‘We still don’t do the basics well’ – Chris Gale on cyber security

Chris Gale, a former vice-president of the Federal Reserve Bank of Boston, has said central banks still have a long way to go in improving their IT defences against cyber attacks.

“IT is hard enough without the cyber threat landscape we are in… It is putting an overwhelming stress on central bank’s resources,” says Gale. “There are many things on the technology side which we don’t do well… We still don’t do the basics well.”

Speaking on the sidelines of Central Banking’s Cambridge seminar series, Gale says information sharing is one of the main areas that could be utilised by central banks: “Information sharing across organisations, across legal entities, is still problematic.”

Before Gale left the Federal Reserve in 2014, he was in charge of the Fed’s technology service council – the senior executive IT steering committee for all 12 of the US reserve banks. In this position, he started a “unique programme” that gathered US banks together to share real-time data on their systems on a monthly basis.

“We started with a pilot, but it slowly matured… we have some very strong non-disclosure agreements in place, and we are actually sharing real data,” he says.

“Everybody was afraid to share real information about their systems, about the products they use and about how they secure them because of fear of that being exposed.”

But over time, the former vice-president says, the banks have built a trusting relationship with one another that will stand them in good stead in times of crisis.

“Should there be a real hack coming into your organisation, now you have people you can trust. You can pick up the phone and ask whether they’ve experienced the same thing and how they figured it out,” says Gale.

Striding forward

The former Boston Fed vice-president tells Central Banking there have been some major strides in cyber security in recent years, with a number of major central banks implementing “some aggressive and pretty cool” initiatives to shore up their IT defences: “What was once absolutely taboo, to run breach tests on your live systems during the day, is now happening. That’s fantastic.”

The Bank of England is one institution experimenting with such tools. CBEST, launched in 2016, brings in threat intelligence that is then tested against the BoE’s – and other large banks’ – live systems within a “controlled testing environment”.

Results from the tests reveal where vulnerabilities lie in current systems and highlight where cyber attacks could have the greatest financial stability impact.

Assessing the landscape

In the past couple of years, there have been some major technological advancements in the realm of IT, including big data and blockchain, that have caught the attention of central banks.

For Gale, blockchain is an innovation that will either make or break the future of central banking: “I think blockchain will eventually be so ubiquitous, it won’t be a matter of the central banks saying: ‘We are going to adopt the blockchain’ – it’s going to be you can’t operate with other financial institutions unless you are able to interact with blockchain technology.”

But while a number of central banks are focusing on cryptocurrencies and how blockchain could revolutionise payment and settlement, Gale thinks there are other areas that could also reap the benefit of this innovation.

Some of the success stories you read about in the press are just traditional uses of datasets, only they’ve been dressed up with a big data label

The future of big data, however, is not so certain: “The jury’s still out on that. Big data is not new for financial institutions – certainly not for central banks. Economists have been working with huge datasets for years. So what’s implied by big data is that you use a mix of structured and unstructured data to gain new insights from the traditional applications.”

Unfortunately, the former Boston vice-president has not seen any evidence there have been any successful applications of what he deems big data.

“Some of the success stories you read about in the press are just traditional uses of datasets, only they’ve been dressed up with a big data label… Really, when you talk to all the central banks, they don’t have any success stories to tell,” says Gale.

However, he adds that a lack of success does not mean big data has a lack of potential, it just means central banks are yet to find the right application for it. One area in which he sees merit is communications, where he believes central banks could tap into their social media account data to understand public sentiment: “I’m sure there is magic there – we just haven’t got there yet.”