Banks are hiring former spies and adopting military-style tactics to fight cybercrime

O’FALLON, Mo. — In a windowless bunker here, a wall of monitors tracked incoming attacks — 267,322 in the last 24 hours, according to one hovering dial, or about three every second — as a dozen analysts stared at screens filled with snippets of computer code.

Pacing around, watching over the stream of warnings, was a former Delta Force soldier who fought in Iraq and Afghanistan before shifting to a new enemy: cyberthieves.

“This is not that different from anarchists and drug cartels,” Matt Nyman, the command center’s creator, said as he surveyed his squadron of Mastercard employees. “Fundamentally, threat networks conduct in similar ways.”

Cybercrime is one of the world’s fastest-growing and most lucrative industries. At least $445 billion was lost last year, up around 30 percent from just three years earlier, a worldwide economic study found, and the Treasury Department recently designated cyberattacks as one of the greatest risks to the American financial sector. For banks and payment companies, the fight feels like a war — and they’re responding with an increasingly militarized approach.

Former government cyberspies, soldiers and counterintelligence officials now dominate the top ranks of banks’ security teams. They’ve brought to their new jobs the tools and techniques used for national defense: combat exercises, intelligence hubs modeled on those used in counterterrorism work and threat analysts who monitor the internet’s shadowy corners.

At Mastercard, Mr. Nyman runs the company’s new fusion center, a term borrowed from the Department of Homeland Security. After the attacks of Sept. 11, the agency set up scores of fusion centers to coordinate federal, state and local intelligence-gathering. The approach spread throughout the government, with the centers used to fight disease outbreaks, wildfires and sex trafficking.

Then banks picked up the playbook. At least a dozen of them, from giants like Citigroup and Wells Fargo to regional players such as Bank of the West, have opened fusion centers in recent years, and more are in the works. Fifth Third Bank is building one in its Cincinnati headquarters, and Visa, which created its first two years ago in Virginia, is developing two more, in Britain and Singapore. Having their own intelligence hives, the banks hope, will help them better detect patterns in all the data they amass.

The centers also serve a symbolic purpose. Having a literal war room reinforces the new reality. Fending off thieves has always been a priority — it’s why banks build vaults — but the arms race has escalated rapidly.

Cybersecurity has, for many financial company chiefs, become their biggest fear, eclipsing issues like regulation and the economy.

Alfred F. Kelly Jr., Visa’s chief executive, is “completely paranoid” about the subject, he told investors at a conference in March. Bank of America’s Brian T. Moynihan said his cybersecurity team is “the only place in the company that doesn’t partake of a budget constraint.” (The bank’s chief operations and technology officer said it is spending about $600 million this year.)

The military sharpens soldiers’ skills with large-scale combat drills like Jade Helm and Foal Eagle, which send troops into the field to test their tactics and weaponry. The financial sector created its own version: Quantum Dawn, a biennial simulation of a catastrophic cyberstrike.

In the latest exercise last November, 900 participants from 50 banks, regulators and law enforcement agencies role-played their response to an industrywide infestation of malicious malware that first corrupted, and then entirely blocked, all outgoing payments from the banks. Throughout the two-day test, the organizers lobbed in new threats every few hours, like denial-of-service attacks that knocked the banks’ websites offline.

The first Quantum Dawn, back in 2011, was a lower-key gathering. Participants gathered in a conference room to talk through a mock attack that shut down stock trading. Now, it’s a live-fire drill. Each bank spends months in advance re-creating its internal technology on an isolated test network, a so-called cyber range, so that its employees can fight with their real tools and software. The company that runs their virtual battlefield, SimSpace, is a Defense Department contractor.

Sometimes, the tests expose important gaps.

A series of smaller cyber drills coordinated by the Treasury Department, called the Hamilton Series, raised an alarm three years ago. An attack on Sony, attributed to North Korea, had recently exposed sensitive company emails and data, and, in its wake, destroyed huge swaths of Sony’s internet network.

If something similar happened at a bank, especially a smaller one, regulators asked, would it be able to recover? Those in the room for the drill came away uneasy.

“There was a recognition that we needed to add an additional incapacitate of resilience,” said John Carlson, the chief of staff for the Financial Services Information Sharing and Analysis Center, the industry’s main cybersecurity coordination group.

Soon after, the group began building a new fail-safe, called Sheltered Harbor, which went into operation last year. If one member of the network has its data compromised or destroyed, others can step in, retrieve its archived records and restore basic customer account access within a day or two. It has not yet been needed, but nearly 70 percent of America’s deposit accounts are now covered by it.

The best banks run dozens of their own internal attack simulations each year, to smoke out their vulnerabilities and keep their first responders sharp.

“It’s the idea of muscle memory,” said Thomas J. Harrington, Citigroup’s chief information security officer, who spent 28 years with the F.B.I.

Growing interest among its corporate customers in cybersecurity war games inspired IBM to build a digital range in Cambridge, Mass., where it stages data breaches for customers and prospects to practice on.

One recent morning, a fictional bank called Bane & Ox was under attack on IBM’s range, and two dozen real-life executives from a variety of financial companies gathered to defend it. In the training scenario, an unidentified attacker had dumped six million consumer records on Pastebin, a site often used by hackers to publish stolen data caches.

As the hours ticked by, the assault grew worse. The compromised data included financial records and personally identifying details. One of the characters was Colin Powell, the former secretary of state. Phones in the room kept ringing with calls from reporters, irate executives and, ultimately, regulators, wanting details about what had occurred.

When the group figured out what computer system had been used in the leak, an intense argument broke out: Should they cut off its network access immediately? Or set up a watch and monitor any further transmissions?

At the urging of a Navy veteran who runs the cyberattack response group at a large New York bank, the group left the system connected.

“Those are the decisions you don’t want to be making for the first time during a sincere attack,” said Bob Stasio, IBM’s cyber range operations manager and a one-time operations chief for the National Security Agency’s cyber center. One financial company’s executive team did such a poor job of talking to its technical team during a past IBM training drill, Mr. Stasio said, that he went home and canceled his credit card with them.

Like many cybersecurity bunkers, IBM’s foxhole has deliberately theatrical touches. Whiteboards and giant monitors fill nearly every wall, with graphics that can be manipulated by touch.

“You can’t have a fusion center unless you have really moderate TVs,” quipped Lawrence Zelvin, a former Homeland Security official who is now Citigroup’s global cybersecurity head, at a recent cybercrime conference. “It’s even better if they do something when you disturb them. It doesn’t matter what they do. Just something.”

Security pros mockingly refer to such eye candy as “pew pew” maps, an onomatopoeia for the sound of laser guns in 1980s movies and video arcades. They are chiefly useful, executives concede, to put on display when V.I.P.s or board members stop by for a tour. Two popular “pew pew” maps are from FireEye and the defunct security vendor Norse, whose video game-like maps show laser beams zapping across the globe. Norse went out of business two years ago, and no one is sure what data the map is based on, but everyone agrees that it looks cool.

Jason Witty, the chief information security officer at U.S. Bank, acknowledges that the blinking map he breaks out for customer briefings is mostly for show. But it serves a serious purpose, he said: making the command center’s high-stakes work more tangible.

“If you show customers the scripts you’re actually running, it’s by the skin of ones teeth digits on a screen,” Mr. Witty said. A big, colorful map is easier to grasp.

What everyone in the finance industry is afraid of is a repeat — on an even larger scale — of the data breach that hit Equifax last year.

Hackers stole personal information, including Social Security numbers, of more than 146 million people. The breach cost the company’s chief executive and four other top managers their jobs. Who stole the data, and what they did with it, is still not publicly known. The credit bureau has spent $243 million so far cleaning up the mess.

It is Mr. Nyman’s job to make sure that doesn’t happen at Mastercard. Walking around the company’s fusion center, he describes the team’s work using military slang. Its focus is “left of boom,” he said — referring to the moments before a bomb detonates. By detecting vulnerabilities and attempted hacks, the analysts aim to head off an Equifax-like explosion.

But the attacks keep coming. As he spoke, the dial displayed over his shoulder registered another few assaults on Mastercard’s systems. The total so far this year exceeds 20 million.
