Financial Firms Turn to Ex-Military Talent for More Aggressive Cybersecurity

Earlier this week, firms including JPMorgan Chase & Co., Morgan Stanley and Wells Fargo & Company sent a letter to congressional leaders, urging them to pass cyber threat-sharing legislation. But that’s not all financial firms want from the federal government—they also want its cyber talent.

Specialists with cyber warfare on their resume are in high demand in the private sector as cyber defense efforts move away from traditional, passive forms of protection to a more aggressive approach.

“The traditional secure approaches in terms of prevention and keeping attacks at the perimeters is not working well,” said Jen Weedon, manager of threat intelligence at FireEye Inc., a network security company headquartered in Milpitas, Calif.

Since its inception, cybersecurity has been a preventive pursuit. Firms aimed to build stronger firewalls or more sophisticated encryption protocols to protect sensitive data from would-be attackers. The strategy was almost medieval: pull up the drawbridge, hunker down behind high walls, and hope the marauders look elsewhere for easier prey.

That approach is proving unable to defend against increasingly sophisticated cyber attacks.

In the last several months alone, data breaches at companies such as JPMorgan Chase & Co. and Morgan Stanley have made it clear that cybersecurity remains a critical issue for the U.S. financial sector.

“Preventative controls are failing…on an almost regular basis,” according to a 2013 paper published by the SANS Institute, a cyber research group.

A new method of cybersecurity, known to many in the industry as “active defense,” emphasizes identifying specific data threats facing an organization and then trying to deceive or engage with hackers who are attempting a breach inside a company’s network.

“Let’s say you’ve identified what your major risk factors are,” Weedon said in an interview. “Then you can identify what threat actors are the most likely to pursue those risks. Then you figure out how they behave and look for ways to defend yourself against those mechanisms.”

Stephen P. Corcoran, director of cyber security at Telos Corp., explained further.

“Traditional security professionals are manning walls or static defenses while Active Defenders are beyond the wall developing critical indicators and intervention strategies,” Corcoran, who served for 28 years in the U.S. Marine Corps as an information technology specialist, said in an email. Telos is an IT consulting firm based in Ashburn, Va., that works with the federal government as a contractor.

A recent Deloitte cybersecurity research paper offers an example of what active defense can look like.

An increasingly common form of cyber threat is a distributed denial-of-service (DDos) attack, which attempts to “disable the function of a targeted system or device by flooding it with communication requests,” the 2014 report said. While DDoS attacks come in a multitude of strains, if a firm can identify what strand it is likely to face it can exploit weaknesses that have been identified within the attack protocol to thwart the attack altogether.

At the heart of the active defense approach is a fusing of counter-intelligence theory with traditional cyber operations. This intelligence-focused behavior is imported from the world of the National Security Agency and the Department of Defense, which is why former employees at these and other government security apparatuses are so popular in the private sector.

Lance James, head of cyber intelligence at Deloitte & Touche LLP, says former intelligence professionals are particularly adept at contemplating multiple theories at once.

“The advantage of professionals that come from the intelligence community is their familiarity with ‘ACH’ – the analysis of competing hypothesis – a method for reducing cognitive bias,” James said in an email.

Deloitte provides consulting for financial services and cybersecurity to clients around the world.

Because so much of this particular brand of expertise is developed within the military and intelligence communities, there is a limited pool of technicians available for hire in the private sector. This poses problems for commercial firms, mainly because it drives up costs. Private sector salaries can be at least twice as much as those offered by the federal government, according to industry analysts.

That’s an issue for smaller financial services firms that can’t afford to spend the kind of money available to Wall Street banks. In October, JPMorgan Chief Executive Officer Jamie Dimon said his firm would double its existing $250 million annual cyber defense budget over the next five years.

So they seek protection behind the walls of others.

“Community banks don’t have the resources that major banks have,” Lilly Thomas, vice president and senior regulatory counsel at the Independent Community Bankers of America, said in an interview. “So what they do is work with their third-party core processors”

To minimize costs, smaller banks often contract out cyber protection services, as well as other bank operations, so they don’t have to spend as much on internal security procedures, said Thomas, whose organization represents the interests of more than 6,500 community banks.

“Cost plays a large role in defense techniques for regional or smaller financial institutions,” Steve Horvath, vice president of strategy and vision at Telos, said in an email. He said that’s “why we see so many relying on the security provided by infrastructure service providers, like Amazon Web Services.”

Financial services groups are advocating for measures that would expand the pool of qualified cyber professionals.

In a Wall Street Journal opinion piece last week, Tim Pawlenty, head of the Financial Services Roundtable, said CEOs should call on Congress to take action on a range of cyber issues, including cyber research and development funding and “cyberdefense talent education.” The Financial Services Roundtable represents companies such as Citigroup Inc. and Wells Fargo & Co.

During the 113th Congress, lawmakers in both chambers introduced legislation that would have committed resources to further developing cyber expertise. However, only one bill, H.R. 3696, ever made it to the floor for a vote. The House passed that measure by voice vote.

In January, Rep. Sheila Jackson Lee (D-Texas) introduced H.R. 53, which would establish an Office of Cybersecurity Education and Awareness within the Department of Homeland Security. No action has been taken on the bill.

“There are very few that truly understand how to build a untainted commercial cyber defense initiative,” said Deloitte’s James. “The agendas in the private sector are not the same as the public sector.

And even though counter-intelligence or military experience provides an important component to a cyber defense team, experts say that financial firms cannot rely exclusively on such employees. This is partly because some former military personnel can have difficulty adapting to the private sector.

“For some military personnel, it is difficult to shift from a mindset of mission risk to one of business risk,” said Corcoran.

Other experts expressed concerns that ex-military employees sometimes are primed to assume an attack is part of a larger, geo-political threat when that may not be the case. Corcoran, who again is former military, was the only expert contacted who was willing to speak on the record about these concerns.

But when the transition to the commercial sector is successful, it can make for a powerful combination with the insights and expertise offered by civilian employees.

“When you combine Information Security professionals or ‘White Hat Hackers’ in the mix and pair them up with experts in the tradecraft of classical intelligence,” said James, “it is an unprecedented collaborative weapon against the adversaries we face, now and in the future.”

Overall, though, cyber experts warn that expensive technology and talent is less important than a well-coordinated cyber operation and a proper understanding of the threat-environment a firm faces.

“Technology in and of itself will not prevail in a contested environment,” said Corcoran. “Unless the problem of cybersecurity is understood as the interrelationship between cyber networks, human networks and physical networks and the intersection of an adversary’s intent or goal, we will be constantly responding to events rather than shaping them.”

Morgan Stanley, Capitol One, Wells Fargo & Co., and Bank of America Corp. did not respond to requests for comment. JPMorgan, Citigroup Inc., and BNY Mellon Corp. declined to comment for this story.

“Financial firms, for good reason, tend to hold their cyber defense plans rather tightly,” said Horvath.

CORRECTION: An earlier version of this article misstated Lance James’s title. He is the head of cyber intelligence at Deloitte & Touche LLP.