bank of France, who are demonstrating this today.

2 See BCBS (2018), Cyber-resilience: range of practices, December.

3 Ibid.

4 Financial Stability Institute 20th anniversary conference: "A cross-sectoral reflection on the past, and looking ahead to the future".