Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command


By Chris Bing

A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
The pilot program, codenamed “Project Indigo,” recently established an information-sharing channel for a subunit of FS-ISAC known as the Financial Systemic Analysis & Resilience Center (FSARC). That subunit shares “scrubbed” cyberthreat data, including malware indicators, with the Fort Meade-based Cyber Command, according to current and former U.S. officials.
The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.
The program is currently organized in a fairly informal manner, but participants have been discussing a more formal arrangement. Eight financial institutions are involved in FSARC: Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo. Project Indigo also provides data to the Department of Homeland Security and U.S. Treasury. However, those agencies were already getting data from the banks that is narrowly leveraged for defensive measures.
In an emailed statement, a Cyber Command spokesperson acknowledged Project Indigo’s existence.
“The pilot began in 2017 with USCYBERCOM personnel receiving sector-specific exposure to risks facing critical financial payment systems, and observing exercises related to risk mitigation and recovery around realistic scenarios,” said Cyber Command spokesperson Col. Daniel King. “Later, two samples of anonymized cyber threat information were shared with USCYBERCOM to allow the government and its critical infrastructure partners the ability to jointly assess and address emerging threats.”
“No Personally Identifiable Information (PII) was shared with USCYBERCOM as part of this effort,” King added.
The financial institutions that participate in the arrangement gave consent to FSARC to share the data with the U.S. government, a person familiar with the effort told CyberScoop. Sources spoke on the condition of anonymity due to the sensitive nature of the program.
In one recent case, FSARC gave Cyber Command a “combo of open-source derived IOCs [indicators of compromise] associated with DPRK [North Korea] and some observed,” one source said. “Open source” in this case means from outside a financial institution, while “observed” refers to internal data.
Under the agreement, financial institutions share data “considered not exclusive” to any one financial firm, a former U.S. official said. Another source familiar with the program said that it was challenged by the simple fact that the banks weren’t yet “interested in sharing at a level which would be truly useful [for Cyber Command].”
An October 2016 press release originally announcing FSARC explained that its mission is to “proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cyber security threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government.”
That announcement specifically described “government partners” as Treasury, DHS and the Federal Bureau of Investigation, but it did not mention U.S. Cyber Command or the National Security Agency.
Wells Fargo, Bank of America and JPMorgan Chase did not respond to multiple requests for comment. The Office of the Director of National Intelligence and NSA deferred to Cyber Command for comment.
It’s widely known that large financial institutions face a bevy of sophisticated cyberattacks from both nation states and well-equipped criminal groups. Organized as a private non-profit organization, the FS-ISAC sits at the center of this activity, collecting and sharing information between companies so they can be collectively informed about active cyberthreats.
The collected data can often be extremely sensitive. Not only does it contain malware indicators, but sometimes other sensitive information tied to the targeted institutions. As a result, the intelligence is usually both highly valuable for defenders and potentially dangerous if it’s ever made public.
In an emailed statement, an FS-ISAC spokesperson said: “[Project Indigo] focuses on sharing cyber threat intelligence related to key threats facing systemically important critical infrastructure operators, with the intention of protecting our financial institutions, their networks and their clients. No customer information has been shared with the U.S. Government under Project Indigo.”
While it’s common for businesses to voluntarily provide federal agencies with information about incidents in cyberspace, the 2013 Edward Snowden leaks chilled these types of relationships, especially between private companies and intelligence agencies. Cyber Command is not an intelligence unit, but it maintains a close relationship with the NSA, including sharing the same leader and building.
Jason Healey, a former intelligence officer and current senior research scholar at Columbia University’s School for International and Public Affairs, told CyberScoop he believed Project Indigo represented a pragmatic step forward.
“We need to be prepared for there to be a role, especially in time critical incidents, for Cyber Command to contribute so long as they are also coordinating with Treasury and [DHS],” said Healey.

Blurring government boundaries

Project Indigo raises questions about the existing hierarchy in government and whether decision-makers see a need for the military to be more integrated with the private sector on cybersecurity.
Over the last eight years, the Defense Department’s role in working with private companies on cybersecurity has fluctuated significantly.
During the Obama administration, the government took steps to make DHS the lead on public-private partnerships. This push was boosted in 2015, when Congress passed the Cybersecurity Information Sharing Act (CISA). The law gave certain liability protections to private companies whenever they shared cyberthreat data with the government through a portal managed by DHS.
