Digital thieves can operate from anywhere, execute instantly, and have access to immense amounts of money. As financial activities accelerate their migration online it creates a critical need for more robust approaches by innovators, financial institutions, and government to combating financial cybercrime. Peter Ackerson, General Partner at Fin VC, explains in this article why cybersecurity is the weak link in US digital finance.
Bank robber Willie Sutton was once asked why he had robbed 41 banks. He famously replied “because that’s where the money is.” For his pains Sutton got life in prison and became the namesake for Sutton’s Law, which states that when diagnosing a problem one should first consider the most obvious explanation.
Money today may still be in banking, but not physically, or at least not in a form that Sutton would recognise. Whether in bitcoin, digital wallets, online neobanks, or digital trading accounts on Robinhood, the nature and use of money has changed forever – and, per Sutton’s law, this creates an obvious and real challenge.
Globally cybercrime accounts for $6 trillion dollars in losses per year, and are forecasted to increase by 15% or more per year, reaching $10 Trillion by 2025. This places the cybercrime economy as the third-largest in the world after the US and China.
There are still several reasons for optimism in the adoption of digital finance. More than ever before, financial innovations are addressing the needs of the under-served, the overcharged, and the excluded. However, while building the technologies that enable its movement, and real-time access anywhere, there are critical innovations that must first happen to ensure that digital finance remains safe.
As more of our economic activity moves online, there are three areas of cybersecurity policy and technology in particular that need urgent federal priority to ensure that digital finance will remain secure.
Establish a Clear Cyber Authority
America’s policy approach to state-sponsored or sanctioned cyber-attacks remains ineffective because it is underfunded and divided. The current state of cyber response remains entirely reactive and serves more to explain cyber hacking and theft after the fact than to help address or prevent it in real-time.
In the US, regulatory authority is hopelessly divided by legal frameworks that at various times place the burden for cyberattacks on the military, the NSA, the FBI, local police, and elsewhere. The result is an incoherent and ineffective strategy that leaves corporations and banks largely on their own to protect the personal and financial data of their customers. The ongoing cadence of data breaches, including the most recent Solar Winds hack, demonstrate that this is a responsibility that even the most secure and well-funded banking institutions have struggled to protect.
With a new and more assertive Administration in place, the first steps to be taken are to elevate the role of the Cybersecurity and Infrastructure Security Agency (CISA) as a core independent agency with a dedicated mandate, budget, and personnel; and to more actively engage the corporate financial institutions to ensure a coordinated network for prevention, mitigation, and response to cyber hacking.
Mandate Transparency and Identity
From TSA to trolls, tax schemes to shell companies, the ability to identify individuals and corporations has become central to protecting citizens, businesses, and government agencies. Yet, issues resulting from online anonymity and offline identity verification, at both the corporate and individual levels, remain untackled.
Know your customer and know your bank (KYC and KYB respectively) technologies are woefully antiquated, and allow cybercriminals to launder, hide, and redeploy huge sums of money rapidly across large global networks. This effort must be led by governments but include technology companies from around the world in order to develop a framework that can be deployed effectively, and in a manner that is safe and respects human rights and protections.
Technologies developed by companies like Onfido, leveraging advanced AI to prove identities with just an ID and facial scan, are currently already in use as the infrastructure for ClearPass programs at airports and for other security sites. These approaches need to be mandated not just for individuals, but for corporations as well.
Accelerate Cyber Training
Developing next-generation human capabilities not only within our government and military but also within the broader civilian population is urgently needed. Instead of the illusory Space Force to fight fantastical opponents, the US needs to focus on training across the board for government, military, and civilian cyber capabilities. The US has not invested into developing the next generation of cyber talent and capabilities, and is therefore in danger of losing its technology advantage.
Widespread adoption of a Cyber ROTC program, as has been done in several other countries, would fuel a new generation of innovators and provide the foundation for continued global technology leadership by the US. If implemented by the new administration, such a program would identify and train high aptitude candidates as early as high school, providing them with core technological skills that would form the basis of both successful commercial and military careers.
Policymakers and financial corporations in the US stand at a crossroads. As the leading global economy and the headquarters for the largest commercial and financial institutions in the world, we are at significant risk from global cybercrime. However, as a nation the US possesses the largest, most well-funded military and the most advanced financial technology companies in the world.
What we do with the latter will determine the longevity of the former.