Paul Smocer

To encourage information sharing about cyberthreats, banking institutions need to be protected from liability through the enactment of new federal legislation, says Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable.

"The biggest thing we're looking for is the concept of liability protection when it comes to good faith sharing of information," Smocer says an interview with Information Security Media Group [transcript below].

Smocer's comments came after President Obama met with banking executives at the White House recently to discuss cybersecurity strategies. The meeting, which Smocer attended, came on the heels of the National Institute of Technology's issuance of its preliminary version of a cybersecurity framework (see Obama, CEOs Meet on Cybersecurity Framework). The conversation centered on information sharing and protecting organizations that reveal attack and vulnerability information, Smocer says.

"If an organization's sharing information about an attack or an attacker ... and they're doing it to protect others both within and beyond their industry, that act should not result in them somehow bearing liability," Smocer says.

Instead, sharing of information in good faith should provide organizations strong liability protections and protection from disclosures under the Freedom of Information Act, he says.

During this interview, Smocer also discusses:

The investment needed to enhance cybersecurity and information sharing; The role legislation should play in ensuring information sharing is protected; Why cyberintellingence sharing must become more of an accepted cross-industry practice.

At BITS, Smocer leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers. BITS is the technology policy division of The Financial Services Roundtable, which was established to protect and promote the economic vitality and integrity of the United States financial system. Smocer joined the Roundtable in February 2008 as vice president of security. Before BITS, he focused on technology risk management at BNY Mellon and led information security at the former Mellon Financial Corp., where he previously served as the CISO and manager of the Technology Assurance Services Division. Smocer began his career at Mellon in 1974, when he joined its Information Technology Audit Group.

Presidential Meeting on Cybersecurity

TRACY KITTEN: President Obama recently met with key executives from IT, financial services and energy companies to talk about ways we can improve the security of the country's critical infrastructure. How unique was this meeting?

PAUL SMOCER: I think the meeting was unique in the sense that it shows the importance of the subject to the nation and the nation's critical infrastructure. But I don't think it was unique in the sense that this is the first time we have heard the administration speak to the subject. Obviously, it's a key subject for them. It's not the first time they have spoken with CEOs about its importance, and it's certainly not the first time that they've spoken with critical infrastructure industries about the importance. ... It continues to show this is an important issue for our country. ...

Top Representatives

KITTEN: Who were some of the key executives present at this meeting, and what companies did they represent?

SMOCER: There were eight CEOs who were at the meeting. Three of them were from key financial services companies: MasterCard, Bank of America and Visa. The rest were from a combination of the defense industry, companies that deal with cyberintelligence and support, like Symantec and Intel. [It was] a pretty good representation from CEOs in the financial services industry with three out of eight. That probably speaks to the importance that we, as an industry, have put on cybersecurity and the fact that there's an expectation that, as an industry, this will continue to be an extremely important subject to us.

Catalyst for Meeting

KITTEN: What would you say was the catalyst for the president to call this meeting?