Dan Wachtler, CEO, DarkLight
Nov 8, 2023
To further prove my obsession with comparing my two industry experiences - AML and cybersecurity - in this article I suggest that the cybersecurity industry look to the FinCEN model for threat sharing.
As cyber threats continue to evolve, the quest for an effective threat-sharing mechanism grows increasingly urgent. The industry lacks consensus, however, on a robust foundation for this endeavor. There are commendable threat-sharing groups, such as the ISACs and the Cyber Threat Alliance (CTA), but they generally focus on specific industries and have membership limitations. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a good start from a mandate perspective but is also limited in scope. Yet another effort is the Cyber Safety Review Board (CSRB), modeled after the National Transportation Safety Board (NTSB), but it is more about post-mortem lessons learned than about providing near real-time intelligence. I propose that DHS CISA look to the Financial Crimes Enforcement Network (FinCEN) model, with its proven efficacy in combating financial crimes, to provide a superior and scalable framework for cybersecurity.
The FinCEN model, importantly empowered by sections 314a and 314b of the USA PATRIOT Act of 2001, mandates financial institutions to identify and report suspicious activities linked to money laundering or terrorist financing. The institutions submit Suspicious Activity Reports (SARs) to FinCEN and the FBI, enabling FinCEN to generate and share data on financial crime trends and even specific suspects industry-wide. Additionally, the model obliges law enforcement agencies to collaborate with financial institutions during investigations.
Adapting this model to cybersecurity beyond the financial industry is doable. However, the more we fragment our oversight, regulation, and enforcement regimes, the more difficult it becomes to accomplish. Standards are challenging, but they must be embraced. Safe Harbor provisions are also tricky but must be included, as they are at FinCEN.
Below are the six core mandates of FinCEN and their potential to facilitate a practical solution in the cybersecurity realm:
1. Regulate and collect information from financial institutions. This includes requiring financial institutions to file reports on suspicious activity and to maintain records of their customers' transactions. The regulatory aspects of this mandate, especially for private companies, get tricky. In fact, given the breadth of industries, dropping the "regulate" function and focusing exclusively on information sharing might make this mandate more acceptable. However, using sections 314a and 314b as a model to mandate and promote sharing, combined with the motivation of Safe Harbor provisions, should help yield the desired outcome.
2. Analyze and disseminate financial intelligence. FinCEN analyzes the information it collects from financial institutions to identify and track financial crime trends. It also shares this information with law enforcement and other government agencies. This mandate would be critical to the entire program. CISA, the NSA, the FBI, and other agencies post various advisories, but coordination could be improved. An additional key component is the need for the advisories to be actionable, via standards and reports provided in machine-readable formats, e.g., OSCAL.
3. Promote national security. FinCEN works to protect the U.S. financial system from being used to support terrorism and other national security threats. Expanding this mandate to include cybersecurity explicitly would be beneficial, such as "...works to protect U.S. cyberspace from being used to support criminal activities." This would need substantial discussion to ensure the mandate is neither overreaching nor unreasonable to execute.
4. Provide guidance and assistance to financial institutions. FinCEN provides guidance and assistance to financial institutions to help them comply with the Bank Secrecy Act (BSA) and other financial regulations. Translation is needed for the different scopes. A cybersecurity example might be specifying the format for sharing information.
5. Advocate for the use of financial intelligence. FinCEN advocates for the use of financial intelligence to combat financial crime. Translation is needed for cybersecurity, but this mandate may not even be required. Almost everyone understands that cyber threat intelligence is necessary to fight cybercrime.
6. Conduct research and analysis. FinCEN conducts research and analysis on financial crime trends and best practices. Translation is needed for the different scopes.
The FinCEN model is not without its flaws. It has been criticized for being too reliant on self-reporting by financial institutions and can motivate the sharing of too much information, which can clog the system. However, the model has proven effective in combating financial crimes and can be adapted to address some of the challenges unique to cybersecurity.
Adapting the FinCEN model to cybersecurity will require the cooperation of the public and private sectors. Government agencies, private companies, and non-profit organizations will all need to play a role in making this happen. First, the regulatory aspects must be addressed, especially for private companies. Second, the advisories and information sharing need to be actionable and provided in machine-readable formats. Third, the scope of the model needs to be translated to the different contexts of cybersecurity.
By mandating, or at least encouraging, sharing with a centralized body, law enforcement, and other government agencies, the FinCEN model has substantially helped combat financial crimes. FinCEN's ability to act to some degree as an intelligence service, with a unique bird's-eye view across institutions, is powerful. With some adaptation, the model can be used to combat cyber threats as well.
Feel free to reach out if you have interests, thoughts, or even disagreements. I am slowly creating a working group on this topic, and while my day job will prevent a rapid pace, I am committed to helping our industry wherever possible.