Biden orders spy agencies to share more cyber-threat intel with banks

The White House issued a policy directive Tuesday that will require the U.S. intelligence community to share more cybersecurity threat information with banks and other companies and create a regularly updated list of systemically important entities that are particularly important for national stability reasons to protect from cyberattacks.

Among the other impacts of the national security memorandum, the directive reaffirms the Cybersecurity and Infrastructure Security Agency, or CISA, is the national leader on efforts to secure the nation's critical infrastructure, which includes the financial services sector, and gives the U.S. Department of Treasury influence over which banks receive the new designation of "systemically important."

The new designation is different from similar ones issued by other regulatory bodies — for example, the Financial Stability Board's "systemically important financial institutions" designation. Banking sector trade groups expressed support for how the designation will be implemented.

"These changes will better align risk designations to avoid duplication and ensure they are tailored to the risks facing financial institutions today," said Paul Benda, executive vice president of risk, fraud and cybersecurity for the American Bankers Association.

The list of systemically important entities has been under development since March 2023, when CISA established an office to start creating it. The policy directive issued Tuesday establishes a clear mandate to create and maintain the list, which the order also states will not be available to the public.

On the whole, Benda said the association "welcomes the administration's National Security Memorandum, which incorporates feedback from the financial services industry," saying that it "builds on the successful public-private sector collaboration for cybersecurity and critical infrastructure."

The Bank Policy Institute, a policy advocacy group representing large financial institutions, also "strongly supports" the policy directive and commended the administration of President Joe Biden "for its ongoing commitment to strong public-private partnerships," according to Heather Hogsett, a senior vice president for the institute.

The policy directive "will also support the financial sector by enhancing collaboration with national security agencies to ensure the intelligence community collects, analyzes and disseminates timely information on threats to critical infrastructure to support national-level systemic risk mitigation," Hogsett said.

The U.S. intelligence community — which includes the FBI, CIA, National Security Agency and other agencies — has long provided cybersecurity threat information to companies and trade groups across the U.S. But the Tuesday directive specifically orders the Director of National Intelligence to prioritize issuing intelligence reports and analysis on threats to critical infrastructure "at the lowest possible classification level, consistent with the protection of sources and methods, such as through the robust use of tearlines," which are excerpts of intelligence reports.

Cyber security

What banks need to know about the White House's cybersecurity strategy

The strategy document identifies potential avenues for cutting cybercriminals off from financing, as well as other actions banks can take.

By Carter Pape

March 3

Using the "lowest possible classification level" will mean that more banks can get access to classified information if they have a security clearance obtained through the Department of Homeland Security's private sector security clearance program. Typically only government employees and government contractors can obtain security clearances, but under the program, critical infrastructure owners and operators can apply for "secret" level security clearances.

Bank owners and operators could get a variety of information from these intelligence-sharing efforts. In alerts and advisories about software vulnerabilities and ransomware attacks, government agencies often include IP addresses, attack vectors, file fingerprints and other so-called indicators of compromise to help companies detect and ward off cyber threats. They may also highlight the strategies threat actors use to trick victims into sharing passwords or other information.

The directive, which replaces a similar 2013 policy directive, will also help clear up the roles and responsibilities of federal agencies including CISA, Treasury and the prudential regulators, according to a spokesperson for BPI. In particular, it reaffirms Treasury will remain the primary cybersecurity point of contact for banks and that the Department of Homeland Security (the parent agency of CISA) will lead the government-wide effort to secure U.S. critical infrastructure.

Clearing up these roles, ensuring the intelligence community adequately shares cybersecurity intelligence with banks and other companies and aligning regulatory definitions of which companies are "systemically important" — it all comes in the service of fighting back against state actors that target American critical infrastructure and tolerate or enable malicious activity conducted by non-state actors, according to Caitlin Durkovich, deputy assistant to the president and deputy homeland security advisor for resilience and response.

"The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on U.S. water systems by our adversaries, and the frequent and repeated testimony of the FBI Director and other senior administration officials who have sounded the alarm about the ways our critical infrastructure is being targeted by our adversaries," Durkovich told reporters Tuesday.

"Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security," Durkovich she added.