The Department of Homeland Security thinks al-Qaida terrorists might try to land jobs inside U.S. financial institutions, and from there launch attacks on the nation’s economy, MSNBC.com has learned. An “information bulletin” was sent out to the nation’s financial firms late Friday night, warning of “internal cyber threats.” But, as is the case with many Department of Homeland Security notices, the warning is vague and does not indicate an attack is imminent.
Commander David Wray, spokesman for the Department of Homeland Security, confirmed the department had issued the bulletin after intelligence officers received “some new information,” but he said he couldn’t elaborate.
“There is some new information, but obviously for classified reasons we can’t get into a lot of the background,” Wray said. “There is new intelligence that indicated specific interest in financial services and indirect indication ... that led us to believe we should provide additional awareness that threats could come from within as well as without.”
But Wray added the intelligence did not suggest al-Qaida members had already infiltrated banks, or that the terrorist group had specific targets in mind.
“We don’t have something that says there are people from al-Qaida infiltrating banks in the Northeast,” he said. “We have indications that there’s interest ... but there’s no red flag or imminent danger.”
The bulletin was distributed over the weekend to the nation’s financial institutions through the Financial Services Information Sharing and Analysis Center, a voluntary organization set up by financial companies to share security threat information.
One version of the bulletin obtained by MSNBC.com said it was based on “intelligence gathered over the past several months.”
Mark Merkow, security strategist with American Express Corp. and a board member at the analysis center, confirmed the memo was sent out, but he downplayed its importance. Department of Homeland Security bulletins, many as mundane as virus and vulnerability reports, are sent out nearly every day, he said. But he did not recall discussion of al-Qaida members that may seek jobs within banks.
“The suggested protective measures are things we should be doing anyway,” like doing background checks on employees and ensuring employees wear ID tags, he said.
Doug Johnson, senior policy analyst at the American Bankers Association, said this was the first time he recalled a Homeland Security advisory concerning terrorists seeking jobs at financial institutions. But he also downplayed the threat, saying it might simply represent better communication between government agencies and financial firms.
“They are not looking to alert the general public. They are trying to get to financial institutions some generalized threat information they are aware is out there,” he said.
In April of 2002, Attorney General John Ashcroft issued a very public warning to financial institutions in the Northeast, and several closed for one day in reaction. The Financial Services Information Sharing and Analysis Center is meant to distribute threat information in “calmer” ways. “There is a fine line we are all learning between alerting the public of things they need to know and concerning the public by giving them information that’s not actionable,” Johnson said. In this case, “there’s nothing a consumer can do with this information.”
Inside jobs always a problem
Rogue employees and “inside jobs” have long been the weak link in any corporate security system, particularly banks. It is hardly far-fetched to imagine organized criminals planting employees inside banks to facilitate economic crimes. In fact, a little over a year ago, the Treasury Department’s Office of the Comptroller of the Currency issued a similar warning — in this case about bank teller employees who were actually working for organized crime rings.
“Organized gangs are aggressively recruiting bank tellers to cash forged savings account withdrawals from customer accounts,” an OCC memo dated April 25 said. “Individuals are being encouraged by gang members to apply for teller positions at financial institutions for the sole purpose of providing access to the institution’s operating systems and customer access information.”
Rob Douglas, a bank security consultant, says many financial institutions are not as careful as they should be when hiring new workers — particularly temporary workers.
“It’s amazing how many banks don’t do background investigations,” he said. “And when I talk to banks, I ask, ‘How often do you update (the background check)? Once a year? Once every 5 years?’”
Computer security expert Alan Paller said banks have particular trouble performing background checks on third-party employees.
“Traditionally banks are very careful about the people they hire, but less careful about the people their suppliers hire,” he said. “My guess is a notice like that says, ‘Make sure the people who have the keys to the kingdom, such as access to fund transfer systems, make sure that you really know who those people are, and you aren’t guessing.’”
Wray said the Department of Homeland Security has three levels for its notices: information bulletins, alerts, and warnings. Friday’s notice to financial institutions was a bulletin, he said, the lowest threat level.
Such bulletins are hard to interpret, Douglas said, because they are vague.
“It makes you wonder, ‘What the hell do they have, and why aren’t they specific,’ ” he said. “But to the degree that it forces banks to re-examine their internal security policies when it comes to their technology, it’s a good thing.”