DHS Invests in Securing Finance Infrastructure
A nascent program could field cyber technologies this year.
Within the next 12 months, a fledgling program at the U.S. Department of Homeland Security will likely begin transitioning cybersecurity technologies to the finance sector in an effort to shore up the nation’s critical infrastructure. Technologies developed under the program ultimately could be made available to other sectors.
The Next Generation Cyber Infrastructure Apex was established last March by the Cyber Security Division of the department’s Science and Technology (S&T) Directorate. The program seeks to identify mostly mature technologies in five key areas identified by finance sector experts. Those areas are dynamic defense, network characterization, malware detection, software assurance and insider threat.
“Our goal is not so much focusing on the research aspect but doing more of the development and transition. We’re going out and doing tech foraging to see what exists out there and then funding a small amount of development to get it ready to transition into the finance sector,” explains Greg Wigton, S&T’s deputy manager for the program.
In the coming months, the program could field solutions in two of those areas: network characterization and dynamic defense. “We have two projects we’ve kicked off. They’re in the middle stages. The first is on network awareness and understanding what exists on the network and what kind of tools may be available to facilitate that,” Wigton reports. The second, he adds, is about “understanding what’s on the network and how information flows and who has access to what types of devices.”
Department officials decided to focus first on the finance sector. It includes thousands of organizations that deposit funds and make payments to other parties, provide credit and liquidity to customers, invest funds for both long and short periods, and transfer financial risks between customers. Among the various critical infrastructure sectors, finance is one of the most high-value targets. “They seem to get a little bit more attention because they are the finance sector, and they do have the money, and their job is to go protect that,” says Doug Maughan, who directs the S&T Cyber Security Division.
Furthermore, the finance sector is broadly considered the most sophisticated in the cybersecurity arena. At the same time, the level of sophistication can vary widely within the financial services domain, Wigton says. “The big banks that you can name on your two hands have a lot of money they can put toward this problem, and they’re a little better situated than some of the others. When you start going down to some of the regional and localized banks, they don’t have quite the same budgets,” he says. “I do think the sector as a whole is more mature than some of the others, but there are varying degrees.”
Despite its resources and relative sophistication, the finance sector needs some help navigating the realm of cybersecurity solutions. “They just don’t have the manpower and facilities to do a lot of test and evaluation of different vendor products throughout the year. This enables some of the financial institutions to actually see more technologies that could provide some impacts for their networks and their enterprises,” Wigton says.
Program officials also seek solutions that are less mature and require more research and development. They do so by allying closely with the Cyber Security Division’s Silicon Valley Innovation Program. “We’re looking at earlier-stage technologies and later-stage technologies, all to help the finance sector,” Maughan says. “We’re actually, to some degree, trying to accelerate the tech development and the marketplace that will be helpful to the finance sector more broadly.”
Last year, the Silicon Valley Innovation and next-generation cyber infrastructure programs together awarded five contracts valued at $70.66 million. Software developer and storage provider NexiTech Incorporated, Woodland Park, Colorado, was awarded a $194,000 contract in October. The NexiTech solution offers a “moving target defense approach to providing critical protection for storage devices and networks,” according to an S&T statement. “It aims to protect storage management and data interfaces by creating multiple abstractions of devices—similar to frequency hopping previously used in radio communication—to confuse potential cyber attackers.”
In addition, Heilig Defense LLC, Philadelphia, was awarded a $67,152 contract for its Memory Sentry solution that “provides runtime application protection against specific memory-safety vulnerabilities” and “offers a defense-in-depth architecture that minimizes exploit opportunities that can be used by potential attackers,” according to a separate press release.
The most sizable award—$70 million—went to Cyber Apex Solutions, an Arlington, Virginia, company that acts as a hub for researching and identifying vendors and technologies to meet the program’s requirements. “For each project, we have a contractor that does tech foraging and identifies promising solutions,” Wigton says. “We’re looking at anything from university research to small businesses to federally-funded research coming down from some of the labs—essentially technologies that could solve the problem but need some polishing or some commercialization before they can actually be integrated into the finance sector.”
Partnering with Cyber Apex Solutions through an “other transaction” contract vehicle allows the Department of Homeland Security (DHS) to more quickly explore a greater number of potential solutions than S&T could on its own. “If DHS is trying to work with 10 or 20 or 50 companies at once, with just the number of government processes, it would be difficult for us to move as quickly as we need to move. They bring a technical expertise to the program and a volume to look at some of these technologies that we probably couldn’t handle on our own,” Wigton adds.
Cyber Apex Solutions helped establish a Cyber Apex Review Team, also known as CART, that includes top players in the financial services sector, such as Bank of America, Goldman Sachs and Citi. “Some great financial service sector institutions are participating, and they’re the ones providing us with the gaps and priorities and needs. It’s not us going to them and telling them what we think their problems are,” Wigton says.
Through monthly teleconferences, financial services organizations participating in CART share their concerns, challenges and needs. Both the DHS and Cyber Apex Solutions sometimes follow up with one-on-one calls to further define needed solutions.
Once that is done, they send out a request for proposals to companies that have joined the Cyber Apex Solutions Consortium. The team anticipated the first round of proposals in December. Once selected, vendors were expected to complete a round of test and evaluation preceding prototype development.
Ultimately, financial services institutions will not be the only ones to benefit from the program. “Once we go through a couple of projects and view the lessons learned from those, we’ll apply the process to other critical infrastructure sectors,” Wigton offers.
By the same token, S&T officials can use lessons learned from other sectors to help the financial services community. Wigton, for example, also is involved in a project related to the oil and gas industry and is applying knowledge gained to this program.
“The benefit will be a more secure critical infrastructure. Cybersecurity is not specific to a single institution or a single sector or the public or private sector. By working with the financial sector and with the private sector, we’re able to solve problems relevant not only to individual institutions but also relevant to the government and other sectors,” Wigton states.