High-Tech Heist: Chinese Government IT Vendors and the Threat to U.S. Banks

3 Key Takeaways

Despite dozens of regulatory policies and a multitude of federal and state agencies charged with overseeing security, cyber attacks on US financial organizations are increasing in frequency and severity. A cyber attack on a bank can devastate its customers and systems, and a cyber attack on the US Treasury—which SolarWinds came dangerously close to achieving—could bring down the country.

The People’s Republic of China (PRC) is the leading adversary and advanced persistent threat (APT) actor against the United States. It uses cyber attacks to conduct theft, espionage, and disruption. The PRC is the only threat actor with a leading information technology (IT) industry, one that increasingly supplies the IT products and services of US financial organizations.

The US cyber policy approach, which restricts some PRC-owned IT firms but not others, is needlessly complex and invites exploitation. Federal policy restricts some purchases from Huawei, Lenovo, Hikvision, and others for security reasons, but it does not communicate the threats and mitigations in a way that is actionable for banks or end users. US financial organizations should therefore proactively conduct cyber resilience audits, remove elements with vulnerabilities, and adopt NATO’s risk reduction strategy of avoiding IT sourced from authoritarian countries. This strategy reduces the operational and reputational risks of unwittingly purchasing IT inputs deployed in the repression of human rights.


Bankers Beware: Restricted Technology From PRC-Owned Companies