FinCyber Year-in-Review

Dear Colleague,

Carnegie’s FinCyber project, focused on cybersecurity in the context of the financial system, expanded considerably in 2020. We are pleased to provide an overview of our upcoming projects and a summary of our major accomplishments last year in this special edition of our newsletter:

INTERNATIONAL STRATEGY TO PROTECT THE FINANCIAL SYSTEM FROM CYBER THREATS

Our major achievement last year was the release of our International Strategy to Better Protect the Global Financial System from Cyber Threats, developed in partnership with the World Economic Forum. The strategy’s recommendations were developed over 18 months in consultation with 200+ stakeholders and with strategic input from an advisory group comprised of senior representatives from governments, central banks, and industry. (Read the Wall Street Journal’s profile of the strategy here.) We will now focus on further advancing the implementation of the recommendations.

In November, we hosted two high-level events on the strategy featuring Andrew Bailey, Governor of the Bank of England, U.S. Congressman Jim Langevin, Amb. Boris Ruge, the Vice-Chairman of the Munich Security Conference, Vincent Loy, Assistant Managing Director of the Monetary Authority of Singapore, Amb. Tobias Feakin, Australian Ambassador for Cyber Affairs and Critical Technology, and leading industry voices including Jen Easterly, Global Head of the Fusion Resilience Center, Morgan Stanley, Jason Witty, Global CISO, JPMorgan Chase, Ramy Houssaini, Global Chief Cyber & Technology Risk Officer, BNP Paribas, and Valerie Abend, Managing Director, Accenture. (Recordings of the launch events are available here and here.)

HIGH-LEVEL EVENTS: DAVOS + MUNICH SECURITY CONFERENCE

In January 2020, Bill Burns, president of the Carnegie Endowment, presented the FinCyber strategy project at the World Economic Forum Annual Meeting in Davos-Klosters to a group of CEOs of financial institutions and central bank governors. In February, Tim Maurer hosted a cyber war game at the Munich Security Conference simulating an Iranian cyber attack against the financial sector together with CrowdStrike’s Dmitri Alperovitch and SAIS’s Thomas Rid—one participant, Thorsten Benner, proclaimed it “the most fun part of [the] official MSC2020 program – and scary in terms of this being realistic & being unprepared.” In 2021, Carnegie hopes to host similar convenings to facilitate further action to address these growing risks.

NEW WORKSTREAM ON FINANCIAL INCLUSION AND CYBERSECURITY

We launched a new workstream dedicated to cybersecurity and financial inclusion, with generous support from the Bill and Melinda Gates Foundation. On December 10, we hosted the FinCyber Conference on Financial Inclusion and Cybersecurity together with the IMF, the World Bank, and the World Economic Forum. With keynote remarks from Her Majesty Queen Máxima of the Netherlands in her role as the UN Secretary General’s Special Advocate for Financial Inclusion, Kristalina Georgieva, Managing Director of the IMF, and Magda Bianco, Senior Economist at the Bank of Italy and incoming chair of the G20’s Global Partnership on Financial Inclusion, the event brought together over 200 stakeholders from around world. (The remarks can be found here, here, and here, respectively.) Carnegie is now building on the momentum coming out of the conference to host quarterly calls with this community to facilitate coordination and to plan for a second conference to take place in India in December 2021.

UPDATED CAPACITY-BUILDING TOOL BOX, INCLUDES NEW GUIDES IN 10 LANGUAGES

In December 2020, Carnegie released an updated version of our Cyber Resilience Capacity-building Tool Box, adding new guides on ransomware and workforce development and making it freely available in ten languages (English, Arabic, Dutch, French, Portuguese, Russian, Spanish, Mandarin, Japanese, and Hindi). Our official partners now include the World Bank and the Independent Community Bankers of America in addition to our original partners, the IMF, SWIFT and the SWIFT Institute, FS-ISAC, Standard Chartered, the Cyber Readiness Institute and the Global Cyber Alliance.

NEW RESEARCH ON EMERGING TECHNOLOGIES: DEEPFAKES AND QUANTUM

In February 2020, we hosted a roundtable focusing on emerging technologies with members of the G7 finance track Cyber Experts Group, representatives from the national security community, and industry experts. The group explored the medium-term impact of quantum computing and deepfakes. Insights from the workshop informed our research paper, released in July, assessing threats posed by deepfakes and other synthetic media. This year, we plan to focus on further exploring the implications of quantum computing.

U.S. CYBERSPACE SOLARIUM COMMISSION

In March 2020, the Congressionally mandated U.S. Cyberspace Solarium Commission issued its report including its recommendation, “the U.S. government […] should: Take a sector-by-sector approach to norms implementation: Prioritize norms against malicious cyber activity targeting elements of critical infrastructure that underpin shared global stability, such as the financial services sector, [emphasis added] building on the existing norm against attacking critical infrastructure.”

WORKFORCE WORKING GROUP

In April 2020, in recognition of the massive shortage of cybersecurity talent worldwide, we convened the FinCyber Working Group on Cybersecurity Workforce comprised of a dozen major financial institutions and a select group of experts. The working group convenes regularly to analyze existing workforce development models and identify best practices for addressing workforce shortages across the financial sector. The working group’s findings will be released early this year.

UPDATED TIMELINE (NOW WITH MAP!)

We revamped our timeline of cyber incidents in association with BAE Systems, which now chronicles 200+ cyber incidents targeting financial institutions since 2007. We added new features including an interactive map and filters that allow users to sort incidents by country, region, year, attribution, incident type, and actor type.

International Strategy to Better Protect the Financial System Against Cyber Threats, by Tim Maurer and Arthur Nelson, November 2020, Carnegie Endowment for International Peace.

“Enduring Cyber Threats and Emerging Challenges to the Financial Sector,” by Adrian Nish, Saher Naumaan, and James Muir, November 2020, “Cybersecurity and the Financial System” Working Paper Series, Carnegie Endowment for International Peace.

“Making finance cybersecure to ensure an inclusive recovery,” by Tim Maurer, Arthur Nelson and Sean Doyle, November 2020, World Economic Forum.

“Deepfakes and Synthetic Media in the Financial System: Assessing Threat Scenarios,” by Jon Bateman, July 2020, “Cybersecurity and the Financial System” Working Paper Series, Carnegie Endowment for International Peace.

“Protecting the financial system against the coming cyber storms,” by Juan Zarate and Tim Maurer, May, 2020, The Hill.

“Cyber Mapping the Financial System,” by Jan-Philipp Brauchle, Matthias Göbel, Jens Seiler, and Christoph von Busekist, April 2020, “Cybersecurity and the Financial System” Working Paper Series, Carnegie Endowment for International Peace.

“COVID-19’s Other Virus: Targeting the Financial System,” by Tim Maurer and Arthur Nelson, April 2020, Strategic Europe.


Sincerely,

Tim Maurer, Arthur Nelson, and the Cyber Policy Initiative Team at the Carnegie Endowment for International Peace