Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
By Chris Bing
A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
The pilot program, codenamed “Project Indigo,” recently established an information-sharing channel for a subunit of FS-ISAC known as the Financial Systemic Analysis & Resilience Center (FSARC). That subunit shares “scrubbed” cyberthreat data, including malware indicators, with the Fort Meade-based Cyber Command, according to current and former U.S. officials.
The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.
The program is currently organized in a fairly informal manner, but participants have been discussing a more formal arrangement. Eight financial institutions are involved in FSARC: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. Project Indigo also provides data to the Department of Homeland Security and U.S. Treasury. However, those agencies were already getting data from the banks that is narrowly leveraged for defensive measures.
In an emailed statement, a Cyber Command spokesperson acknowledged Project Indigo’s existence.
“The pilot began in 2017 with USCYBERCOM personnel receiving sector-specific exposure to risks facing critical financial payment systems, and observing exercises related to risk mitigation and recovery around realistic scenarios,” said Cyber Command spokesperson Col. Daniel King. “Later, two samples of anonymized cyber threat information were shared with USCYBERCOM to allow the government and its critical infrastructure partners the ability to jointly assess and address emerging threats.”
“No Personally Identifiable Information (PII) was shared with USCYBERCOM as part of this effort,” King added.
The financial institutions that participate in the arrangement gave consent to FSARC to share the data with the U.S. government, a person familiar with the effort told CyberScoop. Sources spoke on the condition of anonymity due to the sensitive nature of the program.
In one recent case, FSARC gave Cyber Command a “combo of open-source derived IOCs [indicators of compromise] associated with DPRK [North Korea] and some observed,” one source said. “Open source” in this case means from outside a financial institution, while “observed” refers to internal data.
Under the agreement, financial institutions share data “considered not exclusive” to any one financial firm, a former U.S. official said. Another source familiar with the program said that it was challenged by the simple fact that the banks weren’t yet “interested in sharing at a level which would be truly useful [for Cyber Command].”
An October 2016 press release originally announcing FSARC explained that its mission is to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cyber security threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government.”
That announcement specifically described “government partners” as Treasury, DHS and the Federal Bureau of Investigation, but it did not mention U.S. Cyber Command or the National Security Agency.
Wells Fargo, Bank of America and JPMorgan Chase did not respond to multiple requests for comment. The Office of the Director of National Intelligence and NSA deferred to Cyber Command for comment.
It’s widely known that large financial institutions face a bevy of sophisticated cyberattacks from both nation states and well-equipped criminal groups. Organized as a private non-profit organization, the FS-ISAC sits at the center of this activity, collecting and sharing information between companies so they can be collectively informed about active cyberthreats.
The collected data can often be extremely sensitive. Not only does it contain malware indicators, but sometimes other sensitive information tied to the targeted institutions. As a result, the intelligence is usually both highly valuable for defenders and potentially dangerous if it’s ever made public.
In an emailed statement, an FS-ISAC spokesperson said: “[Project Indigo] focuses on sharing cyber threat intelligence related to key threats facing systemically important critical infrastructure operators, with the intention of protecting our financial institutions, their networks and their clients. No customer information has been shared with the U.S. Government under Project Indigo.”
While it’s common for businesses to voluntarily provide federal agencies with information about incidents in cyberspace, the 2013 Edward Snowden leaks chilled these types of relationships, especially between private companies and intelligence agencies. Cyber Command is not an intelligence unit, but it maintains a close relationship with the NSA, including sharing the same leader and building.
Jason Healey, a former intelligence officer and current senior research scholar at Columbia University’s School for International and Public Affairs, told CyberScoop he believed Project Indigo represented a pragmatic step forward.
“We need to be prepared for there to be a role, especially in time critical incidents, for Cyber Command to contribute so long as they are also coordinating with Treasury and [DHS],” said Healey.
Blurring government boundaries
Project Indigo raises questions about the existing hierarchy in government and whether decision-makers see a need for the military to be more integrated with the private sector on cybersecurity.
Over the last eight years, the Defense Department’s role in working with private companies on cybersecurity has fluctuated significantly.
During the Obama administration, the government took steps to make DHS the lead on public-private partnerships. This push was boosted in 2015, when Congress passed the Cybersecurity Information Sharing Act (CISA). The law gave certain liability protections to private companies whenever they shared cyberthreat data with the government through a portal managed by DHS.