The One Word That’s Missing From the SEC’s Cybersecurity Statement

WASHINGTON, DC - MARCH 23: Jay Claton testifies before the Senate Banking Committee during his confirmation hearing to be chairman of the Securities and Exchange Commission in the Dirksen Senate Office Building on Capitol Hill March 23, 2017 in Washington, DC. Nominated by U.S. President Donald Trump to lead the SEC, Clayton was questioned by senators about his years representing large banks like Goldman Sachs, Barclays, Deutsche Bank and other Wall Street companies. (Photo by Chip Somodevilla/Getty Images)

SEC Chairman Jay Clayton during his confirmation hearings. He released a statement on cybersecurity last night, following President Trump’s Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Chip Somodevilla/Getty Images

There’s a lot of private documents sloshing around the internet with information that could make a stock trader rich, such as regulatory filings, court cases and memos from accountants. It’s all shooting through the wires. All a trader has to do is find it before the public does.

“Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself,” Securities and Exchange Commission Chairman Jay Clayton wrote in a statement on cybersecurity, released Wednesday evening.

As has been widely reported, the statement discusses a breach of the SEC’s EDGAR system that exposed documents that could have been used for insider trading. It also discusses two other cases: one that targeted a law firm and another that targeted a newswire.

All of these cases are basically the same: criminals wanted to get their hands on information before it was public so that they could trade on it. When significant news hits the press, it typically has an effect on the price of shares related to that company. If a trader can get in early, they can make a lot of money.

“By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency,” Clayton wrote.

What’s remarkable, though, is that—in a document on cybersecurity that runs to 4,000 words—Clayton never mentions one of the most powerful tools in existence for securing information: encryption.

At essence, we have a story here of cybercriminals who have succeeded in breaching important organizations and stealing key documents. The most popular way to execute such a breach these days is by phishing, sending an email that tricks a recipient into disclosing their password or otherwise providing authentication keys to get into a system.

It wouldn’t actually matter if criminals got in, though, if the data on that system were encrypted at rest. When data is encrypted at rest, a key is required to de-scramble it.

One way to do this is to create decryption keys locally on user devices (what security types call endpoints), keys that never touch the internet. When this is done, documents can be encrypted using the keys of every person who has been authorized to look at one of these sensitive documents. Then, they can only be read on those users’ devices.

In other words, even if one of those users was tricked into revealing his or her password and a cybercriminal could open up their account, it wouldn’t matter because the attacker would not be sitting at that person’s computer or using their mobile device, the only places that have the required keys to do the final unlocking.

Creating a robust and user-friendly encryption system isn’t trivial. The team at Keybase has been working on it for the last three years, but they have open-source software that any organization could look to as a starting point for the kind of arrangement described above.

In fact, Keybase just released its own version of Slack, the intraoffice message board. It makes it easy for the right people to read a given message and all but impossible for anyone else.

So that’s one option, but probably not one that the SEC is going to try. Encrypting data is not something Washington likes these days. Encryption isn’t viewed as the crimestopper it is. D.C. views encryption as a threat.

Former FBI Director James Comey attacked tech companies for encrypting data in such a way that law enforcement can’t spy. Then presidential candidate Hillary Clinton called for a Manhattan Project to defeat encryption. Attorney General Jeff Sessions basically seems to agree with both.

The rationale in each case is the same: terrorism. Their should be no document that the government can’t read because that might hinder investigation into terrorism. So, for that reason, it’s unlikely to see the SEC advocate that regulators and the financial industry invest in technology that could just as easily be used by militants to mask their communications.

Terrorism is terrible, but it’s still relatively rare, in the grand scheme of things.

Cybercrime and insider trading is an every day crime. No one needs to be converted into some dark ideology to have a motive to commit insider trading. All they need is greed, and everyone is greedy.

No one has to face near certain death at the end of an insider trading exploit either. In fact, there’s a good chance they will come out rich on the other side. Everyone wants to be rich.

Clayton deserves credit for this statement, though. Its spirit of disclosure is positive. It’s also good that Clayton acknowledges that the right posture today is to assume breaches will happen and to develop strategies to deal with them and bounce back. That’s positive.

But encryption is a reasonable way to defeat everyday financial crime. It’s too bad that the cops on the investor beat took a pass on this opportunity to promote it.

The One Word That’s Missing From the SEC’s Cybersecurity Statement