Wall Street's biggest trade group has proposed a government-industry cyber war council to stave off attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.
The proposal by the Securities Industry and Financial Market Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight US agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.
The trade association also reveals in the document that Sifma has retained former NSA director Keith Alexander to "facilitate" the joint effort with the government. Alexander, in turn, has brought in Michael Chertoff, the former Secretary of Homeland Security, and his firm, Chertoff Group.
The document sketches an unusually frank and pessimistic view by the industry of its readiness for attacks wielded by nation-states or terrorist groups that aim to "destroy data and machines." It says the concerns are "compounded by the dependence of financial institutions on the electric grid," which is also vulnerable to physical and cyber attack.
"The systemic consequences could well be devastating for the economy as the resulting loss of confidence in the security of individual and corporate savings and assets could trigger widespread runs on financial institutions that likely would extend well beyond the directly impacted banks, securities firms and asset managers," Sifma wrote in the document, dated June 27.
Liz Pierce, a spokesman for Sifma, declined to comment on the document, adding that the group "is doing everything possible to help the industry prepare for and defend against cyberattacks." Caitlin Hayden, spokeswoman for the White House National Security Council, declined to comment.
Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity, for as much as $1 million per month, according to two people briefed on the talks.
He has made much the same argument to Sifma as the association is now making to the government about the emergence of new, more destructive software assaults. For several months beginning in fall 2012, major US bank websites were hit by what are known as distributed denial-of-service attacks, in which hackers flood systems with information to shut them down.
The next wave of attacks "in the near-medium term" is likely to be more destructive and could result in "account balances and books and records being converted to zeros," while recovering the lost information "would be difficult and slow," according to the Sifma document.
"We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks," the document says.
While noting that coordination between industry and government on cyber threats has improved in recent years, Sifma says a joint council would produce a more focused response.
The government-industry group would develop plans for "much quicker, near real-time" dissemination of information from agencies to the private sector and ways to "actively defend the industry" if preparations for a cyber attack are discovered in advance. Sifma is also seeking "pre-discussed and mutually understood protocols" for the industry to request government help during and after an attack.
In addition, Sifma wants greater protection for the US electricity grid, which it says is "vulnerable to physical destruction of transformers and other equipment in a small number of undefended substations."
"The core problem is that if transformers and critical equipment were destroyed at these sites, it could take months to build the replacement equipment," Sifma wrote.
The Senate Intelligence Committee plans today to take up a bipartisan bill - sponsored by Senators Dianne Feinstein, a California Democrat, and Saxby Chambliss, a Georgia Republican - aimed at improving private-sector self-defence. The bill includes rules insulating banks from liability arising from sharing of information for cybersecurity, addressing a point financial institutions have raised in the past.