Cybersecurity leaders urge Congress to enact legislation that would protect senior citizens from online fraudsters, educate American citizens about cyber vulnerabilities, and provide robust mechanisms to keep the financial sector safe.
Today the House Subcommittee on National Security, International Development, and Monetary Policy held a virtual hearing called “Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic.”
Witnesses warned Congress about the recent surge in COVID-19-related cyberattacks against private American citizens, government, and businesses while providing potential solutions to keep fraudsters at bay in the financial sector and beyond.
“America is grappling with a cyber insurgency and our financial sector is the number one target” — Tom Kellermann
In his opening testimony, Tom Kellermann, head of cybersecurity strategy for VMware, said that cyber criminals are taking advantage of the COVID-19 pandemic at an alarming rate, with the financial sector being the hardest hit.
“America is grappling with a cyber insurgency and our financial sector is the number one target,” Kellermann testified.
“During the first five months of 2020 alone, cyberattacks against the financial sector have increased by 238 percent, according to VMware Carbon Black data. Cyber criminals are capitalizing on COVID-19, and they are doing so in tandem with the news cycle.”
In his written testimony Kellermann added, “In 2020, cyber crime conspiracies will become increasingly punitive and destructive. As the use of virtual currencies and financial systems continues to increase and innovate, so too does global crime.”
Here we present the cybersecurity problems that the House subcommittee laid out, showing how cyber criminals are exploiting victims and who’s being targeted, along with witness testimony about the potential solutions.
The following is a condensed summary that combines both written and oral testimonies.
According to a House Memorandum filed June 11, 2020 that preceded today’s hearing:
- The number of cybersecurity complaints to the FBI’s Internet Crime Complaint Center (IC3) in the last four months has spiked from 1,000 daily before the pandemic to as many as 4,000 incidents in a day.
- 80% of surveyed banks report a year-on-year increase in cyberattacks, with attacks against the sector surging 238% during the COVID-19 crisis (February – April 2020).
- These cyber vulnerabilities are exacerbated by the unusually large numbers of employees in the United States working remotely.
- The technology to support remote work – such as Virtual Private Networks, DNS routers, cloud deployments, and videoconferencing platforms – has the potential to introduce new points of exploitable weakness for opportunistic cyber criminals.
- Cyber criminals are utilizing traditional attack strategies, and modifying or increasing them to exploit the unique challenges and anxieties posed by the current COVID-19 pandemic.
How cyber criminals are exploiting victims during the COVID-19 pandemic
- Malware, software intended to gain access or cause damage to a computer or network, often while the victim remains oblivious to the fact there’s been a compromise.
- Ransomware, software designed to deny access to a computer system or data until a ransom is paid.
- Man-in-the-Middle Attacks, cyber eavesdropping on conversations between two parties and intercepting data through a compromised but trusted system.
- Phishing, the use of email or text messages designed to trick the victim into giving personal information that allows the criminal to steal passwords, account numbers, Social Security numbers, and access to email, bank, or other accounts.
- Business Email Compromise (BEC), the use of social engineering to craft email messages that appear to come from known sources making legitimate requests such as a money transfer or access to a computer network.
- Cyber-supported Fraud Schemes, scams such as benefits fraud, charities fraud, and crowdfunding scams, which leverage email and identification (ID) issues and are often typical during disasters.
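The attack categories above are given only as definitions. As an added illustration from the defender's side (not code from the hearing, the House memorandum, or any witness), the following Python script scores a parsed email for a few BEC and phishing indicators that follow directly from those definitions: a Reply-To domain that differs from the From domain, a sender domain that is a near-match of a known domain, a display name that impersonates a known person, and pandemic- or payment-themed lure phrases. The known-domain allowlist, the name directory, the phrase list, the scoring weights, and the two sample messages are all constructed for this example and are not taken from the page.

```python
"""Heuristic screening of an email for phishing / BEC indicators.

Added example; every list, weight and sample below is constructed for
illustration and is not drawn from the hearing or its witnesses.
"""
from __future__ import annotations

import re
from email.utils import parseaddr

# Constructed allowlist: domains the receiving organisation treats as known senders.
KNOWN_DOMAINS = {"example-bank.com", "vendor-example.com"}

# Constructed directory: people whose display names an attacker might impersonate,
# mapped to the domain their real mail comes from.
KNOWN_PEOPLE = {"Jane Doe": "example-bank.com"}

# Constructed lure phrases typical of payment-diversion BEC and pandemic-themed phishing.
LURE_PATTERNS = [
    r"\bwire transfer\b",
    r"\bupdated? (bank|account) details\b",
    r"\burgent\b",
    r"\bcovid[- ]?19\b",
    r"\bstimulus\b",
    r"\brelief (fund|payment)\b",
    r"\bverify your account\b",
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address ('' if none present)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set[str]) -> str | None:
    """Return the known domain that `domain` imitates (distance <= 2), else None."""
    if not domain or domain in known:
        return None
    for k in known:
        if _edit_distance(domain, k) <= 2:
            return k
    return None


def score_message(headers: dict, body: str) -> dict:
    """Score one message; header indicators weigh 2 points, each lure phrase 1."""
    header_indicators = []
    display_name, _ = parseaddr(headers.get("From", ""))
    from_dom = _domain(headers.get("From", ""))
    reply_dom = _domain(headers.get("Reply-To", ""))

    # Reply-To steering answers to a domain other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        header_indicators.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    # Sender domain is a near-match of a domain the organisation trusts.
    target = lookalike_of(from_dom, KNOWN_DOMAINS)
    if target:
        header_indicators.append(f"sender domain {from_dom} resembles {target}")
    # Display name of a known person, but mail did not come from their domain.
    expected = KNOWN_PEOPLE.get(display_name)
    if expected and from_dom != expected:
        header_indicators.append(f"display name '{display_name}' not from {expected}")

    lure_phrases = [p for p in LURE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    score = 2 * len(header_indicators) + len(lure_phrases)
    verdict = "suspicious" if header_indicators or score >= 3 else "clean"
    return {"score": score, "header_indicators": header_indicators,
            "lure_phrases": lure_phrases, "verdict": verdict}


# Constructed sample messages (not real mail).
BEC_SAMPLE = {
    "headers": {"From": "Jane Doe <jane.doe@examp1e-bank.com>",
                "Reply-To": "payments@mail-example.net"},
    "body": ("Urgent: please process the wire transfer to our updated bank "
             "details before the COVID-19 relief fund closes."),
}
BENIGN_SAMPLE = {
    "headers": {"From": "Accounts Payable <ap@vendor-example.com>"},
    "body": "Attached is the invoice for May. Payment terms are net 30 as usual.",
}

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample["headers"], sample["body"]))
```

The checks are deliberately cheap header-and-text heuristics of the kind a mail gateway or SOC triage script applies before any link or attachment analysis; in practice they would sit alongside SPF/DKIM/DMARC results rather than replace them.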
Who cyber criminals are exploiting
Cyber criminals are targeting every aspect of the financial system, including:
- Government: Government relief funding provided during the crisis has been one target for exploitation.
- Financial Institutions: One important shift in such attacks is a move from ‘heists’ (where opportunistic criminals seek to steal data and money before exiting an environment) to ‘hostage situations’ (where cyber criminals aim to remain persistent on a financial institution’s network for the long term).
- Third-party partners and vendors: Bad actors are also targeting third-party partners and vendors to financial institutions.
- Businesses: Business Email Compromise (BEC), which is already the most profitable form of cybercrime, has proliferated during the crisis, especially towards organizations with a role in mitigating the effects of the pandemic.
- Individuals: In the wake of the COVID-19 pandemic, cybercriminals have modified traditional scams targeting individuals to emphasize COVID-19 issues and fears, to steal funds and personally identifiable information or gain access to an employer’s network. Often, these efforts are aimed at the most vulnerable, such as senior citizens, lower-income communities, and those suffering the effects of the pandemic.
“As many as one out of every five citizens over the age of 65 has been victimized by financial fraud” — Amanda Senn
In her written testimony, Amanda Senn, Chief Deputy Director of the Alabama Securities Commission and the Cybersecurity Committee Chair of North American Securities Administrators Association (NASAA), expressed NASAA’s support for two drafts of legislation.
- The Senior Investor Pandemic and Fraud Protection Act
- As many as one out of every five citizens over the age of 65 has been victimized by financial fraud.
- The estimated losses of older adults due to exploitation ranges from $2.9 billion to $36.5 billion annually.
- Congress should assist state regulators in securing resources to combat financial exploitation against those most vulnerable in this crisis.
- The COVID-19 Restitution Assistance Fund for Victims of Securities Violations Act
- The Act would create a fund at the Securities and Exchange Commission to provide restitution payments for individuals in connection with securities fraud related to coronavirus if they do not otherwise receive full payment of restitution.
- NASAA wholeheartedly shares Congress’s interest in the potential establishment of a nationwide investor restitution fund to help victims of investment fraud recover a portion of what they lost when full restitution is not possible.
“Move the Secret Service to the Treasury Department” — Jamil Jaffer
- Move the Secret Service to the Treasury Department and provide it with additional investigative authorities and resources
- It is likewise important that the Committee strongly consider providing additional resources to the US Secret Service to investigate and directly address the very real cyber threats to financial institutions identified in this testimony, and also consider appropriate modifications to the U.S. Secret Service’s investigative authorities to support its work in this area.
- Create an operational capability at the Treasury Department to work with industry to address cyber threats
- Such a capability, if provided by the Committee, would allow Treasury to collaborate directly with the financial sector on active threats and to tip national security organizations to intelligence needs of industry as well as the behaviors of potential threat actors being seen across the industry.
- Implement a true collective defense framework for the US financial sector and government and support the creation of a joint collaborative environment
- The Committee should consider supporting this effort and working to provide full funding for the creation and standup of this environment, as well as appropriately resourcing the Treasury Department to play a central role in this environment alongside the financial sector.
- Launch efforts with key allies to strengthen international threat sharing, response and deterrence capabilities
- The United States should work closely with allies in Europe, and specifically NATO allies, to strengthen its deterrence capability when it comes to common threat actors, like China, Russia, Iran, and North Korea.
“Partnerships are our biggest assets” — Kevin Coleman
- Partnerships are our biggest assets: While products and processes are important, I believe we need to focus even more on encouraging and supporting partnerships.
- The private sector is incredibly important in this fight.
- The federal government plays an equally important role in cybersecurity and educational awareness.
- Congress should consider making game changing investments into cybersecurity awareness and education — investments that can benefit the American people as well as the small and medium-sized business community.
- Americans must be equipped with the knowledge to protect themselves, their families, and their communities.
- Congress can and should play an important role in making sure Americans understand the many dangers of inadequately securing their systems, devices, and information.
You can read Coleman’s full written testimony here.
“During the first five months of 2020 alone, cyberattacks against the financial sector have increased by 238 percent” — Tom Kellermann
Kellermann highlighted six opportunities for legislative action:
- Anti-money laundering and forfeiture regulations must be modernized to seize the virtual currencies and digital payments which are used in the cybercrime conspiracies.
- Urge the Senate to pass the COUNTER Act (HR 2514) — this important piece of legislation would empower the US Treasury Department to protect our national security and safeguard our financial systems by codifying an information-sharing program between law enforcement, financial institutions, and the Treasury Department, enabling the detection and capture of illegal activity.
- Charge the Financial Stability Oversight Council (FSOC), chaired by the Department of Treasury, with the responsibility to create a framework for regulating cryptocurrencies and developing guidelines for strong protections against money laundering and cybersecurity threats to those marketplaces.
- Chief Information Security Officers (CISOs) should be elevated to directly report to the CEO of financial institutions.
- Establish a tax credit, administered by the IRS, for financial sector companies that dedicate at least 10 percent of their IT budgets to cybersecurity. These companies should also be incentivized to comply with the NIST Cybersecurity Framework, which could be validated by a third party.
- Support the House passage of S. 3636, the US Secret Service Mission Improvement and Realignment Act of 2020. This bill moves the Secret Service back to its original home at the Department of Treasury. The Secret Service is best known primarily for protection; however, it also performs financial, counterfeit currency, and cyber crime investigations.
All in all, the witnesses recommended that more partnerships, education, and investment in cybersecurity and awareness were needed, and that transferring the Secret Service to the Treasury Department, along with legislation to protect those most vulnerable to cyberattacks, were ways to move forward in the fight against fraud, which has increased dramatically since the COVID-19 outbreak.