Citi cyber chief says AI providing new weapons in hacking wars

Barron-DiCamillo also urges regulators to work with industry best practice, not against it


Ann Barron-DiCamillo knows all about juggling private enterprise and the public interest. Today, she is global head of cyber security operations at Citi, but she previously worked for well over a decade in the official sector, latterly as director of the US Computer Emergency Readiness Team at the Department of Homeland Security, where she led a 24/7 operations center to monitor cyber threats and support incident-response activities with government and critical industry partners.

In 2002, while Barron-DiCamillo oversaw web development for the National Telecommunications and Information Administration at the Department of Commerce, Congress passed the Federal Information Security Management Act. This was a pivotal framework that requires federal agencies to develop and implement programs to assess and manage information security risks, and her involvement led her into the domain of cyber security.

She therefore has plenty of sympathy with financial regulators’ efforts to strengthen the cyber readiness of the firms they supervise. Top of that list is the proposed cyber security risk management and reporting rule unveiled by the Securities and Exchange Commission in March 2023.


“The intention is positive. The SEC wants to ensure stockholders and the public are aware of impactful cyber events in publicly traded companies,” says Barron-DiCamillo.

But as with other areas of regulation – and perhaps even more so – the technical details of cyber security rules can make them or break them. The SEC’s package is facing pushback from industry groups ahead of its finalization, which the agency has slated for April 2024 at the earliest. Crucially, as large firms have already developed extensive protocols for handling cyber attacks, Barron-DiCamillo is keen for any new rules to go with the grain of industry best practices.

“The proposal is overly complex. Granular requirements could impede the Commission's intended results, because they don’t have the flexibility that allows market entities to tailor their policies and procedures according to their internal cyber security risk management frameworks,” she says.

Crafted in the wake of the cyber attack on trading systems vendor Ion Group earlier in 2023, the centerpiece of the SEC’s package is the new rule 10. This requires SEC-regulated firms to publicly disclose their cyber security risks and significant cyber security incidents experienced in the previous or current year on their websites. Furthermore, they are asked to provide immediate written notice to the SEC after a significant incident and follow up with a more detailed report within 48 hours.

“The difficulty in this rule is two-fold: the mandated reporting period doesn’t allow for a thorough investigation, and making this information public could have an unintended consequence to the impacted firm,” says Barron-DiCamillo.

Drawing on years of experience in handling incident response – she was a leading member of the cyber response team at American Express before joining Citi in 2021 – Barron-DiCamillo emphasizes that the initial 48 hours following a cyber security incident are so critical that the incident response team should concentrate solely on the investigation.

“Leveraging limited cyber resources to meet administrative burdens associated with enforcement or potential litigation risks can be a distraction to the incident response team,” she warns.

The other downside to releasing information too early is that it may be incomplete or inaccurate. In the days after the Ion attack, information shared with clients was changed several times. This can lead to a loss of public trust in a company and its cyber security protocols.

“Day one or day two of an investigation is different than what you are going to know on day 14 of an investigation,” says Barron-DiCamillo.

Playing team sport

Ransomware remains the most frequent form of cyber attack faced by the industry. Barron-DiCamillo believes tighter controls and increased law enforcement efforts in recent years have compelled threat actors to adapt their extortion tactics and take them to new heights of sophistication and audacity.

Those tactics include so-called “triple extortion schemes”, where criminals combine locking the victim out of their systems, threatening to leak confidential data online, and launching distributed denial-of-service attacks on the target at the same time.

“Affiliates have also been known to hire translators, professional negotiators, tech support, and even journalists to pressure victims into paying,” says Barron-DiCamillo.

Ransomware gangs have long regarded banks as lucrative targets, enticed by the large amount of sensitive data they manage and their financial capacity to meet ransom demands. As the Ion attack demonstrated, the high levels of investment in cyber security by large banks mean third-party providers are often the point of vulnerability for attackers.


More recently, a number of major lenders, including Deutsche Bank and ING, fell victim to a Russia-linked ransomware gang, which exploited a security flaw in the widely used file transfer tool MOVEit to compromise the organizations’ data. Given the shared nature of these threats and the third-party services they exploit, Barron-DiCamillo encourages banks to work together to combat the evolving ransomware landscape.

“Leveraging a defense-in-depth approach to protect against ransomware and other cyber attacks coupled with information sharing and co-operation, even among competitors, yields far greater success in this space than trying to go it alone,” she says.

And she practices what she preaches. For the past five years, Barron-DiCamillo has served on the board of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit global intelligence-sharing community for financial institutions, and in 2022 she began a three-year term as its chair.

In this role, she works with FS-ISAC chief executive officer Steven Silberstein to facilitate conversations among industry partners to ensure members share and receive trusted and timely information on cybersecurity threats and the latest industry trends. To date, some cyber attack victims have proven reluctant to share details of what weaknesses were exploited, making it more difficult for the industry as a whole to learn from experience.

“Cyber is a team sport. A lot of people I work with would be competitors on the business side, but in the cyber security space we have to have more of a teammate-type perspective,” says Barron-DiCamillo. “Something that’s affecting one firm today can easily be an issue for another firm tomorrow – one person’s protection can be another person’s prevention.”

AI double-edged sword

The threats could well get worse as new technologies become available to increasingly professionalized criminal networks. Barron-DiCamillo highlights generative artificial intelligence tools like ChatGPT as a route to enable the automation and rapid generation of threat campaigns.

“Five years ago, some of the more sophisticated attacks were left in the hands of nation states or advanced persistent threat type actors,” she says. “Fast forward to where we are today, with tools and other aspects of information-sharing that are done on the dark web, a less sophisticated actor can put together a very sophisticated campaign by buying parts and leveraging things like generative AI.”

For instance, threat actors can use generative AI chatbots to quickly produce personalized phishing emails based on companies’ public materials, or to write enhanced malicious code that bypasses security detection. She says generative AI allows “threat actors to maximize the opportunity for profit and create new business models,” as well as giving them new ways to exploit vulnerabilities.


The good news is that the cyber security industry is also actively exploring the potential of generative AI to provide rapid insights on emerging threats, detect new campaigns, combat criminal use of AI, and improve the overall efficiency of cyber defense.

Google, for example, has launched an AI language model named Sec-PaLM to help defenders with security research. Microsoft also introduced Security Copilot, which combines a large language model with a security-specific model to enhance threat detection and response.

Barron-DiCamillo says Citi’s cyber security team is testing generative AI internally, while also evaluating the capabilities of relevant third-party tools to determine the optimal approach to leveraging the technology.

“There’s a lot of interest from vendors moving further into this space given generative AI’s ability to automate the identification of attacks as well as the patterns associated with them,” she says. “End-to-end [threat] hunts can now be done through automation with vast improvements and advancements over the last few years, enabling more predictive outcomes.”

However, to make best use of new technology, the financial sector must nurture and retain the necessary talent. Competition is fierce, and firms need to be active and inventive to steer people in the right direction.

Barron-DiCamillo acknowledges the perceived talent gap in the industry, and suggests banks provide opportunities for young individuals lacking experience rather than excluding them during the initial hiring process. Her own professional journey began as a congressional assistant, with a view to a legal career.

However, an unexpected assignment involving HTML development for a congressman sparked her interest in computer science. This redirected Barron-DiCamillo’s path, leading her to pursue a master’s degree in computer and information sciences, before transitioning into roles as a software and web application developer in 1999.

At Citi, she has launched a cyber security rotational program for new hires, which allows them to gain experience on a different team every six months for two years before settling into one role full-time. She says the program gives apprentices the opportunity to hone their passions, while also helping establish an internal pipeline of future cybersecurity leaders.

“It’s a priority here at Citi to ensure that our people strategies align with continuous training where needed in an ever-evolving cyber threat landscape, as well as aligning with career progression,” she says.
