2025 Public Sector Perspectives

Cyber Winter: Are Central Bankers Ready? Jay Collins Vice Chairman of Banking & Public Sector This article has been edited and updated from a speech delivered inMay 2024 to central bankers from around the globe at Citi’s Annual Central Bank Seminar. A cyber winter has been coming for a very long time. I delivered a speech to a group at the U.S. Department of Homeland Security on the evolution of the cyber threat. This is an excerpt: “The reality of the digital era is that hacking is now a service… IT outsourcing service providers create new vulnerabilities, as do SME service providers to governments and large corporates. Blackhole malware toolkits delivered through software-as-a-service target our networks. Mobile device hackers target the weakest links in the chain, a chain through which citizens and customers increasingly utilize personally identifiable information (PII) and execute financial transactions…The newest technologies, fromnear field communication (NFC) to location-based capabilities, act like a lightning rod for cybercriminals. Nation- state actors are able to fund the modern-day equivalent of a nuclear arms race. Single-tier traditional perimeter security systems are today’s Maginot Line. Supervisory control and data acquisition (SCADA) industrial control systems for managing chemical facilities and public utilities have blurred the lines between cyber and physical security. Hardware is as vulnerable as software. Networks controlling financial markets and hospitals are under siege. Tier V and VI attackers have redefined ‘fat tail risk’ not just for the financial systembut for the entire economy. And the red teams are winning.” I gave that speech in July 2013 – more than a decade ago! It should send shivers down your spine at how long we have been discussing cyber winter. At the time, the message was a warning, a call to action. Five years later in 2018, as the situation had only worsened, I gave another chilling speech to government officials called “Preparing for Winter,” where I warned: “The threat has surged, not diminished; cyberattacks have accelerated in frequency and breadth of impact; and successful, material breaches are commonplace. Actors disrupt and destroy, they demonstrate patience and deceptive capabilities, they increasingly commit cyber-enabled extortion and espionage, and they are consistently attacking applications andmobile devices, demonstrating an accelerated and focused ability to compromise business email to commit financial crime, fraud and extortion…One of the most troubling trends is the persistent and dramatically increased role of nation states in cyberattacks against other states and increasingly the private sector…We now live in a world where, as a government or financial institution, we are in the zone of greatest incident concentration. The question is not if we will be cyber victims, but when. This paradigm shift leads us from pure prevention towards detection and response measures.” Citi Perspectives for the Public Sector 31