Dec. 16, 2015
The Securities and Exchange Commission's recent initiatives to gather and analyze more information about the securities markets represent an essential component of being an effective regulator. These initiatives will certainly assist the Commission in achieving its perennial goal of becoming a more informed and astute regulator, and will help the Commission keep pace with our rapidly evolving markets.
These initiatives, however, have led some market participants to express concerns that certain aspects of the Commission's data gathering efforts could have an unfortunate consequence. Specifically, these market participants are worried that at least some aspects of the Commission's data modernization efforts could potentially increase the Commission's cyberattack profile.[2]
There is no question that the Commission needs to collect and analyze substantial amounts of data about the markets and entities it regulates. There is also no question that the Commission must take appropriate steps to protect this data. The following discussion addresses the Commission's data needs, the recent efforts to obtain that data, the cybersecurity threats that the Commission may face, and, importantly, some thoughts on how such threats could be mitigated.
At the outset, I should note that it is difficult to have a meaningful discussion about cybersecurity issues when using only broad or general language. As a result, the following can be somewhat technical at times. But this is likely an unavoidable aspect of offering specific observations on a topic that is itself quite technical.
Our capital markets have undergone a period of aggressive change in recent years, and they are now larger, faster, and more sophisticated than ever before. The advent of modern information technology, coupled with relentless innovation, has provided numerous benefits to our markets. These changes have vastly enhanced liquidity,[3] democratized our markets,[4] and driven trading costs to historical lows.[5] At the same time, modern information technology presents myriad challenges that need to be carefully managed. Among other things, technology has transformed the landscape of our markets by allowing trading to be spread across a sprawling network of trading venues, including 11 exchanges,[6] approximately 44 alternative trading systems,[7] and more than 200 broker-dealers.[8] Clearly, monitoring trading activity in today's more fragmented markets is a far more challenging endeavor than it was just a decade ago.
The rise of algorithmic trading in recent years has proven to be an equally disruptive change. The majority of stock quotations—that is, offers to buy or sell a stock—are now generated by algorithms.[9] This complicates the Commission's efforts to supervise our markets in a number of ways. For example, it has led to a dramatic rise in the number of stock quotations that markets handle each day. According to one analysis, the number of daily stock quotations rose from less than 100 million in 2006 to more than 500 million in 2012, and peaked at an astonishing 2.3 billion during the financial crisis.[10] In addition, the rise of algorithmic trading has allowed our markets to move much more quickly than ever before. In fact, it is estimated that the best quoted price for large company stocks now changes every 50 milliseconds, on average.[11] If the Commission is to monitor markets such as these, it will need an enhanced set of regulatory tools.
Of course, the most useful tool any regulator can possess is accurate and complete information on which to base its decisions. It's well known that, in the past, the Commission has lacked important data it needs to properly supervise our markets. This informational deficit has been felt most keenly with respect to trading activity during severe market disruptions, and this problem has grown even more acute in recent years. In fact, the so-called "Flash Crash" of 2010 revealed just how badly uninformed the Commission can be.[12] It took the staffs of both the SEC and CFTC[13] over four months to acquire the necessary data to analyze the events of those fateful 20 minutes in May 2010.[14] And, as I have previously noted, the staff faced an even more daunting challenge in gathering data to analyze the flash crash in the U.S. Treasury market in October 2014.[15]
To address the Commission's need for broader, deeper, and more timely information about our capital markets, the Commission has embarked upon an ambitious program of enhancing and modernizing its efforts to collect and analyze market data. The Commission's goal is to gather detailed and up-to-date data about our markets, and to perform analyses of this data that yield useful insights into how our markets function. For example, the planned Consolidated Audit Trail, or "CAT," will allow the Commission to track trading activity for all major stocks in the United States.[16] When operational, the CAT will be the world's largest data repository of securities transactions.[17] The CAT should improve market oversight by allowing the Commission to identify and address potential risks before they metastasize into larger problems.[18]
The Commission's Office of Compliance Inspections and Examinations (OCIE) is also pursuing the data it needs in order to fulfill its duties. For example, OCIE has established a Quantitative Analytics Unit to expand the scope of its data collection,[19] and its National Exam Analytics Tool system, or NEAT, allows OCIE staff to review market data within minutes.[20] Finally, OCIE's Risk Assessment and Surveillance Group harvests data from SEC filings and analyzes it to identify activity that may warrant further examination.[21]
Other divisions within the Commission have pursued enhanced data gathering efforts, as well. The Commission's Division of Economic and Risk Analysis (DERA), for example, has established a Quantitative Research Analytical Data Support program, or QRADS,[22] which generates standardized quantitative reports of financial markets and registrant activities to help the Commission better monitor the capital markets and identify potential risks.[23] The Commission has also tasked DERA's recently created Office of Risk Assessment with deploying data-driven analytics to assist in identifying potential market misconduct.[24]
The Division of Enforcement, too, has been working to better understand the activities of market participants. For example, as part of its Aberrational Performance Inquiry,[25] the Division of Enforcement has been using proprietary analytical tools to identify and investigate hedge funds and financial advisory firms that have reported questionably high returns.[26] Similarly, the Enforcement Division's Automated Bluesheet Analysis Project allows Commission staff to gather vast amounts of information about potentially suspicious trading patterns and relationships among traders who may be attempting to profit through illegal insider trading.[27]
These efforts, impressive as they are, still do not provide the Commission with all of the information and analysis it needs in order to be a truly informed and effective regulator. Accordingly, the Commission has proposed and, in some instances, adopted rules to improve its access to timely and accurate information about the assets held by various entities, such as money market funds and mutual funds, as well as about the activities of investment advisers. For example, the financial crisis made clear that the information the Commission received at the time as to money market funds was too stale to be of regulatory use. As a result, the Commission promulgated a rule to require money market funds to provide monthly disclosures of their investment portfolios.[28] This new data has proven invaluable, and earlier this year, the Commission proposed a similar reporting requirement for all other registered funds.[29] The enhanced information will provide a more complete perspective of the market, and allow the Commission to become a more knowledgeable regulator.
This new data and the related analyses will have immense value—but perhaps not just for the Commission. Some of this new information could be valuable to cybercriminals, as well. For example, as one industry group has noted, the data the Commission plans to gather monthly on the portfolio holdings of registered investment companies will "create a vast, unique, single repository of structured data that undoubtedly will attract the interest of cybercriminals" who could use the information to "engage in predatory trading practices," among other things.[30] And, as another industry group has noted, the CAT will aggregate vast amounts of investors' social security and taxpayer identification numbers in a single repository.[31] Experts note that a Social Security Number is "the single most important piece of government-issued identification an American citizen can have, and the most valuable piece of ID cybercriminals can get their hands on."[32] The CAT repository may thus be a prime target for cyberattacks. Although the CAT data would reside on a database maintained by a third-party (which raises its own concerns), the Commission would have direct access to that database, and thus the Commission could potentially serve as an attack vector for cybercriminals seeking access to this highly confidential information.[33]
It is clear that the Commission needs to collect additional information about our markets if it is to remain an effective regulator. But having invoked its authority to collect and analyze this information, the Commission simultaneously acquires a countervailing obligation to protect it from misuse. A key safeguard in this respect will be to ensure that the cybersecurity protocols of the Commission and any of its third-party service providers are commensurate with its risk profile.
This is no easy task. According to the FBI, every major corporation in the United States has been hacked.[34] And the federal government has proven to be an equally alluring target. In his Congressional testimony, the executive assistant director for the FBI's Criminal, Cyber, Response and Services Branch opined that any federal government agencies that believe they have not been hacked are likely mistaken—they just don't realize it yet.[35] The available data on federal cybersecurity incidents paints an equally bleak picture: according to the Governmental Accounting Office (GAO), the number of cybersecurity incidents reported by federal agencies has increased more than 1,000 percent since 2006.[36]
As for the Commission's own efforts, there have been—and are—efforts underway to develop the cybersecurity measures necessary to protect the data it collects, and I commend the staff for their commitment to this critical issue.[37] Importantly, the staff's hard work has paid measurable dividends. For example, the GAO reported in November 2014 that the Commission sufficiently addressed certain deficiencies in its information security procedures so that the GAO no longer considered these deficiencies to be significant.[38] Similarly, a review by the Commission's Office of Inspector General ("Inspector General") completed in February of this year found that the Commission's Office of Information Technology "has made progress in key areas of information security, including in the agency's management of its continuous monitoring, configuration, and identity and access controls."[39] These results demonstrate that the Commission remains committed to the ongoing process of maintaining a robust information security program.
Yet, as with any organization, there appears to be room for improvement. Both the GAO and the Inspector General have identified areas where weaknesses persist in the Commission's information security efforts. For example, the GAO noted in April of this year that the Commission has "not consistently implement[ed] effective internal controls over its information systems operations," and found weaknesses relating to "baseline standards" and "security configurations" for "password settings and network services."[40] Similarly, in February 2015, the Inspector General noted a number of specific weaknesses, including a "lack of full implementation of continuous monitoring," a lack of "multi-factor authentication for external systems," and "outdated procedures and inconsistencies with policies," among others.[41]
It is my belief that the difficulties the Commission has faced in establishing an effective cybersecurity program stem, at least partly, from the fact that the Commission is only one of two financial regulators not to be self-funded.[42] In January 2014, for example, Congress reduced by half the $50 million reserve fund the Commission had set aside for technology initiatives.[43] As Chair White remarked at the time, this cutback affected "the pace and extent of [the Commission's] progress" toward developing needed information technology systems.[44]
The vicissitudes of the annual federal budget process can complicate the sort of long-term planning that is crucial for developing and maintaining well-protected information technology systems. These challenges notwithstanding, the Commission must strive to use its limited—and somewhat unpredictable—resources as effectively as possible.
The findings by the GAO and the Inspector General suggest that the Commission will need to remain focused on cybersecurity issues if it is to meet its obligations to market participants and the public interest. A plethora of guidance is available on the best ways to establish a robust cybersecurity defense, including the National Institute for Standards and Technology's (NIST) Cybersecurity Framework,[45] the nationwide Cyber Hygiene Campaign,[46] and the Center for Internet Security's recently updated Critical Security Controls for Effective Cyber Defense,[47] to name just a few. Fortunately, among other actions being taken, the Commission is already applying a security assessment and authorization framework consistent with NIST's guidance whenever the Commission implements new IT systems, including the new systems described above.[48]
It is beyond the scope of this statement to discuss all of the specific cybersecurity measures the Commission should pursue. Yet, I note that many experts have observed that the constant onslaught of new cybersecurity products, services, guidelines, and training has created a "fog of more," in which "competing options, priorities, opinions, and claims . . . can paralyze or distract an enterprise from vital action."[49] Finding ways to cut through this fog will be one of the Commission's most important tasks in the years ahead.
One strategy that can often be successful when tackling a daunting challenge like cybersecurity is to concentrate on the basics. An effective cybersecurity regime is rooted in such commonsense measures as practicing good cyber hygiene, patching critical vulnerabilities, and using multi-factor authentication.[50] Staff in the Commission's Office of Information Technology have advised my office that the Commission is working diligently to apply these protocols, and that is encouraging, indeed.
The Commission has an overarching obligation to protect the integrity of the markets it oversees. Consequently, in light of the potential harm that could result if certain of the Commission's market-related data were compromised or stolen, it is incumbent on the Commission to develop a cybersecurity program commensurate with this responsibility. To that end, among other things, the Commission's unique needs will have to be identified through a risk-based analysis that incorporates "well-trained personnel, effective and consistently applied processes, and appropriately implemented technologies."[51]
This approach—focusing on people, processes, and products—is consistent with the widely accepted view that the most successful cyber-strategy is to adopt a multi-layered, defense-in-depth methodology, one that includes overlapping and mutually supportive defensive systems.[52] Given the significance of these areas, I will discuss each of them briefly.
It is appropriate to mention personnel first because the single greatest cybersecurity risk that any organization faces comes from within.[53] In fact, a recent IBM study found that the majority of cybersecurity incidents could be traced to the victim organization's own staff.[54] Employees and contractors can exploit legitimate access to an organization's computers for malicious purposes, or can unwittingly create vulnerabilities, such as by misconfiguring a system or falling victim to a spear-phishing campaign.[55]
To address these risks, the Commission should continue to emphasize information security as a core value of this agency, one that all staff and contractors are expected to uphold. In this regard, I note that Chair White and the Commission's Chief Information Officer have acknowledged the importance of cybersecurity on several occasions.[56] Setting the right tone at the top is important, and helps to ensure that the Commission's employees conscientiously follow the Commission's cybersecurity protocols each and every day.
To guard against potential breaches, the Commission needs a rigorous training program that will help its staff to recognize and manage key cybersecurity threats, such as how to prevent misuse of sensitive information by fellow employees or contractors, and how to identify attacks from the outside, particularly spear phishing emails. In this regard, I am encouraged that the Commission conducts cyber-training on an annual basis. But it is certainly worth asking if annual training is sufficient to keep our staff focused on this critical area, where novel threats are constantly emerging. Furthermore, I urge the Commission to develop innovative methods to train its employees on the crucial importance of cybersecurity, such as those being utilized by the Department of Homeland Security.[57] To that end, I understand that the staff recognizes the importance of this issue, and is already pursuing new training methods, including role-based training. I hope such initiatives will be implemented in the near future.
Equally vital is that the Commission consistently require its third-party service providers and contractors to implement robust cybersecurity programs that meet explicit security thresholds. It has been reported that cybercriminals are focusing on contractors as a gateway into larger organizations.[58] The need for robust cybersecurity programs should be clearly articulated in the Commission's written agreements with those vendors, if it is not already. It is also a good idea for those contracts to grant the Commission staff the ability to conduct their own assessment as to the efficacy of those cybersecurity programs. The stakes for the capital markets and investors are simply too high to merely rely on a vendor's self-interested representations.
Finally, the Commission must continue to hire qualified cybersecurity staff, and provide them with the resources they need in order to marshal a robust defense against the latest cyber threats. In this regard, I am pleased that the Commission recently appointed a new Chief Information Security Officer (CISO). I look forward to seeing what steps the new CISO will take to continue to hone the Commission's cybersecurity defenses.
Another cornerstone of a successful cybersecurity program is the development and maintenance of a set of well-defined policies and procedures that all employees can understand and implement.[59] Equally important is that these policies and procedures remain current in light of a constantly shifting cyber threat landscape. As the Commission gathers new types of data and develops new systems to store and process it, the Commission should rigorously assess whether its policies and processes need to be updated to address any new information security risks that may arise. In this regard, the Commission should continue to apply a rigorous security assessment and authorization analysis to its systems.
In addition, the Commission should continue to maintain a defense-in-depth strategy. Such a strategy should, where appropriate, incorporate multiple dimensions and a tiered approach, so that the most stringent protocols are targeted at the activities and data that present the greatest degree of risk. As some experts have commented, many organizations, including federal government agencies, have developed a security architecture that is designed to protect their entire network equally.[60] This approach has failed federal agencies repeatedly in recent years,[61] and the Commission should consider whether more effective strategies exist, such as one that focuses greater attention and resources on protecting the most sensitive data—the crown jewels, so to speak.[62]
Furthermore, some experts have argued that most organizations—including federal agencies—have unduly focused their cybersecurity efforts on perimeter defenses.[63] Such defenses are a valuable and critical tool, and they provide important protections every day.[64] Yet, experience has made painfully clear that perimeter defenses will ultimately fail. Indeed, even some of the largest, most technologically savvy organizations have suffered massive data breaches in recent years.[65] No matter how quickly new perimeter defenses are developed and refined, cyber attackers have proven adept at simply pivoting to new tactics, and finding better ways to conceal their presence on networks once they gain access.[66]
Accordingly, to establish a truly robust cybersecurity program, the Commission would do well to consider an approach that acknowledges the inevitability of a breach, and takes appropriate steps to mitigate the resulting damage. The Commission's cybersecurity strategy should remain focused on perimeter defenses, to be sure, but not to the exclusion of other beneficial and necessary safeguards. For example, as a complement to measures that protect its network, it is appropriate for the Commission also to consider methods of ensuring the security of the systems within its network, and the data stored on those systems.[67] The need for such a complementary approach is underscored by the fact that, in virtually every breach of a federal agency's network in recent years, the attackers were apparently able to navigate the agency's network freely once they had breached the network's perimeter security.[68]
Given that the Commission should assume that a breach will occur, it is appropriate for the Commission to consider developing processes that will allow it to identify suspicious activity taking place within its own network. This requires that the Commission have true visibility into the operations of its own systems.[69] The federal government's Continuous Diagnostics and Mitigation (CDM) program is a valuable tool in this regard, as it should provide better information about cyber attackers' activities within government agencies' networks.[70] It is therefore encouraging that the Commission is reportedly working on a memorandum of agreement with the General Services Administration to implement the CDM program in the future.[71] Until the CDM program is fully implemented, however, the Commission should maintain its own network monitoring strategies, as other agencies are reportedly doing.[72]
In addition, I would urge the Commission to make an independent assessment of the capabilities of the CDM solution, and determine if CDM needs to be supplemented in any way. For example, if CDM does not provide full visibility into the purpose, length, frequency, volume and, ultimately, content of all communications between the Commission's different systems, then it would be appropriate for the Commission to pursue additional solutions to provide this essential degree of visibility.[73] Similarly, the Commission should consider making its own judgments as to whether the threat intelligence information it receives through CDM and from federal government agencies is sufficient, or needs to be bolstered with intelligence from other, perhaps private, vendors.[74]
Further sharpening the Commission's predicament is the fact that some experts have suggested that strategies like the CDM program, standing alone, may not be sufficient, and that federal agencies should pursue additional protections for their networks and data.[75] For example, some experts have asserted that federal agencies should compartmentalize their networks to prevent attackers from moving freely around those networks if they gain access.[76] As part of this strategy, the Commission may also want to consider segregating the systems where its most sensitive data resides, such as by establishing entirely separate computer networks for such data and isolating these networks from the internet.[77]
Other measures to minimize the damage of a breach could be warranted, as well. Some experts have urged federal agencies to adopt additional solutions that could provide further safeguards for their data. In particular, some experts claim that agencies could essentially immunize their systems against cyberattacks by moving their security measures closer to the data itself. One such strategy is to encrypt the most sensitive data, so that even if an attacker succeeds in removing it from the Commission's systems, that data would nevertheless remain secure.[78] Given that a breach is likely inevitable, safeguards like encryption would seem to be a prudent measure. And, given the near certainty of a breach, it is vital that the Commission's systems are sufficiently resilient to recover from a successful attack.
The Commission may also want to explore possible avenues to make its cybersecurity efforts more proactive. For example, the Commission should consider the possibility of monitoring the so-called dark web for indications that cybercriminals may be targeting the Commission.[79] Cybersecurity experts have observed that the dark web offers "a secure platform for cybercriminals to support a vast amount of illegal activities—from anonymous marketplaces to secure means of communication, to an untraceable and difficult to shut down infrastructure for deploying malware and botnets."[80] It is therefore prudent to focus on this important staging area for cyberattacks. Attempting to monitor the dark web will pose "significant challenges"[81] to be sure, but it is a strategy worth pursuing if the necessary tools become available.[82]
Finally, the Commission must ensure that it has the appropriate technology to keep pace with today's dynamic attacks, which can involve multiple stages and vectors.[83] As noted above, the Commission needs the right tools not only to prevent intrusions, but also to detect and respond to such intrusions if they succeed. Admittedly, this is easier said than done. Selecting the best solutions from the myriad products and services offered by the cybersecurity industry is no simple task.[84] Accordingly, the Commission must continue to devote sufficient resources to this issue (and to ask Congress for the necessary funding).
Equally important, the Commission should strive to understand what software developers are doing to incorporate information security into their products from the very outset. For example, it is appropriate for the Commission to consider requiring software developers to "verify that [their] products remain trustworthy through every point in the supply chain that delivers the product . . . ."[85] More fundamentally, the Commission may want to consider requiring contractual assurances that vendors' software is secure and reliable. As I recommend above, the Commission should consider whether such contracts ought to provide the Commission with the ability to "look behind the curtain" and make its own independent assessment.[86]
To be a responsible steward of the data it collects, the Commission must continue to make information security a paramount goal. This is an agency-wide responsibility. In today's world, cybersecurity can no longer be the exclusive province of information technology professionals, nor can it be a static goal. As I have said before, "[c]ybersecurity is not a problem to be solved, but a continuous threat that demands constant attention."[87] It must therefore be a responsibility that every member of this agency shares, every single day.
I hope the above thoughts will help advance the dialogue on how the Commission can ensure that it has the most effective cybersecurity protocols possible. I recognize, however, that they are by no means comprehensive. Nonetheless, the stakes are high, and so are the expectations the Commission faces from market participants and investors. We simply cannot afford to fall short.
[1] The views I express are my own, and do not necessarily reflect the views of the U.S. Securities and Exchange Commission (the "SEC" or "Commission"), my fellow Commissioners, or members of the staff. Cybersecurity issues have been especially important to me during my tenure as a Commissioner. In fact, this marks the fifth occasion on which I have addressed cybersecurity issues in a public forum. See Commissioner Luis A. Aguilar, The Commission's Role in Addressing the Growing Cyber-Threat, Securities and Exchange Commission Cyber Roundtable (Mar. 26, 2014), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184; Commissioner Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus, Cyber Risks and the Boardroom Conference, New York Stock Exchange (June 10, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946; Commissioner Luis A. Aguilar, A Threefold Cord: Working Together to Meet the Pervasive Challenge of Cyber-Crime, SINET Innovation Summit (June 25, 2015), available at http://www.sec.gov/news/speech/threefold-cord-challenge-of-cyber-crime.html; Commissioner Luis A. Aguilar, The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses, Cyber Security Review (Autumn 2015), available at http://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html. I want to acknowledge the help of all my counsels who have contributed to these public statements.
[2] Comment Letter from the Investment Company Institute regarding Investment Company Reporting Modernization and Amendments to Form ADV and Investment Adviser Act Rules, 6 (Aug. 11, 2015) (noting that "[t]he SEC's storage of immense volumes of monthly fund data would create a vast, unique, single repository of structured data that undoubtedly will attract the attention of cyber criminals. . . . A hack of portfolio holdings information could expose the entire universe of funds to predatory trading practices, including frontrunning of fund trades, 'free riding' of fund investment research, and reverse engineering or 'copycatting' of fund investment strategies—all at the expense of fund shareholders. Such a data breach would cause major financial losses that not only would impact fund shareholders and fund advisers, but also would cause great harm to the SEC itself and the overall capital markets."), available at https://www.sec.gov/comments/s7-08-15/s70815-315.pdf; Letter from James T. McHale, Managing Director and Associate General Counsel, Securities Industry and Financial Markets Association, to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 10 (Aug. 17, 2010) (commenting on the Commission's mandate to industry participants to create a consolidated audit trail, and noting that "[a]lthough the SEC has a strong record of protecting investor privacy, the very presence of potentially billions of unique customer identifiers tied to personal information in a central repository would create a substantial risk of misuse and identity theft."), available at http://www.sec.gov/comments/s7-11-10/s71110-63.pdf.
[3] Terrence Hendershott et al., Does Algorithmic Trading Improve Liquidity?, The Journal of Finance (Feb. 2011) (noting that automated trading "improves liquidity and enhances the informativeness of quotes," particularly for large cap stocks).
[4] John V. Duca, The Democratization of America's Capital Markets, Dallas Federal Reserve Economic and Financial Review (2001).
[5] In fact, automated trading systems have allowed U.S. transaction costs to go from being the highest in the world to the lowest.
[6] See BATS Market Volume Summary, U.S. Stock Exchanges (Apr. 29, 2015), available at http://www.batstrading.com/market_summary/. Of the eleven exchanges, three are operated by the New York Stock Exchange, three are operated by NASDAQ, four are operated by BATS, and the final one is CHX.
[7] See FINRA ATS Transparency Data (Apr. 6, 2015), available at https://ats.finra.org/TradingParticipants. Although 85 alternative trading systems were registered with the Commission as of April 6, 2015, only 36 are currently trading. A list of alternative trading systems registered with the Commission is available at http://www.sec.gov/foia/ats/atslist0415.pdf.
[8] Testimony of Stephen Luparello, Director of the Division of Trading and Markets, Before the United States Senate Subcommittee on Securities, Insurance, and Investment, Committee on Banking, Housing, and Urban Affairs (Mar. 10, 2015), available at http://www.sec.gov/news/testimony/testimony-venture-exchanges.html.
[9] Richard Finger, High Frequency Trading: Is It A Dark Force Against Ordinary Human Traders And Investors?, Forbes (Sept. 30, 2013), available at http://www.forbes.com/sites/richardfinger/2013/09/30/high-frequency-trading-is-it-a-dark-force-against-ordinary-human-traders-and-investors/ (quoting Nanex LLC founder, Eric Hunsader, as stating that "[t]oday, 90 to 95 percent of all quotes emanate from High Frequency machines"); see also World Federation of Exchanges, Understanding High Frequency Trading, 2, available at http://modernmarketsinitiative.org/wp-content/uploads/2013/10/WFE_Understanding-HFT_May-2013.pdf (noting that high frequency trading, which is a subset of algorithmic trading, "was estimated in 2012 by consultancy Tabb Group to make up 51% of equity trades in the US" (internal citation omitted)).
[10] Nanex, The Rise of the HFT Machines, available at http://www.nanex.net/aqck/2804.html.
[11] Jennifer Conrad, Sunil Wahal, and Jin Xiang, High-frequency quoting, trading, and the efficiency of prices, 116 Journal of Financial Economics (May 6, 2015), available at http://ac.els-cdn.com/S0304405X15000240/1-s2.0-S0304405X15000240-main.pdf?_tid=43699724-5af1-11e5-a324-00000aacb362&acdnat=1442242977_c850a099ab35f70dbd5635120a310672.
[12] Report of the Staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues, Findings Regarding the Market Events of May 6, 2010, 7, (Sept. 30, 2010), available at http://www.sec.gov/news/studies/2010/marketevents-report.pdf ("Of final note, the events of May 6 clearly demonstrate the importance of data in today's world of fully-automated trading strategies and systems.").
[13] U.S. Commodity Futures Trading Commission
[14] Report of the Staffs of the CFTC and SEC to the Joint Advisory Committee on Emerging Regulatory Issues, Findings Regarding the Market Events of May 6, 2010, 1, 5-6, (Sept. 30, 2010), available at http://www.sec.gov/news/studies/2010/marketevents-report.pdf ("Of final note, the events of May 6 clearly demonstrate the importance of data in today's world of fully-automated trading strategies and systems.").
[15] Commissioner Luis A. Aguilar, Ere Misery Made Me Wise-The Need to Revisit the Regulatory Framework of the U.S. Treasury Market, Public Statement (July 14, 2015), available at http://www.sec.gov/news/statement/need-to-revisit--regulatory-framework-us-treasury-market.html.
[16] SEC Rule 613: Consolidated Audit Trail (CAT) Website, Summary of Consolidated Audit Trail Initiative, 2 (Aug. 6, 2014), available at http://catnmsplan.com/web/groups/catnms/@catnms/documents/appsupportdocs/p571933.pdf.
[17] SEC Rule 613: Consolidated Audit Trail (CAT) Website, Summary of Consolidated Audit Trail Initiative, p. 2 (Aug. 6, 2014), available at http://catnmsplan.com/web/groups/catnms/@catnms/documents/appsupportdocs/p571933.pdf. It will also handle 58 billion records of orders, executions, and quote life-cycles for equities and options on a daily basis, and its data footprint is estimated to grow to 21 petabytes within five years of operation. Id. The CAT, if implemented, will allow the Commission to track efficiently and accurately all trading activities throughout the U.S. securities markets. SEC Website, Rule 613 (Consolidated Audit Trail), available at http://www.sec.gov/divisions/marketreg/rule613-info.htm. But the CAT remains a work in progress. Since the CAT final rule was adopted on July 18, 2012, the Commission has granted two extensions. See Order Granting a Temporary Exemption Pursuant to Section 36(a)(1) of the Securities Exchange Act of 1934 from the Filing Deadline Specified in Rule 613(a)(1) of the Exchange Act, SEC Release No. 34-69060 (March 6, 2013), available at https://www.sec.gov/rules/exorders/2013/34-69060.pdf; Order Granting a Temporary Exemption Pursuant to Section 36(a)(1) of the Securities Exchange Act of 1934 from the Filing Deadline Specified in Rule 613(a)(1) of the Exchange Act, SEC Release No. 34-71018 (Dec. 6, 2013), available at https://www.sec.gov/rules/exorders/2013/34-71018.pdf; see generally, SEC Website, Rule 613 (Consolidated Audit Trail), available at http://www.sec.gov/divisions/marketreg/rule613-info.htm (last visited Mar. 14, 2015). The Consolidated Audit Trail is a necessary tool for the Commission to be effective in the 21st century because it needs to have ready access to timely, detailed, and accurate market information to oversee the capital markets.
[18] Shagun Bali, The Consolidated Audit Trail: Stitching Together the US Securities Markets, Tabb Forum (Mar. 4, 2015), available at http://tabbforum.com/opinions/the-consolidated-audit-trail-stitching-together-the-us-securities-markets. In addition, the Commission's Office of Analytics and Research in the Division of Trading and Markets has developed the Market Information Data Analytics System (MIDAS), which collects and analyzes market data obtained from exchanges to provide the Commission and the public an overview of the market structure, including trading speed, quote lifetimes, trade-to-order volume ratios, hidden volume ratios, and odd lot rates. MIDAS, however, is merely a precursor to the consolidated audit trail (CAT), which will be a much larger data collection effort. U.S. Securities and Exchange Commission, Agency Financial Report, 14, 18 (Fiscal Year 2014), available at http://www.sec.gov/about/secpar/secafr2014.pdf.
[19] U.S. Securities and Exchange Commission, Agency Financial Report, 13 (Fiscal Year 2014), available at http://www.sec.gov/about/secpar/secafr2014.pdf.
[20] Id. at 14.
[21] Id. at 36.
[22] U.S. Securities and Exchange Commission, Agency Financial Report, 36 (Fiscal Year 2014), available at http://www.sec.gov/about/secpar/secafr2014.pdf.
[23] U.S. Securities and Exchange Commission, Agency Financial Report, 36 (Fiscal Year 2014), available at http://www.sec.gov/about/secpar/secafr2014.pdf.
[24] Mark J. Flannery, Chief Economist and Director, Division of Economic and Risk Analysis, Insights into the SEC's Risk Assessment Programs (Feb. 25, 2015) (noting that the Office of Risk Assessment "administers two recently implemented programs" to help identify potential market misconduct, including the "Corporate Issuer Risk Assessment (CIRA) program" and the "Broker Dealer Risk Assessment program"), available at http://www.sec.gov/news/speech/insights-into-sec-risk-assessment-programs.html.
[25] U.S. Securities and Exchange Commission, Agency Financial Report, 153 (Fiscal Year 2014), available at http://www.sec.gov/about/secpar/secafr2014.pdf.
[26] Id.
[27] Id. at 50.
[28] Money market funds are required to submit this information monthly via Form N-MFP. See Money Market Fund Reform, SEC Release No. IC-29132 (Feb. 23, 2010), available at http://www.sec.gov/rules/final/2010/ic-29132.pdf.
[29] SEC Proposes Rules to Modernize and Enhance Information Reported by Investment Companies and Investment Advisers, Press Release No. 2015-95 (May 20, 2015), available at http://www.sec.gov/news/pressrelease/2015-95.html.
[30] Comment Letter from the Investment Company Institute regarding Investment Company Reporting Modernization and Amendments to Form ADV and Investment Adviser Act Rules, 6 (Aug. 11, 2015), available at https://www.sec.gov/comments/s7-08-15/s70815-315.pdf.
[31] Letter from James T. McHale, Managing Director and Associate General Counsel, Securities Industry and Financial Markets Association, to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 10 (Aug. 17, 2010) (commenting on the proposed consolidated audit trail and noting that "increased concerns about identity theft and client confidentiality have led the securities industry to move away from using social security identification numbers or taxpayer identification numbers as a way to monitor clients and customers. The SEC has affirmed that it would guard access to customer social security and taxpayer identification numbers with even more safeguards than it does other information in the central repository of the consolidated audit trail [but that] the very presence of potentially billions of unique customer identifiers tied to personal information in a central repository would create a substantial risk of misuse and identity theft"), available at http://www.sec.gov/comments/s7-11-10/s71110-63.pdf.
[32] Dan Munro, Assessing The Financial Impact of 4.5 Million Stolen Health Records, Forbes (Aug. 24, 2014), available at http://www.forbes.com/sites/danmunro/2014/08/24/assessing-the-financial-impact-of-4-5-million-stolen-health-records/.
[33] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, 8 (Sept. 30, 2014) (noting that sophisticated adversaries often target business partners of their true targets as a means of gaining a foothold in the target's interconnected computer systems), available at http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml. Of course, the Commission will not be the only entity with access to the CAT data repository. The Commission should also take steps to ensure that the exchanges and other entities with access to the repository implement robust cybersecurity protocols to safeguard this valuable information.
[34] James Cook, FBI Director: China Has Hacked Every Big US Company, Business Insider (Oct. 6, 2014), available at http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10.
[35] Frank Konkel, Is There Any Part of Government That Hasn't Been Hacked Yet?, Nextgov (Sept. 10, 2014) (recounting the testimony of Robert Anderson, the executive assistant director for the Federal Bureau of Investigation's Criminal, Cyber, Response and Services Branch), available at http://www.nextgov.com/cybersecurity/2014/09/there-any-part-government-hasnt-been-hacked-yet/93704/.
[36] Gregory C. Wilshusen, Director, Information Security Issues, Testimony before the Subcommittee on Research and Technology Oversight, Committee on Science, Space, and Technology, House of Representatives, 7 (July 8, 2015), available at http://www.gao.gov/assets/680/670935.pdf.
[37] Kenneth Corbin, SEC CIO leads efforts to move agency to the cloud, CIO (Aug. 21, 2015) (quoting the Commission's CIO, Pamela Dyson, as noting that the Commission "want[s] to strengthen [its] cybersecurity and continuous monitoring posturing . . . ."), available at http://www.cio.com/article/2974231/cloud-computing/sec-cio-leads-efforts-to-move-agency-to-the-cloud.html.
[38] U.S. Government Accountability Office, Financial Audit: Securities and Exchange Commission's Fiscal Years 2014 and 2013 Financial Statements, GAO-15-166R, 67 (Nov. 17, 2014) (noting that "[d]uring fiscal year 2014, SEC made progress in addressing other internal control deficiencies we reported in fiscal year 2013. Specifically, SEC sufficiently addressed the deficiencies in its information security such that we no longer consider the remaining control deficiencies in this area, individually or collectively, to represent a significant deficiency as of September 30, 2014."), available at http://www.gao.gov/assets/670/667324.pdf.
[39] U.S. Securities and Exchange Commission, Office of the Inspector General, Federal Information Security Management Act: Fiscal year 2014 Evaluation, i (Feb. 5, 2015), available at https://www.sec.gov/oig/reportspubs/oig-information-security-fy-2014-evaluation-report-529.pdf.
[40] U.S. Government Accountability Office, Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures, GAO-15-387R, 14-15 (Apr. 30, 2015) (finding "[w]eaknesses in information security controls, as identified, relate to the maintenance and monitoring of SEC configuration baseline standards and implementation of security configurations based on these standards in the areas of password settings and network services."), available at http://www.gao.gov/assets/670/669952.pdf.
[41] U.S. Securities and Exchange Commission, Office of the Inspector General, Federal Information Security Management Act: Fiscal year 2014 Evaluation, i (Feb. 5, 2015), available at https://www.sec.gov/oig/reportspubs/oig-information-security-fy-2014-evaluation-report-529.pdf.
[42] Dina ElBoghdady, Congress slashes SEC's funding for technology upgrades, The Washington Post (Jan. 16, 2014), available at https://www.washingtonpost.com/business/economy/congress-slashes-secs-funding-for-technology-upgrades/2014/01/16/15ffacaa-7ebc-11e3-9556-4a4bf7bcbd84_story.html.
[43] Id.
[44] Dunstan Prial, Congress Called Out for Cutting SEC Tech Funding, Fox Business (Jan. 17, 2014), available at http://www.foxbusiness.com/industries/2014/01/17/congress-called-out-for-cutting-sec-tech-funding/.
[45] Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency and the Framework is voluntary. Therefore, the Framework does not form the basis for any formal regulations or regulatory action. Nevertheless, the NIST has recently focused outreach efforts to government regulators to discuss how the framework can be used in collaboration with the Federal Information Security Management Act to bolster agencies' defenses. See NIST http://www.nist.gov/cyberframework/.
[46] Press Release, The Center for Internet Security and Council on CyberSecurity Launch a Nationwide Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption (Apr. 3, 2014), available at http://www.counciloncybersecurity.org/press/1-the-center-for-internet-security-and-council-on-cybersecurity-launch-a-nationwide-campaign-for-basic-cyber-hygiene-in-support-of-nist-framework-adoption/.
[47] The Center for Internet Security, Critical Security Controls for Effective Cyber Defense: Version 6.0 (Oct. 15, 2015), available at http://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015.
[48] Information Security, National Institute of Standards and Technology (Aug. 2008), available at http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf.
[49] Id. at 3; see also Ted Ritter, How Agencies Can Cut Through The 'Fog Of More' In Cybersecurity, Tech Insider (Apr. 14, 2014), available at http://www.nextgov.com/technology-news/tech-insider/2015/04/how-agencies-can-cut-through-fog-more-cybersecurity/110107/.
[50] Testimony of Dr. Andy Ozment, Assistant Secretary for Cybersecurity and Communications, U.S. Department of Homeland Security, before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, U.S. House of Representatives, 6 (June 24, 2015), available at http://docs.house.gov/meetings/HM/HM08/20150624/103698/HHRG-114-HM08-Wstate-OzmentA-20150624.pdf.
[51] Testimony of Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office, before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, U.S. House of Representatives, 21 (July 8, 2015), available at http://docs.house.gov/meetings/HM/HM08/20150624/103698/HHRG-114-HM08-Wstate-WilshusenG-20150624.pdf.
[52] Id.
[53] Ann M. Caresani, The Greatest Cybersecurity Risk Comes From Within (Sept. 1, 2015), available at http://www.law360.com/articles/697280/the-greatest-cybersecurity-risk-comes-from-within.
[54] 2015 Cyber Security Intelligence Index, IBM (July 2015), available at http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03073USEN&attachment=SEW03073USEN.PDF.
[55] David M. Upton and Sadie Creese, The Danger Within, Harvard Business Review (Sept. 2014), available at https://hbr.org/2014/09/the-danger-from-within.
[56] See, e.g., Chair Mary Jo White, Keynote Address at the Managed Fund Association: "Five Years On: Regulation of Private Fund Advisers After Dodd-Frank," (Oct. 16, 2015) (noting that cybersecurity is a "universal operational risk"), available at http://www.sec.gov/news/speech/white-regulation-of-private-fund-advisers-after-dodd-frank.html; Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014) (observing that cybercrime is a "global threat" and that "cyber threats are of extraordinary and long-term seriousness."), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468; Joe Panettieri, SEC's New CIO: Big Data Opportunities, Cybersecurity Challenges, Information Management (Feb. 17, 2015) (noting that "security will be top of mind for [the Commission's CIO] and the SEC."), available at http://www.information-management.com/news/information-strategy-leadership/SEC-CIO-Pamela-Dyson-Big-Data-Cybersecurity-10026575-1.html.
[57] For example, the Department of Homeland Security recently taught its employees an invaluable lesson by engaging in a mock spear-phishing campaign. DHS employees were sent a facially suspect email that offered free tickets to a professional football game if they merely clicked on a link. Employees who did so were told to go to a certain room to pick up the tickets, where they received training on proper cybersecurity practices. I believe the Commission should pursue equally inventive approaches to training, and utilize them on a regular basis. Remarks By Secretary Of Homeland Security Jeh C. Johnson at Cybercon 2015 (Nov. 19, 2015), available at https://www.dhs.gov/news/2015/11/19/remarks-secretary-homeland-security-jeh-c-johnson-cybercon-2015. Similarly, the Commission should consider incorporating simulated cyberattacks and other exercises into its training regimen to help its security personnel hone their defensive capabilities. See Symantec, 2015 Internet Security Threat Report, 102 (Apr. 2015) (observing that "[i]n the past year, there has been a growing number of probing and experimental attacks on a range of [internet connected] devices, as well as a few serious attacks."), available at http://know.symantec.com/LP=1123. By going beyond traditional penetration testing and engaging in cyber war games, the Commission will help its security personnel achieve a higher level of readiness. Id. Such training could be done by the Commission itself, or the Commission could seek to participate in exercises conducted by other federal agencies. See Damian Paletta, U.S. Agencies Conduct Cyberwar Games, The Wall Street Journal (July 5, 2016), available at http://www.wsj.com/articles/u-s-agencies-conduct-cyber-war-games-1436069213.
[58] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security® Survey 2015, 8 (Sept. 30, 2014) (noting that "sophisticated adversaries often target small and medium-size companies as a means to gain a foothold on the interconnected business ecosystems of larger organizations with which they partner."), available at http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml.
[59] As the U.S. Securities and Exchange Commission, Office of the Inspector General, Federal Information Security Management Act: Fiscal year 2014 Evaluation, i (Feb. 5, 2015), available at https://www.sec.gov/oig/reportspubs/oig-information-security-fy-2014-evaluation-report-529.pdf.
[60] ISACA Response to ACT-IAC Challenge 4 (Sept. 2015), available at https://actiaccyberinitiative.ideascale.com/a/dtd/Start-with-the-Crown-Jewels-Stop-Spreading-Peanut-Butter/134997-36810.
[61] Gregory C. Wilshusen, Director, Information Security Issues, Testimony before the Subcommittee on Research and Technology Oversight, Committee on Science, Space, and Technology, House of Representatives, 7 (July 8, 2015), available at http://www.gao.gov/assets/680/670935.pdf.
[62] ISACA Response to ACT-IAC Challenge 4 (Sept. 2015), available at https://actiaccyberinitiative.ideascale.com/a/dtd/Start-with-the-Crown-Jewels-Stop-Spreading-Peanut-Butter/134997-36810.
[63] See Responding to cyber threats in the new reality: A shift in paradigm is vital, Deloitte (2015) (noting that "[t]hroughout the past decade, most organisations' cyber security programs have focused on strengthening prevention capability," and that "[t]he belief that this is sufficient creates a misguided perception that adversaries will be successfully thwarted . . . ."), available at https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-thought-leadership-noexp.pdf; RSA President Amit Yoran Keynote Address at RSA Conference in Asia Pacific and Japan (July 22, 2015) (noting the cybersecurity industry's "irrational obsession with perimeter technologies"), available at https://www.emc.com/collateral/corporation/rsa-conference-asia-pacific-japan-ammit-yoran-keynote-2015.pdf; Testimony of Dominick (Dom) Delfino, Vice President World Wide Systems Engineering Networking and Security Business, VMware, Inc. Before the U.S. House of Representatives Committee on Armed Services Outside Perspectives on the Department of Defense Cyber Strategy (Sept. 29, 2015), available at http://docs.house.gov/meetings/AS/AS00/20150929/103985/HHRG-114-AS00-Wstate-DelfinoD-20150929.pdf; Jessica Zucker, Failure of Intrusion Detection Systems, Global Risk Advisors (June 15, 2015), available at http://globalriskadvisors.com/blog/#blog.
[64] Verizon, 2015 Data Breach Investigations Report, 10 (Apr. 13, 2015) (noting that "[v]arious forms of [anti-virus software], from gateway to host, are still alive and quarantining nasty stuff every day."), available at http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/.
[65] Last year, eBay, a sophisticated technology services company, suffered a breach that affected 145 million customers, while breaches at JP Morgan and Home Depot affected 82 million and 56 million customers, respectively. Ponemon Institute, LLC, 2014: A Year of Mega Breaches, 1 (Jan. 2015), available at http://www.ponemon.org/local/upload/file/2014%20The%20Year%20of%20the%20Mega%20Breach%20FINAL3.pdf; Symantec, 2014 Internet Security Threat Report, 7 (Apr. 2014) (dubbing 2013 "the Year of the Mega Breach"), available at http://www.itu.int/en/ITU-D/Cybersecurity/Documents/Symantec_annual_internet_threat_report_ITU2014.pdf.
[66] Cisco 2015 Midyear Security Report, 36, available at http://www.cisco.com/web/offers/pdfs/cisco-msr-2015.pdf. The vulnerabilities of perimeter defenses are further compounded by the fact that many organizations rely on security information and event management (SIEM) solutions to detect and respond to breaches by harvesting threat information from their intrusion detection and prevention systems, anti-virus platforms, and firewall logs. Yet, SIEM systems have proven notoriously difficult to implement properly, and have provided disappointing results in many cases. Oliver Rochford, Overcoming Common Causes for SIEM Deployment Failures, Gartner (Aug. 21, 2014); David Swift, Successful SIEM and Log Management Strategies for Audit and Compliance (Nov. 4, 2010) (noting that "[o]rganizations often spend a great deal of money on Log Management and Security Information and Event Management (SIEM), with disappointing results. Many organizations struggle with and most SIEM vendors fail to provide effective out of the box correlations. Then too, many organizations fail in their vision and process, considering SIEM just another tool to be dropped onto the network."), available at https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528. This, in turn, has led some experts to question whether SIEM systems—necessary though they may be—are providing a false sense of security. Responding to cyber threats in the new reality: A shift in paradigm is vital, Deloitte (2015), available at https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-thought-leadership-noexp.pdf.
[67] The CIS Critical Security Controls for Effective Cyber Defense (Version 6.0), Center for Internet Security, 46 (Oct. 15, 2015) (observing that, "[o]ver the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself."), available at https://www.cisecurity.org/critical-controls/download.cfm?f=CSC-MASTER-VER%206.0%20CIS%20Critical%20Security%20Controls%2010.15.2015; see also Jessica Zucker, Failure of Intrusion Detection Systems, Global Risk Advisors (June 15, 2015) (noting that intrusion prevention systems failed to prevent the OPM breach, and that "cybersecurity experts are saying that good cybersecurity practices are not just about protecting the system but also protecting the data."), available at http://globalriskadvisors.com/blog/#blog.
[68] Testimony of Dominick (Dom) Delfino, Vice President World Wide Systems Engineering Networking and Security Business, VMware, Inc. Before the U.S. House of Representatives Committee on Armed Services Outside Perspectives on the Department of Defense Cyber Strategy (Sept. 29, 2015), available at http://docs.house.gov/meetings/AS/AS00/20150929/103985/HHRG-114-AS00-Wstate-DelfinoD-20150929.pdf.
[69] In this regard, the Commission should implement processes that cultivate internal threat awareness. For example, the Commission should develop policies that enable its cybersecurity personnel to develop a rich understanding of how the staff utilizes the Commission's systems. Security personnel who are given the time and flexibility to familiarize themselves with how their organizations' systems operate under normal conditions should be able to identify anomalous or suspicious activity far more quickly, and thus mitigate the resulting damage. RSA President Amit Yoran Keynote Address at RSA Conference in Asia Pacific and Japan (July 22, 2015), available at https://www.emc.com/collateral/corporation/rsa-conference-asia-pacific-japan-ammit-yoran-keynote-2015.pdf. The need for such analytical acuity is becoming more vital, as cyber attackers are increasingly relying on stolen credentials to gain access to organizations' systems, and are proving more skillful at evading detection when doing so. Jeremy Kirk, Attacks using stolen credentials are on the rise, Computerworld (Jan. 22, 2015), available at http://www.computerworld.com/article/2874207/attacks-using-stolen-credentials-are-on-the-rise.html.
[70] Sean Lyngaas, Security experts: OPM breach shows Einstein isn't enough, FCW (June 5, 2015) (noting that "CDM, . . . focuses on metrics such as endpoint security and identity management," and that it "seems to give us the additional ability to see these bad actors on the networks, once they're already through the perimeter"), available at https://fcw.com/articles/2015/06/05/opm-einstein.aspx.
[71] Id.
[72] Jason Miller, The CDM quandary many agencies are facing, Federal News Radio (Aug. 24, 2015) (noting that federal agencies are faced with the dilemma of waiting for CDM to be implemented, or pursuing interim strategies and solutions), available at http://federalnewsradio.com/contractsawards/2015/08/cdm-quandary-many-agencies-facing/.
[73] RSA President Amit Yoran Keynote Address at RSA Conference in Asia Pacific and Japan (July 22, 2015) (noting the cybersecurity industry's "irrational obsession with perimeter technologies") (noting that "[w]ithin our networks, we need to know which systems are communicating with which, why, any related communications, their length, frequency & volume, and ultimately the content itself to determine what exactly is happening. These aren't nice-to-haves. They are fundamental core requirements for doing security today. If you don't have that level of visibility and agility in place, you're only pretending to do security."), available at https://www.emc.com/collateral/corporation/rsa-conference-asia-pacific-japan-ammit-yoran-keynote-2015.pdf.
[74] See Responding to cyber threats in the new reality: A shift in paradigm is vital, Deloitte (2015) (emphasizing the importance of supplementing internal threat intelligence from SIEM systems with intelligence from third-party service providers), available at https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-thought-leadership-noexp.pdf.
[75] Testimony of Daniel M. Gerstein, RAND Office of External Affairs, Before the U.S. House of Representatives Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (June 24, 2015), available at http://docs.house.gov/meetings/HM/HM08/20150624/103698/HHRG-114-HM08-Wstate-GersteinD-20150624.pdf; Jessica Zucker, Failure of Intrusion Detection Systems, Global Risk Advisors (June 15, 2015) (noting that "US entities still need a stronger emphasis on detecting and responding to intrusions, rather than focusing too heavily on cyber hygiene and CDM"), available at http://globalriskadvisors.com/blog/#blog.
[76] Testimony of Dominick (Dom) Delfino, Vice President World Wide Systems Engineering Networking and Security Business, VMware, Inc. Before the U.S. House of Representatives Committee on Armed Services Outside Perspectives on the Department of Defense Cyber Strategy (Sept. 29, 2015), available at http://docs.house.gov/meetings/AS/AS00/20150929/103985/HHRG-114-AS00-Wstate-DelfinoD-20150929.pdf; Testimony of Daniel M. Gerstein, RAND Office of External Affairs, Before the U.S. House of Representatives Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies (June 24, 2015), available at http://docs.house.gov/meetings/HM/HM08/20150624/103698/HHRG-114-HM08-Wstate-GersteinD-20150624.pdf. Such strategies would strictly enforce access controls and automatically log and inspect all traffic, both internal and external. Testimony of Dominick (Dom) Delfino, Vice President World Wide Systems Engineering Networking and Security Business, VMware, Inc. Before the U.S. House of Representatives Committee on Armed Services Outside Perspectives on the Department of Defense Cyber Strategy (Sept. 29, 2015), available at http://docs.house.gov/meetings/AS/AS00/20150929/103985/HHRG-114-AS00-Wstate-DelfinoD-20150929.pdf. According to some experts, these systems can be automated and implemented without negatively impacting user response time on the network. Id.
[77] This separate system would not itself be connected to the Internet, but would receive data from a separate system that is linked to the web. The two systems would be linked only while data is being transferred to the in-house system, and data would be erased from the web-connected system once it has been successfully transferred. And, of course, access to the most sensitive data should be limited to only those employees who actually need it and have been vetted via an appropriate background investigation. Such protocols represent a significant investment of time and resources, but given the immense value of the information at issue and the tremendous harm that could result if it were stolen, the Commission must consider all reasonable measures likely to be effective.
[78] Jason Hart, The government's costly cybersecurity midlife crisis, Federal Times (Oct. 1, 2015), available at http://www.federaltimes.com/story/government/solutions-ideas/2015/10/01/governments-costly-cybersecurity-midlife-crisis/73141066/; Sean Lyngaas, Security experts: OPM breach shows Einstein isn't enough, FCW (June 5, 2015) (quoting John Cohen, former acting undersecretary for intelligence and analysis at DHS: "If information contained within government and private-sector systems is encrypted, then the harm caused by cyberattacks such as [the OPM breach] would be minimal"), available at https://fcw.com/articles/2015/06/05/opm-einstein.aspx. For such a strategy to be successful, however, it would need to be applied assiduously. Thus, data would need to be encrypted whenever it is in motion, even when being transmitted between the Commission's offices around the country. See Jason Hart, The government's costly cybersecurity midlife crisis, Federal Times (Oct. 1, 2015), available at http://www.federaltimes.com/story/government/solutions-ideas/2015/10/01/governments-costly-cybersecurity-midlife-crisis/73141066/. Furthermore, an encryption strategy would not be successful unless the Commission develops a workable platform for securing and managing its encryption keys. Id.
[79] Michael Chertoff and Toby Simon, The Impact of the Dark Web on Internet Governance and Cyber Security, Global Commission on Internet Governance (Feb. 2015) (noting that the dark web is "the portion of the deep Web that has been intentionally hidden and is inaccessible through standard Web Browsers."), available at https://www.cigionline.org/sites/default/files/gcig_paper_no6.pdf. Dark web reconnaissance need not be limited to general threat surveillance. Instead, it could take many forms, such as identifying stolen security credentials of Commission employees or contractors. Dark web monitoring could also include surveilling forums frequented by notorious individuals, identifying botnet activity, and uncovering newly identified software vulnerabilities, which may require software to be updated. Experts note that "due to its intricate webbing and design, monitoring the dark Web will continue to pose significant challenges." That is undoubtedly true, but such monitoring should nevertheless be a cornerstone of the Commission's cybersecurity defenses.
[80] Id. A botnet, which is short for "roBOT NETwork," is "a large number of compromised computers that are used to generate spam, relay viruses or flood a network or Web server with excessive requests to cause it to fail (see denial of service attack). The computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet. There is a thriving botnet business selling lists of compromised computers to hackers and spammers." PC Magazine Encyclopedia (Nov. 30, 2015, 9:15 AM), http://www.pcmag.com/encyclopedia/term/38866/botnet.
[81] Id.
[82] David Hamilton, Organization Calls for the Development of Tools to Monitor the Dark Web, WHIR (Feb. 18, 2015), available at http://www.thewhir.com/web-hosting-news/organization-calls-development-tools-monitor-dark-web.
[83] FireEye, Cybersecurity Strategies for Small to Medium-Sized Businesses, 3 (2014), available at https://www2.fireeye.com/WEB2013WPCybersecurityStrategiesforSMB_closing-critical-security-gaps.html. An attack vector is "[t]he approach used to assault a computer system or network. A fancy way of saying 'method or type of attack,' the term may refer to a variety of vulnerabilities. For example, an operating system or Web browser may have a flaw that is exploited by a Web site. Human shortcomings are also used to engineer attack vectors. For example, a novice user may open an e-mail attachment that contains a virus, and most everyone can be persuaded at least once in their [sic] life to reveal a password for some seemingly relevant reason." PC Magazine Encyclopedia (Nov. 30, 2015, 10:05 AM), http://www.pcmag.com/encyclopedia/term/57711/attack-vector.
[84] Live testing and careful comparisons of performance characteristics are helpful in selecting the best cybersecurity products and services, but they can be expensive, and are ultimately constrained by the methodologies that are used to conduct the testing. The Commission should consider whether other approaches could help identify the products that are most likely to meet the Commission's needs, both now and in the future. For example, the Commission could consider evaluating products or services against a defined set of functional security controls, such as the Center for Internet Security's recently updated Critical Security Controls for Effective Cyber Defense. This less costly approach could serve as a threshold for evaluating new security products or services, such that further testing would be pursued only if this initial assessment suggests it is warranted. Ted Ritter, How Agencies Cut Through the Fog of More in Cybersecurity, Tech Insider (Apr. 14, 2015), available at http://www.nextgov.com/technology-news/tech-insider/2015/04/how-agencies-can-cut-through-fog-more-cybersecurity/110107/.
[85] Cisco 2015 Midyear Security Report, 33, available at http://www.cisco.com/web/offers/pdfs/cisco-msr-2015.pdf.
[86] Id.
[87] Commissioner Luis A. Aguilar, A Threefold Cord: Working Together to Meet the Pervasive Challenge of Cyber-Crime, SINET Innovation Summit (June 25, 2015), available at http://www.sec.gov/news/speech/threefold-cord-challenge-of-cyber-crime.html.