
Senator Carper Expands Investigation into Efforts to Better Protect Global Banking Systems From Cyber Attacks

In Response to Multiple Recent Attacks, Ranking Member Seeks Additional Answers to Ensure Secure Transactions

Jun 08 2016

WASHINGTON – Today, U.S. Senator Tom Carper (D-Del.), top Democrat on the Senate Homeland Security and Governmental Affairs Committee, expanded his ongoing investigation into efforts by federal agencies and international banking institutions to better protect banks around the world against cybersecurity threats in light of multiple recent attacks on the SWIFT system. Senator Carper sent letters to the Bank for International Settlements (BIS) General Manager Jaime Caruana and U.S. Department of Homeland Security (DHS) Secretary Jeh Johnson requesting that both entities, by June 29th, answer questions and brief staff on how BIS and DHS are addressing these recent attacks and safeguarding against other potential threats.

“As the attacks on the SWIFT system raise important questions about the ability of member banks to prevent future attacks, Congress has a responsibility to continue to strengthen cybersecurity in the United States, including ensuring that the system used by our banks to engage in cross-border transactions is secure,” Carper wrote in one letter. “International financial institutions, including central banks, also have a responsibility to ensure that they stay one step ahead of cyber threats to protect the security of the global financial system.”

The letters sent to BIS and DHS today follow letters sent by Senator Carper last month to Federal Reserve Bank of New York President William Dudley and Society for Worldwide Interbank Financial Telecommunication (SWIFT) Managing Director Patrick Antonacci following the reported successful attack on the Bank of Bangladesh involving the SWIFT system. In those letters, Carper requested that both entities answer questions and brief staff on their efforts to address these recent attacks by June 17th.  

The text of the letter to the Bank for International Settlements General Manager Caruana can be found below and in PDF form here

Dear Mr. Caruana:

            In light of recent cyber attacks involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT), I write today to request information regarding the Bank for International Settlements’ guidance on cybersecurity practices to central banks around the world.

            In February 2016, an anonymous group of cyber criminals reportedly posed as the Central Bank of Bangladesh and used the SWIFT system to fraudulently transfer $81 million from an account at the Federal Reserve Bank of New York to accounts in the Philippines. According to press reports, these criminals exploited weak cybersecurity protections at the Central Bank of Bangladesh to create fully authenticated transfer orders and then used sophisticated malware to hide evidence of the transactions. Similar attacks using SWIFT codes reportedly occurred several months prior at banks in other countries such as Vietnam and Ecuador.

            The Bank for International Settlements provides policy analysis, banking, and internal support services to central banks and plays an important role in coordinating cybersecurity guidance to central banks in response to these attacks. In a November 2015 report prepared for one of the Bank for International Settlements’ standing committees, the authors stated that cyber resilience “can be a decisive factor in the overall resilience of the broader financial system” and that “given the stealthy and sophisticated nature of cyber attacks … advanced capabilities to extensively monitor for anomalous activities are needed.”[1] In addition, Gottfried Leibbrandt, SWIFT’s CEO, was reportedly in recent contact with the Bank for International Settlements regarding the inclusion of cybersecurity within global supervisory standards.

            As the attacks on the SWIFT system raise important questions about the ability of member banks to prevent future attacks, the U.S. Congress has a responsibility to continue to strengthen cybersecurity in the United States, including ensuring that the system used by our banks to engage in cross-border transactions is secure. International financial institutions, including central banks, also have a responsibility to ensure that they stay one step ahead of cyber threats to protect the security of the global financial system.

            To better understand the Bank for International Settlements’ role in preventing future cyber attacks, I ask that you please provide the following information by June 29, 2016:

  1. What are the Bank for International Settlements’ protocols and practices for sharing information about cybersecurity threats targeting BIS member central banks?
  2. Does the Bank for International Settlements provide any technical, operational, managerial, and procedural support to member central banks related to cybersecurity? If so, please explain.
  3. Have member central banks provided comments on the November 2015 report on cyber resiliency? If so, please summarize these comments and describe any further actions the Bank for International Settlements plans to take in response.
  4. Does the Bank for International Settlements plan to issue revised cyber security standards to central banks or take any further action in response to the recent attacks involving the SWIFT system?
  5. Please describe any additional efforts of the Bank for International Settlements’ working groups, including through its standing committees, to address the recent attacks involving the SWIFT system.

            I also request that you ensure that a briefing is scheduled with my staff regarding these issues. The Committee’s minority staff is authorized to conduct this investigation under the authority of Senate Rule XXV and Senate Resolution 73 (114th Congress). Thank you for your attention to this matter.

 

The text of the letter to Homeland Security Secretary Johnson can be found below and in PDF form here

Dear Secretary Johnson:

            In light of recent cyber attacks involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT), I write today to request information regarding the Department of Homeland Security’s (DHS) response to these attacks.

            In February 2016, an anonymous group of cyber criminals reportedly posed as the Central Bank of Bangladesh and used the SWIFT system to fraudulently transfer $81 million from an account at the Federal Reserve Bank of New York to accounts in the Philippines. According to press reports, these criminals exploited weak cybersecurity protections at the Central Bank of Bangladesh to create fully authenticated transfer orders and then used sophisticated malware to hide evidence of the transactions. Similar attacks using SWIFT codes reportedly occurred several months prior at several other banks in countries such as Vietnam and Ecuador.

            A recent report from the cybersecurity company Symantec suggests the cyber criminals who conducted the attack involving SWIFT, the Central Bank of Bangladesh, and the Federal Reserve Bank of New York may be linked to a group called the Lazarus Group that has previously attacked targets in the United States. According to this report, the malicious code used to hide the evidence of the attack on the Central Bank of Bangladesh had been used previously by the Lazarus Group in an attack on Sony Pictures in 2014.

            In addition, the Federal Financial Institutions Examination Council, an interagency body that prescribes uniform principles and standards to promote uniformity in the supervision of financial institutions, recently issued a statement calling on financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks” and “conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management.” The statement comes after the Federal Bureau of Investigation reportedly warned financial institutions in the United States to monitor for signs of cyber attacks after “actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system.”

            Given the importance of SWIFT to the global financial system, these recent attacks raise important questions regarding the security practices of member banks and their ability to prevent future attacks. Congress has a responsibility to continue to strengthen our nation’s cybersecurity, including ensuring that the system used by our banks to engage in cross-border transactions is secure. Only by staying a step ahead of these cyber threats can we ensure the security of our financial system. 

            To better understand DHS’s response to these attacks, I ask that you please provide the following information by June 29, 2016:

  1. Has DHS provided assistance to the Federal Reserve Bank of New York or any other entity in response to the attacks on the SWIFT system? If so, please explain.
  2. Has DHS reviewed the Symantec report linking the recent attack to the Lazarus Group? If so, please provide DHS’s assessment of this report.
  3. DHS has the express goal of leading “the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure.” This is carried out by a variety of programs at DHS, including the United States Computer Emergency Readiness Team (US-CERT). How does DHS work with the financial services sector to better prepare for and respond to cyber attacks like those on the SWIFT system? 
  4. Does DHS track cyber attacks on financial institutions in the United States? If so, please describe this process.
  5. In 2015, Congress passed the Cybersecurity Act of 2015 to enhance the security of private companies and the federal government, including by better sharing of cyber threat information. How is DHS using the authorities under the Cybersecurity Act of 2015 to help secure companies and organizations like SWIFT?

            I also request that you ensure that a briefing is scheduled with my staff regarding these issues. The Committee’s minority staff is authorized to conduct this investigation under the authority of Senate Rule XXV and Senate Resolution 73 (114th Congress). Thank you for your attention to this matter.

###