1997 Congressional Hearings
Intelligence and Security

Madam Chairman, Members of the Subcommittee, good afternoon. My name is Stephen Katz, I am Chief Information Security Officer for Citibank.


I would like to thank you for the opportunity to appear before this Subcommittee hearing to discuss "The Role of Computer Security in Protecting the US Infrastructure", and to share with you our views on the appropriate role of government and of the private sector in securing this country’s information and telecommunications infrastructures.


My remarks will focus on:



First, let me begin by saying that the main product offered by banks is trust; We have a trust contract with our customers to assure the integrity, confidentiality and availability of data. And, in today’s world, that is 24 hours/day, from anywhere in the world. Anything that jeopardizes that trust relationship poses a risk to the bank incurring the problem, and any significant compromise occurring at one or more of the money center or super regional banks, poses a substantial risk to the financial services infrastructure of the country.


Further, going forward, we expect to see a virtual explosion of Internet based commerce. While predictions of the dollar value of Internet commerce vary, most, if not all, industry observers believe that billions of dollars of business activity will migrate to the Internet over the next few years. The most significant tool to facilitate this migration is security and confidentiality of information transmitted between banks and their customers, and certainty of knowing with whom we are doing business. Lack of security will all but prevent this migration from occurring.




To put this in a framework, the essence of information security and the key to minimizing the threat to the banking services infrastructure, can be found in the answers to seven fundamental questions:


  1. Do we know who is using the service? – What methods/technologies (e.g., passwords, one time password generators, digital certificates) are being used to verify the identity of someone attempting to use or access a bank service?

  3. Can we control what they do? – Once we have verified a customer’s identity can the security service route the customer to the systems/products which they are authorized to use? And ensure that they are restricted to such systems/products?

  5. Can we ensure the privacy of information? – Are we using an effective level of cryptography to ensure that only authorized systems, or users can read the information?

  7. Can we prevent unauthorized changes to information? – Have we implemented technology that will ensure that we will immediately know that information transmitted to the bank has been changed?

  9. Can we provide for non-repudiation of a transaction? – Have we implemented an effective means to digitally sign a transaction, message, or instruction submitted to the bank that will prevent denial of responsibility for the message?

  11. Do we know if there is a problem and is it soon enough to take appropriate action? – One of the key concerns in the industry is that System Administrators are either unaware of unauthorized attempts to access a system or they find out about it too late to take meaningful action. In fact, this is an issue that has been highlighted in a number of GAO reports.

  13. Can we ensure access to the service? – What tools or technologies have been implemented to reduce the risk of denial of service attacks against a system? And, if access to a system is denied, have effective continuity of business plans been developed and tested?


State of Information Security in the Banking Sector:


First, I would like to take this opportunity to correct a significant misconception. Contrary to what has been reported in the media, banks must and consistently do comply with extensive regulatory requirements for reporting losses resulting from breaches in information security. Further, the minority staff statement coming from the U.S. Senate Permanent Subcommittee on Investigations hearings on Security in Cyberspace, held on June 5, 1996, found no evidence of any financial institutions failure to report, or attempt to cover up, any electronic intrusion.


It is my assessment that banks are leaders in implementing across the board information security programs, and Banks tend to be aware of and take action to minimize threats and vulnerabilities. Banks have been one of the largest users of cryptography to ensure the confidentiality and integrity of customer information, and we are among the earliest adapters and leaders in implementing state of the art technology for verifying identity of customers using our services electronically.


Generally speaking, within Banking, we endeavor to make information security an integral element of risk management and to ensure that senior management is responsible for instituting effective levels of security. In addition, we also tend to assure that information security issues are addressed as part of business and product development efforts. There are multiple reasons for this:





Banks have also been among the leaders in developing, acquiring and implementing self assessment technologies to ensure that we are in compliance with internally developed information security policy and standards. In addition, associations like the American Bankers Association and the New York Clearing House have for years encouraged and facilitated ongoing dialog and sharing of information among Bank Information Security Officers. Bank Information Security Officers have also been leading participants in information security industry associations.


Vulnerabilities and Threats


The banking and financial services industry is undergoing significant change. We are now beginning to implement 24 hour/day, 7 day/week electronic commerce services to our customers from anywhere in the world. And, we as an industry are beginning to do this via the Internet. In addition, increasing numbers of banks are outsourcing operations and technology. Since bank products and services are inexorably intertwined with technology, it is essential that security is a fundamental component of any product offered. As a result, there must be an ongoing assessment of vulnerability and threat.


Some of the specific threats/vulnerabilities we are facing include:



Consider the impact to the financial services infrastructure of a virus that randomly changes numbers on data transmitted to trading rooms, or for that matter the impact of random delays in transmitting information to those trading rooms.






This risk is further exacerbated by the lack of information available about contractors, consultants and outsource vendors, where it is even more difficult to obtain background information about staff authorized to access systems, data and networks.








Sound Practices for Information Security: Approximately a year ago the New York Federal Reserve Bank formed a task force responsible for developing information security "sound practices" for Internet based electronic commerce. The task force was under the aegis of the supervisory wing of the New York Fed; however, they did not use an examiner to lead the effort. They asked the person responsible for internal security at the New York Fed to lead the effort. He was a well known and an active member of a number of banking industry and information security organizations; and well respected in the private/banking sector.


In preparing the standard practices, the task force had numerous meetings with 35 - 40 banks, audit & accounting firms, consulting firms, universities and other private sector companies. As the report was nearing completion, the Fed team asked the participants to vet the document. The result was an outstanding piece of work that will help set the direction for information security policy, standards and practices within the banking sector.


I recommend that the government charter and direct a small task force lead by recognized security professionals with extensive practical experience to develop "sound practices" for information security that would be applicable to both the government and private sectors. Please note that I am not advocating developing best practices, since best is always a moving target. I am also not advocating developing detailed, across-the-board standards. What I am advocating is the development of an information security "sound practices" document.


Risk Awareness: As OCC circular BC 177 holds boards of directors responsible for having effective disaster recovery plans, so too should the boards have overset and responsibility for information security. The state of security and information security issues needs to be routinely addressed at the board of director level.


Privacy and confidentiality: The banking sector is heavily regulated by numerous federal and state authorities. And, data recovery is often part of examinations performed by the regulators. That coupled with the requirement to ensure the privacy of customer information as it transits global networks and as stored on bank systems mandates the need for and justifies the global use of unrestricted, robust cryptography regardless of keylength; without requiring mandatory key escrow or key recovery.


Since electronic commerce is global and borderless, multiple governments around the world would have access to escrowed keys. As a result, each government would be responsible for establishing and implementing auditable processes for securing access to those keys, and guaranteeing that they can prevent unauthorized access to those keys. In addition, they would have to implement an ongoing security assessment process to ensure that security remains effective. This is a monumental effort, and if not effectively done, creates an extraordinary exposure to the banking system.


The risk surrounding any mandatory key escrow/key recovery process is significant. Further, any mandatory key escrow/key recovery process in which numerous governments can access cryptographic keys and decrypt customer information transiting global networks prevents banks from assuring their customers that their information is confidential.


Historically the government has recognized the need for extra security on financial networks and that Banks can be trusted to deploy cryptography in a secure, restricted manner. Consequently, export controls on encryption products used by Banks have included special exemptions. It is essential that these exemptions not only be continued, but that they be broadened to ensure that we can export robust cryptography without any key escrow/key recovery requirements. In addition, when export licenses are required, the process for getting export licenses needs to be made easier and faster.


We also support federal involvement in developing and providing encryption algorithms to the banking system. This is with the proviso that the algorithms are publicly vetted and that there are no built in key escrow/key recovery features.


Digital Signatures - Numerous states have enacted some form of electronic or digital signature legislation. These laws tend to have a great deal of inconsistency and create tremendous uncertainty in this area. In order for there to be secure and effective electronic commerce without an overriding threat of electronic forgery, we need federal regulation to first ensure consistent legal treatment of electronic authentication/digital signatures for banks within the U.S. Since electronic commerce is borderless, we then need international treaties/agreements governing standards for digital signatures.


Education and Awareness: This is a significant area where funds should be invested. For this to be effective, a program stressing computer usage ethics must be put together and reinforced in all grade levels, from kindergarten through university. As an initial step, I would encourage forming a task force consisting of educational professionals with classroom experience, security professionals with practical experience in awareness programs, marketing and public relations professionals and appropriate government representatives to draft a program and approach.


A second effort needs to be aimed at business and government to help them understand their information security risks and their responsibility in addressing those risks.


Vendor Contracts: Public and private sector contracts with hardware and software vendors need to define security requirements. In addition, both sectors need to work together to convince vendors of commercial, off the shelf products that include security functionality, be delivered with security features fully enabled and turned on. In addition, all default passwords and known backdoors must be removed.


University Programs: Government funds need to be invested in helping universities to develop information security curricula in Computer Science programs, Business programs, Liberal Arts and Law programs,


Partnership with Industry/Information Sharing: There is a need to establish an informal partnership between government, industry and education to share information security practices and education and training programs.


We also need greater access to reliable, up-to-date, information from the government and across the industry regarding identification of new threats and vulnerabilities. Private industry is never quite sure whether or not there are threats, risks and vulnerabilities that the government is aware of, but are not shared.


The types of information being shared need to be defined by experienced security practicioners who function in the commercial sector. In addition, once criteria are defined, information sharing needs to be via specific trade organizations, like the American Bankers Association, in a climate of trust, where anonymity is ensured and liability is limited.


Product Certification Labs: When I go to buy an electronic appliance in New York, I look for a certification by the Underwriters Laboratory before I make the purchase. If the certification is there, I assume the product is safe for use. I would recommend that a panel consisting of government and private sector staff develop product certification criteria for evaluating security functionality in commercial products. Private companies/laboratories should then be licensed to certify products meeting various levels of security, for example, a bronze, silver and gold level of certification.


Extended Background Checks: As you are aware, banks routinely perform drug testing, fingerprint and minimal background checks on new employees. However, in order to reduce the risk of insider threat, it would be beneficial if the tools and facilities the government uses in granting security clearances be made available to us in filling sensitive positions. In addition, there needs to be an effective means for limiting liability so that we could obtain meaningful information from past employers regarding performance.


That concludes my testimony. I would be pleased to answer any questions you may have. - Thank you.




Stephen R. Katz, CISSP

Chief Information Security Officer, Citibank, N.A.

Prepared for

House Committee on Science, Technology Subcommittee




Address: Citibank, N.A.

909 Third Avenue

New York, NY 10022


Phone: 212-559-1902





Professional Certification: Certified Information Systems Security Practitioner (CISSP)




Degree: BA Biology, New York University, 1996





Sources of Federal Funding: Citicorp is a large financial services company which has many contracts with government agencies on a regular basis, and on occasion contracts with the government to provide a variety of services. I, am not directly involved with the implementation of any of that business. In addition, to the best of my knowledge, Citicorp has no grants relating to the subject matter of the hearing.