Toward a New Paradigm for Resiliency and Security
May 3, 2016
Richard Dzina, Executive Vice President
Remarks at SIFMA's 43rd Annual Operations Conference, Miami Beach, Florida As prepared for delivery

Good morning. I’d like to thank SIFMA for the opportunity to participate in today’s program. Speaking before an audience of industry leaders on a matter of such fundamental import for the resiliency and security of our financial system represents both a rare privilege and a tremendous responsibility.

It is an equal honor, and I confess a bit humbling, to follow Secretary Chertoff, upon whose remarks I hope to build with a targeted application for financial market infrastructures. My perspective today will not be that of a Federal Reserve policy maker, or of a supervisor, but decidedly that of a practitioner.

I had the privilege of hearing General Michael Hayden, former head of the NSA and CIA and a member of the Chertoff Group, address a payments symposium hosted by the Federal Reserve Bank of Chicago in late 2014. In that venue, consistent with Secretary Chertoff’s remarks today, General Hayden spoke of the tectonic shifts affecting the global landscape, and their prospective impact on cyber, terror, and geopolitical threats.

His basic message, in two parts: keep your seat belts on, it promises to be a volatile century (yes, century); and when it comes to our critical financial market infrastructure being subject to attack, it is not a matter of “if” but “when”.

As the operator of wholesale services for the Federal Reserve Banks, arguably the foundational element of our nation’s financial market infrastructure, this was a sobering message on which to reflect.

I have titled my remarks today “Toward a New Paradigm for Resiliency and Security”, and intend to address, at a conceptual level, how global realities and an understanding of the escalating threat landscape have transformed our historical approach to these critical subjects. My remarks reflect my own views and do not necessarily represent those of the Federal Reserve Bank of New York or the Federal Reserve System.

The Nature of the Federal Reserve’s Wholesale Services

As context, and to underscore the stakes, please indulge me in a brief reflection on the nature of the Federal Reserve’s wholesale services, consisting of the Fedwire Funds Service, the Fedwire Securities Service, and the National Settlement Service.

I like to frame the wholesale service suite as the “franchise” when it comes to our nation’s financial market infrastructure. It is a bold assertion, but not an unreasonable one, reflecting at least four considerations:

  • Transactional Value

    In 2015 we processed in excess of $1 quadrillion in Funds, Securities, and National Settlement transactions. That is a one followed by 15 zeros. For those like me for whom a quadrillion is a difficult number to conceptualize, it reduces to the Gross Domestic Product of the United States effectively flowing through our pipes every four days. It is not an exaggeration to suggest that the wholesale services represent the central conduit of liquidity, indeed the circulatory system, for our nation’s economy and financial system.

  • Interconnectedness

    In 2012, as I am sure you will recall, the Financial Stability Oversight Council, under Title VIII of the Dodd-Frank Act, designated eight financial market utilities, including the Clearing House as operator of CHIPS, CLS Bank, the Depository Trust Company, the Chicago Mercantile Exchange, ICE Clear Credit, and the Options Clearing Corporation, as systemically important.

    The wholesale services operated by the Reserve Banks were not formally so designated, but the Board of Governors, acting in its oversight capacity, committed at the time to hold us to “as high or higher a standard” as it holds these private sector utilities; I assure you, we are experiencing, appropriately, that “or higher” side of the spectrum.

    For our purposes today, I will merely note the existence of critical dependencies of many of these systemic market infrastructures on the availability of the wholesale services in their daily operational life cycles to fund, defund, or settle positions derived from transactions in other markets. The inverse is not necessarily true, placing the wholesale services at the base of the pyramid on which other systemically important infrastructures, and indeed our financial system, ultimately rest.

  • Role as Central Securities Depository and Fiscal Agent

    As Central Securities Depository for over $70 trillion in par value of Fedwire-eligible securities, the Fedwire Securities Service functions as central repository for the largest, deepest, and most liquid pool of collateral in the world.

    Moreover, in support of the fiscal agent responsibilities of the Reserve Banks, the Fedwire Securities Service facilitates the issuance, maintenance, and redemption of all Fedwire-eligible securities, performing an indispensable role in financing the operations of the U.S. government and those of other issuers.

  • Support for Monetary Policy Execution

    Finally, I will note that the wholesale services function as the platform across which the Federal Reserve ultimately settles its monetary policy operations.

Any one of these elements would likely qualify the wholesale services as “systemic”; in the aggregate they represent a staggering portfolio on which the execution of both our nation’s fiscal and monetary policies absolutely depend. A wholesale service outage, or even a meaningful disruption that impairs public confidence, risks a significant shock to the United States that would have profound, and potentially unpredictable, consequences, for which the only appropriate policy response is “failure is not an option”.

Historical Approach to Resiliency and Security

Consistent with industry best practice, our historical posture to ensure the resiliency and integrity of the wholesale services has principally reflected a post-9/11 construct focused on geographic dispersion of infrastructure and human capital. Like you, we have invested considerable resources to ensure operational redundancy through geographic dispersion of data centers and operating sites, real time data replication, and split operations. These investments have yielded significant resiliency dividends, and deserve to be heralded.

While geographic dispersion of infrastructure and human capital remains an indispensable prerequisite for responding to physical threats, and is likely sufficient for most contingency scenarios we face, it no longer suffices as the central organizing paradigm for resiliency in the wake of the escalating cyber threat. Global realities compel a paradigm shift in how we contemplate the resiliency and security of systemically important infrastructure. To borrow the vernacular of our supervisory colleagues, we must prepare for “extreme but plausible” events.

Consider, for example, a cyber-breach of perimeter security resulting in the insertion of pernicious malware, a severe data corruption in which confidence in account balances is compromised, or even an application failure that propagates itself almost instantaneously across primary, secondary, and tertiary operating sites. An unfortunate byproduct of instantaneous data replication, such a scenario risks rendering a systemic infrastructure functionally inoperable.

Aggravating the cyber challenge, we must recognize, in contrast to traditional resiliency scenarios, the likelihood of facing an adversary that can anticipate and adapt to our contingency response in real time. Moreover, the nature of the challenge is asymmetric: we must defend across an extended front; the adversary need only find a single point of entry or vulnerability. These dimensions add a dynamic to resiliency planning we have not previously contemplated.

Toward a New Resiliency and Security Paradigm

In recognition of these escalating threats, the Committee on Payment and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) have recently published a consultative report providing guidance on cyber resilience for financial market infrastructures. The guidance is designed to supplement CPMI-IOSCO’s Principles for Financial Market Infrastructures, and is unequivocal in its expectation that FMIs establish a two hour resumption objective for critical operations in the event of disruption, even in the case of extreme events, regardless of their nature (cyber or physical).

For most infrastructures, I will suggest, this expectation remains aspirational, with some parallel to the supervisory guidance issued following 9/11 that mandated geographic dispersion of infrastructure and human capital. Just as the industry responded to the prior physical challenge, so will it respond to the current cyber charge, I have every confidence. I would be remiss, especially in recognition of our SIFMA venue, not to herald cross-industry collaboration as an indispensable means to identify the design of alternative solutions to accelerate recovery, contemplate their cost-effective deployment, and strengthen not merely the resiliency and security of individual components but the system as a whole.

Beyond our respective efforts to enhance perimeter security, isolate critical applications, rotate more nimbly across data centers, guard against insider threats, and bolster detection and readiness, I will suggest that the central question for systemic market infrastructures to consider in response to the present cyber challenge relates to third site capacity.

Historically, third site solutions have been integrated into a data replication scheme and scaled to restore only critical functionality in traditional doomsday scenarios in which primary and secondary data centers are lost. But the iron triangles on which market infrastructures have relied may be suffering from corrosion in recognition of the escalating cyber threat. Prospectively, I will suggest that market infrastructures need to contemplate technologically diverse, off-network third site solutions, representing an impregnable firebreak, and a platform for recovery, if the core of an application suite or data set becomes corrupted. A technical point of nomenclature: perhaps one day we will refer to these solutions as “third level” rather than “third site”, recognizing that technology increasingly is liberating us from “physical” limitations (such as data centers) to consider “metaphysical” alternatives (such as cloud or hosted solutions).

The prospect of a technologically diverse third level of resiliency raises several important questions:

  • Reflecting the law of diminishing returns and increasing costs, where does a market infrastructure draw the line on resiliency? How much insurance is enough when the odds of invoking a technologically diverse third level of resiliency may be remote, but the costs of a severe disruption from which one cannot recover are incomprehensibly large?
  • How can a market infrastructure ensure the absolute integrity of its data and software from which to resume operations if the core is compromised?
  • For how long should an infrastructure be prepared to operate in a degraded mode, and how should that assumption inform the business requirements for critical third level functionality?

Financial market infrastructures will likely respond differently to these questions, and just as surely they will come up with a range of technical solutions to respond to CPMI-IOSCO’s clarion call, reflecting their unique circumstances and their respective assessments of the threat. In fact, it may be preferable for market infrastructures to develop alternative solutions for responding to the cyber challenge, lest a monolithic solution result in an unintended concentration risk or an unhealthy “groupthink”. I do not intend to suggest a prescription to be applied universally across market infrastructures; I do intend to inspire a necessary reflection on an issue of fundamental import.

It is worth noting that the CPMI-IOSCO cyber guidance also exhorts financial market infrastructures to develop contingency plans for events in which the two hour resumption objective is not met. We are therefore compelled to consider not merely “star wars” resiliency but also “stone age” contingency.

Like many of our peers, this charge has already encouraged my colleagues in the Wholesale Product Office and across the Federal Reserve System to consider our remedial actions to mitigate customer and market impacts in the event of a wholesale service disruption from which we cannot recover on a same day basis, our best efforts to ensure resiliency notwithstanding.

This work proceeds across multiple fronts, including analyzing and parsing our transaction flow to identify systemic activity, exploring alternative constructs to process that activity via other channels and service providers, and (later this year) conducting table top exercises with systemically important customers and interfacing financial market infrastructures to test our hypotheses and procedures.

But let us not delude ourselves: no matter how mature our framework for responding to protracted outage scenarios, no matter how sound our procedures, no matter how tested our protocol, we never want to rely or rest on these measures from a contingency perspective. The lesson for any market infrastructure, especially one at the epicenter of the financial system, is to so invest in resiliency and security that we never find ourselves in this position.

A Concluding Analogy and Aspiration

As a former Army officer, I cannot resist concluding with a military analogy. In responding to the present challenge, let us be sure not to construct an inflexible Maginot line whose rigidities are easily subverted by a creative and nimble adversary. Let us instead develop a coherent and integrated system that relies upon the classical elements of defense, but none of them exclusively: perimeter security to keep the adversary outside of the environment; defense in depth to safeguard our most critical assets; sophisticated intelligence to understand the adversary’s tactics; robust surveillance to monitor for intrusion and ensure environmental integrity; rapid response to fend off attack; effective collaboration with allies to enhance collective security; and, occupying the central position in my remarks today, a strategic reserve to respond deftly in the event of loss.

An important supplemental point not to be overlooked: not only do these measures enhance security and resilience, they also represent extremely effective deterrents in raising the costs upon and marginalizing the effectiveness of our cyber adversaries.

Make no mistake: as it relates to the wholesale services of the Federal Reserve Banks, we aspire not merely to a commercial standard of resiliency, or even a supervisory standard, but something approaching national security grade. We proceed on this trajectory from a position of strength, reflecting a record of experience that has endured the most severe terror attack in our nation’s history, a financial crisis of historic proportion, and extreme weather events such as Super Storm Sandy, among other noteworthy examples. But in this sphere, either intentionally we are progressing, or inevitably we are regressing: there is no idleness.

I trust I have made myself unequivocally clear on the choice we make; the stakes compel it.

Thank you for your generous attention today. I’d be pleased to respond to a few questions.