The wolf guarding Wall Street
How Phil Susmann '81 and his NUARI team are helping U.S. banks build resiliency in the face of cybergeddon
The cyberattack starts with a single email. Sent by a group calling itself DDo$, the message hits the inboxes of brokers and managers at financial firms across the country. It is Sept. 14, 2015, a Monday. "All your servers are going going [sic] under attack unless you pay 100 Bitcoin," the email demands. While its menace is clear, typos cast doubt on the threat's credibility. What serious hacker demands a ransom of plus or minus $24,000, anyway? Most of the managers who receive the email simply delete it.
But as the busy trading day progresses, websites of financial companies from Wall Street to San Francisco start crashing. And not just the giants, but the smaller banks, too. Information Technology staff at those firms report widespread customer complaints. Mom-and-pop trades aren't executed. Meanwhile, the email threats sent by DDo$ continue to ping inboxes. Financial traders and managers begin to suspect that the cyberattack is not only real, but has gone viral. Powered by complex computer infrastructure, trades of stocks, bonds, currency, and commodities serve as the lifeblood of the global financial system. On any given business day, U.S. and international firms move several trillion dollars. But on this particular Monday, the flow threatens to drop to a trickle. Unless they take action, the country's banks and financial markets will be on the verge of cardiac arrest. But what is the right course to take? Should they trust the extortionists and pay? Who in their company makes that decision? What precedent will that set? Can the country's financial firms — normally competitors in the contested arena of capital markets — coordinate their response?
Standing in a second-floor office in the Equitable Building on Broadway in lower Manhattan that day is Phil Susmann '81. A computer geek and former Norwich cadet, Susmann leads the Norwich University Applied Research Institutes (NUARI). The skunkworks was founded in 2002 to advance projects critical to national and global security. At 6-foot-2, with sandy hair turning gray at the temples, Susmann looks like a Boeing executive — an engineer in a suit and Bill Gates glasses who worked his way up from the shop floor to the boardroom. Only Susmann rode the wave of the computer, information, and cyber revolutions instead, rising from MBA to consultant to Norwich professor to campus chief information officer and beyond.
Susmann knows that over the next several hours the cyberattack will only get worse. Soon an insider breach will leak confidential client data. Then failures in computerized settlement — the transfer of funds or securities to complete a transaction — will leave billion-dollar orders between buyers and sellers unresolved. The crisis has the potential to push banks to the brink of insolvency if left unchecked, and send 401(k) balances spiraling to stomach-churning lows. But Susmann also knows something else: The cyberattack is not real.
* * *
In recent years, hackers have infiltrated computer networks at a growing number of large U.S. companies and government agencies. Victims range from Target, Home Depot, and Yahoo! to the federal Office of Personnel Management, the Internal Revenue Service and the U.S. Energy Department. Computer systems at the latter were successfully penetrated 159 times between 2010 and 2014, according to a USA Today investigation of federal government records last year. Nineteen of those breaches were targeted at the National Nuclear Security Administration.
More often than not, hackers target U.S. and international banks and financial firms. After all, as one Forbes blogger wryly noted, that's where the money is. The rate, according to Infosecurity Magazine, is 300 times greater than in any other business sector. According to the Ponemon Institute, a U.S. bank or financial firm hit by a serious cyber breach can expect to pay, on average, $20.8 million in direct damage, lost business, and cleanup costs. Lloyd's of London, the British insurance giant, puts the current overall global cost of cybercrime at $400 billion. FBI Director James Comey told "60 Minutes" in 2014, "There are two types of big companies in the United States. Those who've been hacked… And those who don't know they've been hacked …"
"Cybersecurity is an increasingly critical threat to the financial market," says Najiba Benabess, a Norwich economics professor and director of the School of Business and Management. "An attack on a financial institution resulting in the loss of vital data can have a devastating effect on the bank's reputation, costing significant amounts of time and money to repair."
Benabess adds that the interdependence of the world's global financial institutions makes them vulnerable to disruption, putting national security and the stability of the international financial system at risk. "As cyber frauds become more sophisticated, banks must adjust their strategies … to improve cybersecurity," she says.
Susmann and his NUARI colleagues have been instrumental in helping U.S. banks and financial firms test and harden their resiliency against major cyber events. In 2013, NUARI received a $9.9 million contract from the Cyber Security Division of the Department of Homeland Security. The funding permitted the continuing development of NUARI's powerful simulation, known as DECIDE-FS, that essentially functions like a massive multi-player video game. But rather than supply flashy graphics and explosions, the tool enables hundreds of players across the country — from broker-dealers, clearing firms, and stock exchanges to U.S. banks, regulators, and law enforcement agencies — to test themselves against lifelike simulated cyberattacks. The Securities Industry and Financial Markets Association (SIFMA) has used the tool since 2013. That was the year that the association, which represents hundreds of U.S. broker-dealers, banks, and asset managers, convened Quantum Dawn 2. SIFMA used DECIDE-FS® (see sidebar) again last year. The exercise has become the largest single-day event of its kind for the industry.
Most Americans over a certain age remember where they were on Sept. 11, 2001. For Susmann it was outside Baltimore, at the National Security Agency (NSA) at Fort Meade. The NSA had recently designated Norwich as a Center of Academic Excellence (CAE) in Information Assurance. The following day, Susmann was slated to join Norwich President Richard W. Schneider, retired Gens. Al Gray H'88 and Gordon Sullivan '59, and Carl Guerreri '62, all Norwich trustees. The delegation planned to meet with Sen. Patrick Leahy, D-Vt., to pitch a proposal for a new cybersecurity center at Norwich University. "I was in the basement of the NSA with the CAE group when the Towers came down," Susmann recalls. "The next day, we were going to be in the Russell (Senate) Building. But, of course, that was all closed."
Rescheduling their meeting with Leahy until December, Guerreri, Susmann, and Schneider walked the senator through the body of cybersecurity work that had earned Norwich its CAE designation. The Norwich delegates also discussed NU's various projects with the National Guard on cybersecurity education, training, and operations for the Army and Air Force. "Leahy got it right away," President Schneider recalls. "We didn't have to convince him."
The outcome was an earmark in the Justice Reauthorization Act of 2002, creating the National Center for the Study of Counter-Terrorism and CyberCrime at Norwich University. By 2008, the center had evolved into NUARI. The diverse research enterprise would no longer need to rely on federal budget earmarks in its new incarnation. Instead, it would create and market intellectual property, like the DECIDE-FS software.
Today, NUARI houses four separate institutes: the Cyber Conflict Research Institute, the Institute for the Study of Culture and Language, the Defense Technologies Research Institute, and the Learning Technologies Research Institute. The various nonprofits are headquartered in Northfield, Vermont, and Alexandria, Virginia, just outside Washington, D.C. Staff has ranged from as many as 28 employees to as few as five. Today, NUARI has about 18 employees and generates $4 million to $9 million in annual revenue.
Most recently, NUARI has landed two contracts totaling $24.9 million from the Department of Homeland Security to help protect the U.S. financial sector. "Phil is a rainmaker," NU President Schneider says. "He can make deals happen, and he has a great sense of how to connect the dots between the needs of the federal government and how Norwich can fill those needs."
* * *
A Vermont native, Philip Susmann enrolled at Norwich University on the recommendation of his junior high civics teacher, Jack Daley '46, a U.S. Marine who served in WWII and later became Vermont's lieutenant governor. Susmann initially majored in electrical engineering, until he failed a required course in thermodynamics (he could not master the steam table). So he switched his major to business administration. The change was serendipitous, because what did come naturally to Susmann were computers, and as luck would have it, NU's School of Business and Management shared Dewey Hall with the university's computer center. Susmann gravitated there, learning the Job Control programming language in his free time.
Following graduation, Susmann attended Clarkson University on a fellowship, writing stacks of code for faculty while earning his MBA. His projects included an automated grocery store and work on large information systems. After Clarkson, he installed the College of St. Joseph's first computerized information system in his hometown of Rutland. Following a business venture with his brother in Colorado, he eloped back to Vermont with Julie, his wife.
There he pieced together a living as a consultant and shoe salesman, doing whatever it took, while seeking his dream job as a control systems engineer. But employers in Vermont just weren't there yet, Susmann says.
In 1987, he joined the Norwich faculty as a professor, teaching statistics in the business school. His teaching portfolio soon included classes in forecasting, management production operations, and the bulk of the computer information systems program. He was granted tenure in six years. A year later, in 1994, President Schneider appointed Susmann as the university's first full-time chief information officer. Susmann brought all the university's computing in house and instituted other changes. But two years into his term, he got his comeuppance when students exploited a flaw in the campus-based email system.
The hackers commandeered the School of Architecture + Art's rendering computers — at the time, the best computers on campus — to crack the usernames and passwords of the entire Norwich email system. Running the system's shadow password file through a password cracker enabled the students to reveal usernames and passwords.
"We didn't patch the system," Susmann says, his rue still apparent. At the time he didn't know how much data the students stole. Nor was it immediately clear why the situation might be worrisome. Email was still in its relative infancy. The campus system wasn't used much. Mostly, students sent messages to one another. But, soon enough, Susmann realized that most people on campus, himself included, used one password for all their accounts, including personal ones. Some university administrators even shared their passwords with assistants when delegating responsibility for their email accounts.
Susmann's solution was to require the entire campus community to walk over to Computer Services to get a new password. Faculty, staff, and students also received tutorials on cybersecurity and password creation. The line stretching out the door was enormous. Shaking his head as he recalls the nightmare, Susmann says, "That was the moment I got security."
* * *
Back in lower Manhattan, 60 observers cram around a large table in a SIFMA conference room. Present are bank and finance industry representatives, federal law enforcement agents, and national security types, among others. For their benefit, Susmann has been narrating the Quantum Dawn 3 exercise — or QD3 — as the day plays out. The simulation has compressed three days of intensive cyberattacks into five hours. By late morning the exercise has reached "Break Point 4," or 4 p.m. on Day One. The markets close and players from participating firms, regulators, and law enforcement agencies engage in cross-talk. Large LED screens cover the room's walls, flashing charts and graphs. Values are down. Activity in the game is up. Someone asks how the FBI is faring. A bureau staffer reports that some firms have been in contact with questions and to share some information about the attacks. The outreach is taken as a sign of progress.
Down the hall, a separate conference room has been turned into the temporary headquarters for the QD3 game directors. Eric Richardson, a NUARI product developer, sits next to Bob Clinton, QD3's exercise director. Richardson fields questions from 15 facilitators, who are hunkered down in a third room, where they consult via phone and Internet with reps from firms participating in the cyberattack simulation.
Clinton rakes his eyes across various computer monitors and speaks into his headset mic, announcing each new phase of the cyberattacks. The scene evokes "The Hunger Games." "We are now going to press on forward to Break Point 11," Clinton tells facilitators. He spins the game clock forward, moving the action ahead. "In the exercise, this will be 0400 simulation time on Day 3 of the exercise."
Periodically, DECIDE-FS® injects fake communications from regulators, law enforcement, and the news media on a pre-set schedule. The "injects" include grating taunts from hackers, such as a phony DDo$ Twitter post that threatens to shut down Wall Street banks if they don't agree to demands. Some ersatz news accounts misreport details of the attack, seeding market volatility.
"Market Sees Huge Sell-Off in Face of Coordinated Cyber Attack," screams one headline from fictional news agency BBN News. "Major market indices are in a frantic sell-off after cybercriminals FIEND and their sympathizers have made clear their intentions to disrupt the financial markets," the report says. For better or worse, the Quantum Dawn scenarios served up by NUARI's DECIDE-FS® software platform aren't fantasy. They are loosely based on actual events.
Participants in today's QD3 exercise show the strain of five hours of attacks, breakdowns, and hackers' taunts. But they also buzz with ideas. By late afternoon, Susmann conducts a "hot wash" debrief with players from 25 or so firms and agencies to gather feedback. Sitting in a sparsely occupied conference room, Susmann tents his hands in front of his face as he listens, shifting his gaze from seated colleagues to a speakerphone on the table before him as others conference in. The feedback varies. One player calls the QD3 exercise "very interactive and engaging." Another says, "We would like even more customization." "We can work with firms to customize the scenario even more," Susmann replies. A law enforcement rep describes the exercise as "fantastic," while someone from a large bank acknowledges major lessons learned which can be taken up as key findings.
Itâs been a long day. Finding gaps in crisis protocol is intentionally stressful work. Especially when there are some 500 players.
By the end of the exercise, many have learned more about their own internal protocols and how their systems stand up. Some participants coordinated with unlikely partners. After-action analysis stresses the need for better communication between the public and private sectors, information sharing standards, and tripwires for action.
"America's financial system is stronger today than it was when we did Quantum Dawn 1," President Schneider says. "Each time we do an exercise, America's financial systems become more robust and sustainable."
"Cybersecurity began as a technical focus," Susmann says. "The evolution of society now drives the focus to the boardroom and national security." He credits President Schneider and Trustees Al Gray and Carl Guerreri for building NU capacity and brand in the cybersecurity arena. "NUARI is part of that brand, working both at the core of the financial sector and emerging into other critical infrastructures to build organizational resilience."
Part of his mission now is to expand the rollout — and revenue — of the DECIDE cybersimulation to more players and industry sectors, such as utilities and telecom. To that end, Susmann meets with financial firms immediately after QD3 to discuss the tool with them. The next day, he leads a cyber-security panel in Massachusetts before traveling to the fall NUARI Board of Directors meeting in Washington, D.C.
A few days later, Susmann boards a flight to Singapore from Virginia. NUARI has been contracted by the Society for Worldwide Interbank Financial Telecommunication (SWIFT). Susmann and his Norwich team will run cyberattack scenarios at the annual SWIFT International Banking Seminar. The demo will introduce DECIDE-FS® to 80 international bankers. Twenty-seven hours and three connections later, his Qatar Airways plane touches down at Changi Airport. His flight has covered more than 10,000 miles. But as he gathers his luggage at baggage claim, Susmann seems to have traveled so much farther.
* * *
More Information
The DECIDE-FS® software has generated seven of NUARI's ten patents and runs on more than 150,000 lines of code. It enables players to simulate and customize cyberattack scenarios with high degrees of complexity and precision. Options include DNS and DDS attacks, personal data leaks, order-processing disruptions, and clearing systems infected by malware. Days of escalating cyberhacks, systems failures, and market turmoil can be compressed into the span of hours. During that time, DECIDE-FS® throws major-league curveballs at participants, forcing corporate leaders, industry regulators, and IT and cyber staff to address key questions. Whom do they ask for help? When do they close the markets? When do companies share information with their customers and law enforcement? How do firms maintain their reputations and credibility in the face of cyberattacks?
Players are able to fine-tune their crisis scenario, adding extra layers of stress. One participant in the Quantum Dawn 3 exercise in September asked to have a (simulated) storm knock out their company's coastal operations. (Due to confidentiality agreements, company names have been omitted.)
The goal of Quantum Dawn is to help the financial industry pinpoint areas where it can improve its cyberprotocols and develop and refine best practices, says SIFMA president and CEO Kenneth E. Bentsen. Considerable progress has been made in the last two years, he says, "Yet we know that this work is never done."
* * *
About Norwich University
Norwich University is a diversified academic institution that educates traditional-age students and adults in a Corps of Cadets and as civilians. Norwich offers a broad selection of traditional and distance-learning programs culminating in baccalaureate and graduate degrees. Norwich University was founded in 1819 by Captain Alden Partridge of the U.S. Army and is the oldest private military college in the United States of America. Norwich is one of our nation's six senior military colleges and the birthplace of the Reserve Officers' Training Corps (ROTC). www.norwich.edu
By David J. Ortiz '98 M'06, published in CYBER: The Magazine of the MCPA