"The banks feel that firewalls and what they have internally is in great shape, but the link is to the consumer and PC environments [where they find security more suspect]," said Catherine Allen, chief executive of the Banking Industry Technology Secretariat, a division of Bankers Roundtable.
BITS is governed by a board of CEOs of the 15 largest U.S. banks, including familiar names like Citibank, Chase Manhattan, Mellon Bank, Wells Fargo, and Bank of America. Edward Crutchfield, First Union chief executive, chairs BITS, a two-year-old group that focuses on technology issues affecting the U.S. banking system.
The BITS Security/Technology Lab, to be run by a new banking-oriented division of government contractor SAIC, is due to be announced in late June or early July, with Vice President Al Gore and former U.S. Sen. Sam Nunn invited to speak. A July meeting is planned in the San Francisco area to explain the program to hardware and software vendors.
Security experts from major banks are currently drafting the testing criteria. In addition, the lab oversight group is working with the President's Commission on Critical Infrastructure Protection on ways to protect the nation's financial infrastructure from attacks by terrorist or organized criminal groups. President Clinton formed that group a year ago after a report on threats from cyber-terrorists.
The effort also will involve information sharing among banks to ward off organized attacks, including use of neural networking and other technologies to detect and predict patterns of attacks.
"If it's a terrorist or major criminal activity, we think it will happen in multiple places," Allen said. "They won't hit just one bank but many." Security planners worry that assaults could be mounted near the end of this year, when attackers hope banks might be distracted by the Y2K turnover.
The testing of consumer devices and software will be coupled with educational campaigns urging users to utilize antivirus software and take other precautions to avoid security problems.
Systems that pass the tests can use a special logo in their marketing to signify the products have been deemed safe by BITS. Also to be tested are systems to conduct financial transactions, including personal financial software, online billing and bill-paying packages, and smart cards.
"Vendors want this as much as we do," Allen contended, saying that vendors today may get multiple requests from different banks, each asking for specific changes for that bank's own use. Funneling those requests through the BITS lab would simplify that process.
The effort comes as financial institutions are beginning to use the Internet for online banking, stock trading, and other transactions. In the past, online consumer transactions have been routed over private networks that banks regard as more secure. But the explosion of the Internet, which is not such a controlled or secure environment, has bankers looking for safety.
Another reflection of that concern has been the efforts by Visa and MasterCard, on behalf of their bank owners, to push the Secure Electronic Transactions (SET) protocol for Internet credit card purchases. Although SET has not been widely adopted in the U.S., the prolonged push to implement it mirrors bankers' worries about their reputation as trusted institutions.
But there's a financial implication too. Banks are heavily regulated, and they are required to reimburse their customers for any losses suffered because of security breaches in online financial transactions. As online banking grows, that could become a big liability.