It’s our pleasure to present an interview with Thomas P. Vartanian, who has been described as “one of the best financial services lawyers in America.” He’s an expert on financial services and technology, including cybersecurity.
Thomas has worked in the public and private sectors, as well as internationally, where he consistently brings rigorous legal and regulatory acumen to bear on some of the toughest technology challenges facing our civilization.
But it’s not all about work: Thomas is a passionate musician and baseball player who, at 75 years old, still gives 40-year-olds a run for their money. He uses his passion to support the Special Olympics: playing with the Washington All Stars, he helped raise nearly $600,000 over the last 30 years.
As an author of numerous books and a frequent columnist, lecturer, and media commentator, Thomas has a thorough command of the cybersecurity issues financial institutions face today. He generously shared his perspective with us in this interview, including:
- How we stumbled into building the insecure global network known as the internet.
- The vulnerabilities and risks that organizations and the public are overlooking.
- What regulators and private corporations can do to fix cybersecurity at a fundamental level.
- Why cybersecurity solutions like .Bank are essential for improving cybersecurity outcomes for banks and consumers.
If you haven’t read them already, our Executive Interview Series has featured other notable guests, including:
- Eric Cook from WSI.
- J. Trent Adams from Proofpoint.
- John Carlson from the American Bankers Association (ABA).
- Lorri Janssen Anessi from BlueVoyant.
Let’s dive into what Thomas shared with us.
Background and Professional Experience
Q: How did you get into the cybersecurity industry?
I backed into cybersecurity because I started as a banking regulatory lawyer at the Office of the Comptroller of the Currency (OCC).
One of the things that I worked on, aside from bank failures (I’ve overseen more than 1,500 bank failures in my career), was the approval of national banks to issue automatic teller machines (ATMs). At the time, I thought ATMs were the greatest development in technology—and that was my introduction to cybersecurity.
Those of us at the OCC who worked on ATMs never spent three seconds on the security effects, because we were still using proprietary networks. There was no opening to the internet.
The next time I worked with cybersecurity was in 1998 when I became Chairman of the American Bar Association’s Cyberspace Law Committee, as Y2K woke us up to the whole cybersecurity issue, and at the same time my clients were asking for help to offer their products and services online.
Most bank customers don’t realize that when they walk through the front door of a bank, many services they use and rely on are coming from outside service providers to the bank. Many banks join ventures to offer different services and obtain their security.
A large bank called me in the early 2000s and said, “We have just been breached. Can you come up and help us figure out what we have to do for the regulators and the public?”
This was prehistoric in terms of dealing with hacking. Today, everybody knows what to do. Back then, none of the executives at the bank knew what had gone wrong.
Eventually, we learned there was some software that had a hole. We laugh about it now, but that software provider was essentially two guys in a garage. As a result of this breach, many individuals at the bank had their information hacked.
That’s when I started to wonder, “If we’re building a world where everybody’s looking for more customers and more profit, without thinking about the security of it, are we building something that’s going to get increasingly dangerous?”
And when I wrote The Unhackable Internet in 2023, it was because I concluded that we had built something incredibly dangerous.
When I first started working with technology, I had decided that if I was going to really help my clients, I needed to understand the underlying science. So, I studied it, learning for example how cryptography and digital signatures work.
We did a lot of technology work for companies and, as a lawyer in financial services, I began to realize that companies were always asking, “Can you help us do this?” But the first question they should have been asking was, “Should we do this?”
Q: Tell us about your current role.
I retired from a large law firm practice in 2018 and went to teach at Antonin Scalia Law School, where we founded a think tank on financial technology. We did that for three years. Then, my former law partner and I decided that we’d be much better off outside of the academic environment, so we set up the Financial Technology & Cybersecurity Center to foster educational efforts on the dangers of cyberspace.
We wanted to teach about the risks of digital insecurity and financial technology. So far, we’ve been the only group playing that educational role, and we’ve collaborated with a number of other large think tanks and groups around the country.
We also work with George Mason University’s Business Schools of Engineering and Computing on issues of cybersecurity and financial services.
We just did a program on the race to regulate the internet. That program underscored that if every state in the country and every country in the world attempts to regulate the internet, it’s not going to work. You can’t have 750 regulators of the internet and have it work efficiently and effectively.
The Tension Between an Open Internet and Insecurity
Q: How should people think about the relationship between information sharing and cybersecurity?
As a rule, competitors don’t like to share.
However, there are some sharing mechanisms in the financial services industry, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). There are also requirements for sharing information that regulators have issued. It is essentially a haphazard system of voluntary and involuntary sharing.
The most significant problem is that regulated companies are always hesitant to share with each other – companies that they are competing with – and with regulators. When a bank shares with its regulators – and there are many dozens, not just one – they are always concerned that the information could be used to mount an enforcement action against them or be used in a congressional investigation.
But limited forms of sharing undercut the efficacy of the whole process.
We need to be able to appreciate the risks we’re facing in this insecure online environment and understand how to deal with those risks. It’s difficult because the information that’s being shared isn’t 100% complete, accurate or in real time.
The solutions are difficult because they’re inconvenient, expensive, and users will not like it if it takes eight seconds to get some place online instead of two. But those users can also be the principal sources of the insecurity in networks.
We ended up in this situation by sheer happenstance. In 1969, the internet was handed off to four universities to share research information. It wasn’t built to be secure. And we have piled the entire internet and cyberspace that we see today on that insecure mechanism. All the world’s data and value poured into an insecure system. If you had asked our adversaries what we could have done to make it easy for them to take advantage of us, that would have been it. And we did it voluntarily.
Some cybersecurity experts say we’re creating vulnerabilities at twice the rate we’re creating solutions. And at every level, whether it’s national defense, financial services, or finding my money in the morning, it gets more and more dangerous every day.
Q: What are some of the cybersecurity threats you see emerging?
According to CISA, the Cybersecurity Infrastructure Security Agency, 47% of American adults have had personal data exposed by cybercriminals.
Back in 2015, when the Office of Personnel Management was breached, it should have been a call to fix the problem. The OPM had lost millions and millions of pieces of data about every federal employee, probably myself included, arguably to the Chinese or the Russian governments.
The situation has only gotten worse. Since then, almost every major company in this country has been breached. Almost every major federal agency has been breached.
It took me two years to write The Unhackable Internet, but it took me 45 years to formulate the principles and the concept in it. After all that time, I’ve concluded we’re fighting a losing battle.
Cybercrime has become a huge business. Just look at the 317 million ransomware attacks throughout the world during 2023. Hackers only need a very small percentage of that to make a pretty good business.
But it’s something that will also be used in warfare and is a matter of national security. Another watershed moment was in February when CISA announced that it had found that the Volt Typhoon, which is a proxy for China, had penetrated most of the critical infrastructures in this country.
The public has this funhouse view of the internet, where all information is available, all games are available, all people are available, and all knowledge is available online.
People in the U.S., where everything is regulated, assume, “It must be okay. The government must be letting it happen.” This is precisely wrong because nobody’s watching, nobody’s protecting the user, and it’s not secure.
The Industry Response to Insecurity
Q: Can you unpack a key insight from writing The Unhackable Internet?
First and foremost, there’s a lack of an economic incentive to fix the system.
Let’s say one of the major banks has an incursion, and they’re fined $20 million. Frankly, that’s not even a decimal point on the balance sheet, right? There’s an awful lot of money being made from online activities.
As a business person, you just say, “It’s the cost of doing business.” But take it further.
Why aren’t cybersecurity experts blowing the whistle? The cybersecurity business is approaching a trillion dollars a year in fees. So there’s a conflict of interest inherent in that business.
And the government has limited resources and abilities to control something in the hands of the private sector. But governments are not going to admit that they’ve led us down a path that can cause so much pain and havoc in the future. So they are discouraged from trying to fix it.
Institutions don’t like the message I’m delivering. Businesses don’t like the message, governments don’t like the message, and cybersecurity experts don’t like the message. So, I’ve realized I must be right because my message seems to make everyone nervous.
Q: Did anything else surprise you from the interviews in the book?
I’ve interviewed people who were there at the beginning of the internet, as well as people from the financial services industry who do cybersecurity and technology. Not a single person I interviewed told me I was wrong about the insecurity or the fixes that I proposed in the book.
So I asked myself, “If I’m right, and we have these problems, why aren’t we doing anything?”
I think the problem is inertia. You start down a certain path, and you just stay there, particularly if the economics of inertia work.
There is also a mesmerizing aspect to technology. You take the shrinkwrap off the product and stare into a screen that mesmerizes you. We think, “It must be great because it’s so mesmerizing.” We never stop and say, “Wait a minute, before I get mesmerized, what are the risks here?” It’s just like one big birthday party.
Becoming Proactive About Cybersecurity
Q: What are some of the solutions that financial institutions can implement?
When I’m giving a speech, I recognize the wonderfulness of cyberspace but caution balancing the rewards and the risks. But we’ve lost that sense of balance. We just say, “What a great reward!” and forget the risk.
As far as policy solutions, I use the acronym AGE: authentication, governance, and enforcement.
How is it that everything we do in our lives requires a license, a passport, or identification, except being online where most of our lives now exist? When everybody can be anonymous, there’s no real authentication.
Multi-factor authentication only gets you about 66% of the way there. We are always authenticating a machine, not a person.
So, the first step is to begin real authentication.
Second: How is it that in our real lives we have rules, governance, and more regulation than we can shake a stick at, but in cyberspace we have no rules, governance or regulation? We need governance.
Lastly, there is enforcement.
If you went online and saw that your money was gone tomorrow morning, who would you call? I’ve been in financial services for 50 years, and I was a regulator for eight years. I ran an agency, but I don’t know who to call.
That’s a recipe for disaster. Now, if we’re just doing fun things online, it’s one set of risks. But when you’re talking about national defense and running the country, it can cause a massive set of disasters.
We’re trying to solve digital problems with analog thinking. The scale of the risk has changed. We’re not talking about somebody losing $5,000. We’re talking about the entire financial services system being impacted.
In the 1970s, the most that could be stolen from a bank was what could be shoved into a valise and thrown into a waiting van.
Today, somebody can sit in their basement and steal the entire bank. The scale and risk/reward balance has changed, but our solutions have not.
On October 2, 2024, 20,000 Bank of America customers woke up and saw a zero balance in their accounts for most of the day. And there was no explanation until that evening—people described it as heart-stopping.
Think about no electricity, no money, and no water for one, two, or three days. If those are five percent possibilities, we ought to do something about it.
Cybersecurity dangers are a lot bigger than a five percent possibility. And for us to keep recreating this same system and mistakes over and over again and building on it without fixing the problem is terribly negligent.
The last element of the solutions I propose goes back to 1976, when I began my career and everything was done on proprietary networks. For security purposes, high-value and data-laden transactions should still be done on secure private networks.
The only way users should be able to get on those networks is with a passport and by agreeing to its governance and enforcement rules. If they violate those rules, the network should be able to pull a kill switch on them.
That doesn’t end the internet. It means we change the internet as we know it.
Q: How should we interact with other countries that have different cybersecurity rules?
First off, why would we ever swim in the same cyber waters with China, Russia, Iran, and North Korea? It has been reported that North Korea is funding its nuclear program with the money it makes hacking cryptocurrencies.
We ought to be doing what Russia and China are doing by limiting access. We should reconfigure the internet that democratic nations around the world use. Countries that won’t comply with the rules shouldn’t be on those systems. That takes national leadership, and it takes global leadership because the internet is not owned and operated by one country.
A book I recommend on this topic is The Cuckoo’s Egg by Cliff Stoll.
Back in 1989, Cliff found a breach in the Berkeley lab security system represented by merely 75 cents of unaccounted computer time each month. Everybody else ignored the issue because it meant nothing.
It turned out to be the KGB, penetrating Air Force bases in the country through the Berkeley lab! It showed how the weakest link in the system decides its fate.
I have always been a big fan of financial literacy, but I’m an even bigger advocate of technological literacy. People have no idea how technology works. A business can have the best security in the world in this insecure environment, and users can undo that in one fell swoop.
Q: What do you see as the difference between the private sector and the public sector in terms of cybersecurity?
Fundamentally, the difference is talent. The private sector has a tremendous amount of talent and money. There’s only a limited amount of money in the public sector for cybersecurity, particularly in financial services agencies, and therefore, a limited amount of talent.
Consider a 2017 report done by the Bank Policy Institute, which raised an interesting question: Should the banking regulators be the technology regulators for banks, or is another agency better able? These are important issues when it comes to supervision of banks.
To be clear, I’m not in the business of endorsing companies, but I did write about .Bank in The Unhackable Internet and I thought it was a great starting point for banks that want to be more secure. A .Bank domain gets at the authentication or spoofing issue by telling the consumer, “You are where you think you are.”
I think that regulators should be endorsing—if not products—the underlying security precautions that companies like .Bank are mandating.
Q: What’s your outlook for cybersecurity regulation and the financial services industry?
The ultimate point I make in The Unhackable Internet is that regulation doesn’t have a chance of being successful with respect to technology, cybersecurity, and financial services unless we change the regulatory model from adversarial to cooperative.
We would have to address conflicts of interest in such a system, where private and public sector entities sit at the same decision-making table, but when it comes to understanding the system, the people, and the business, regulators have a limited view.
If they could sit with the top people in an industry, get their input in a regulatory construct, and then together be able to make policy, it would make all the difference in the world.
I think a new model of regulation has got to be put in place. It is already being put in place in some aspects in other parts of the government. Consider the Cybersecurity Review Board that was established by President Biden in May of 2023.
It’s a panel of the heads of major agencies involved with cybersecurity in the government, with the CEOs and executives of major technology companies. Together, they will investigate major breaches and come up with recommendations about what happened and how to fix it.
Q: If readers want to learn more about you and your work, where should they start?
My book The Unhackable Internet is my first recommendation. They can also check out my personal website and find links to my other writings, such as my columns in The Hill and various other publications.
To learn more about the many benefits of a .Bank domain, schedule a meeting.