

For Release: Immediately

Contact:
Crystal Bueno
DTCC
clevy-bueno@dtcc.com
212.855.5473

New York, May 5, 2009 - Donald F. Donahue, Chairman and CEO of The Depository Trust & Clearing Corporation (DTCC), today called on the public and private sectors to establish a more formal effort to collaborate and share information on potential vulnerabilities in the nation's cyber infrastructure, to combat increases in both the sophistication of cyber attacks and the threats they pose to the financial services industry and the nation.
"Today's cyber enemies routinely steal and market passwords and financial information; they've breached well-defended national defense systems; they've infiltrated the very computers that control the power grid in other countries," Donahue said in a keynote address this morning to the Financial Services Information Sharing and Analysis Center (FS/ISAC) spring meeting in Florida. "With all the recent high-profile cyber security incidents, there's no question that we need to make qualitative changes in our strategies to protect the supply chain supporting the financial services infrastructure."
Consumers in the United States have lost close to $8.5 billion over the last two years to cyber crime, according to Consumer Reports, and in April the Pentagon announced that it had spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems.
As the world's largest post-trade infrastructure organization, DTCC operates the critical technology network that supports much of the financial system, across all asset classes. At its core, DTCC is a huge data processing business, involving the safe transfer of billions of dollars in securities and funds under tight deadlines every day. In 2008, DTCC cleared and settled more than $1.88 quadrillion annually in securities transactions.
According to research from Carnegie Mellon University, almost 90 percent of reported security incidents result from exploiting defects in software, so ensuring software integrity is critical to protecting the infrastructure and reducing the overall risk of cyber attacks.
Recently, technology executives at DTCC, as well as those at Adobe, EMC, Google and Microsoft, among others, participated in a benchmarking report on software security from Cigital and Fortify Software. DTCC's four-year-old software security program was recognized by the authors of the study, published in March, as one of the most advanced in the world.
"We pay attention to creating more effective software assurance even as we're writing code," said Donahue. "DTCC's developers leverage a pre-established security application architecture that addresses the authentication and entitlement management design issues, enabling them to focus on building new functionality. This has significant economic benefit in terms of productivity saved — and risk mitigation for customers."
Besides software vulnerabilities, another weakness in the supply chain supporting the financial services infrastructure identified by Donahue is the information technology "monoculture."
"The reality is that all of our firms have information technology environments that are largely similar," said Donahue. "We rely on the same software packages, the same hardware vendors, and the same networks to interact with each other, particularly the open networks. Through FS/ISAC, the financial sector is doing an increasingly better job at identifying the concentration risks and vulnerabilities. However, our sector is extremely reliant on other sectors that do not have the same level of awareness, regulation or even organization."
Donahue served as sector coordinator and chairman of the Financial Services Sector Coordinating Council (FSSCC) for Critical Infrastructure Protection and Homeland Security from May 2004 through 2006. Under the overall guidance of the Department of the Treasury, FSSCC's mandate is to build and improve public-private partnerships and to facilitate knowledge-sharing and the timely dissemination of critical information among all sector constituencies.
In his role as FSSCC chairman, Donahue experienced firsthand how this group of more than 30 private-sector firms and financial trade associations formed such an alliance with the public sector — the Treasury Department and the regulatory community — to help reinforce the financial services industry's resilience against terrorist attacks and other threats to the nation's financial infrastructure.
"There are multiple pieces to the infrastructure protection puzzle; some of those pieces are held by the private sector and others by the public sector," Donahue said. "The pieces we each hold individually may not seem meaningful in themselves, but when many of them are brought together, the whole picture starts to take shape. Nowhere is that more true than in the context of the cyber threats and the cyber security issues. The public sector and the private sector need to form a relationship that permits us, as partners and collaborators, to put our pieces together to frame a clearer picture."
"If we're going to win this fight against our sophisticated cyber opponents — now, more than ever, we need such an alliance between the public and private sectors," he concluded.
Note to editors:
Donahue's keynote address to FS/ISAC, "The Public-Private Partnership and Supply Chain Resilience," is available from DTCC.com, under "Thought Leadership."
DTCC, through its subsidiaries, provides clearance, settlement and information services for equities, corporate and municipal bonds, government and mortgage-backed securities, money market instruments and over-the-counter derivatives. In addition, DTCC is a leading processor of mutual funds and insurance transactions, linking funds and carriers with their distribution networks. DTCC's depository provides custody and asset servicing for more than 3.5 million securities issues from the United States and 110 other countries and territories, valued at US$27.6 trillion. In 2008, DTCC settled more than US$1.88 quadrillion in securities transactions. DTCC has operating facilities in multiple locations in the United States and overseas.