By Penny Crosman, American Banker
16 February 2018
Two years ago, dozens of U.S. banks, including Citigroup, JPMorgan Chase and Bank of
America, began working on a secret, ultrasecure data bunker called Sheltered Harbor that would hold a copy of all bank transaction data in the event of a devastating cyberattack. But the banks and industry groups behind Sheltered Harbor have recently changed the plan from a single bunker, itself a possible target of attack, to a backup buddy system. Banks choose “restoration” partners that store a vault of one another’s core data that’s updated each night. If one bank goes down, the other could restore accounts and make customers whole. The goal remains the same: when the worst happens, and even backup systems fail, there will still be a way to give customers access to their bank accounts. “Initially the concept was to create this secure, underground vault,” said Trey Maust, Sheltered Harbor’s CEO. “But as we worked through the logistics of that and the specifications and the initial founding members thought about, Do we want a single point of failure? That’s where the distributed model was born.” More changes could be in the offing. If executives from a company called Synechron have their way, for example, Sheltered Harbor may make another pivot, this time to blockchain technology.
Why the pivot
Sheltered Harbor was altered to eliminate the single point of failure a centralized data bunker would create. “When I first heard about Sheltered Harbor, the first thing that popped into my head was the Bruce Willis movie from about 10 years ago, ‘Live Free or Die Hard,’ ” said Steve Rubinow, a former chief information officer of NYSE Euronext who is currently on the computer science faculty at DePaul University and a consultant. “In the movie, a superhacker causes some event that forces financial institutions and the government to send their data to a bunker. The only problem is the bunker gets compromised. This is a similar premise.” The members decided the safest approach would be a distributed model along with minimum standards everyone adheres to. In the current version of Sheltered Harbor, participating banks, broker-dealers or asset managers each day convert customer account and transaction data into a standardized format, encrypt it and put it in an air-gapped, immutable storage medium on the premises of a restoration partner. “That allows for the retrieval of that information and the ability to bring it back up online, enable customers to access their critical account data, and then transact on that data,” Maust said. A restoration partner could be another bank, a service provider or a platform provider. The storage medium has to be nonvolatile, for instance write-once, read-many devices such as CD-R drives. Large banks pay $50,000 to participate in Sheltered Harbor. Fees for smaller banks and other types of firms range from $250 to $25,000, depending on their size. One question is whether in some markets, competitive forces could make it hard for banks to appoint backup buddies. “In spite of all processes and procedures, is there some way they’re going to be able to see my data and I don’t want them to see it?” Rubinow said. “That’s always going to be a concern.” But Maust says that isn’t a worry for many. When he served as chief financial officer at Merchants Bancorp, a community bank in the Portland, Ore., area, it had reciprocal backup relationships with other banks in its market. “At the community bank level, there’s a fair amount of collegiality,” Maust said. “As banks start getting larger, maybe that dissipates a little.” Where competition is an issue, banks could use their core processors as restoration partners, he said.
What it could look like on a blockchain
But some see a more cutting edge system on the horizon. The New York based technology services firm Synechron has created a blockchain-based model of what Sheltered Harbor could look like in the future. It has not gotten a seal of approval or an agreement with any of the groups behind Sheltered Harbor, which include the Financial Services Information Sharing and Analysis Center; the Financial Services Roundtable; the Credit Union National Association; the American Bankers Association; the Independent Community Bankers of America; and SIFMA. The Sheltered Harbor organization already uses blockchain technology internally to monitor the program, but this doesn’t affect participants, a spokesperson said. The blockchain is proprietary and based on open source code; there’s no vendor involved. Sandeep Kumar, managing director of Synechron, said his company got the idea of building a blockchain for Sheltered Harbor from a custodian bank customer. “Our goal was to demonstrate that emerging tech like blockchain can be used to make it more secure and resilient, which are the two basic goals of Sheltered Harbor,” Kumar said. Synechron’s prototype is based on the Ethereum blockchain. In it, when a financial institution creates or updates a backup file, Synechron’s system will create a hash of it using SSH 256 encryption and a public and private key mechanism. “The financial institution can be guaranteed this cannot be accessed by anybody who doesn’t have access to the network and the public key,” Kumar said. “These hashes cannot be broken unless we are using quantum computing or some very advanced techniques that are not yet invented.” If a bank’s vault were destroyed, the backup at the partner bank would be called into action through the blockchain. Synechron’s Sheltered Harbor prototype runs on Microsoft Azure. But Amazon Web Services or any other cloud could be used, Kumar said. He hopes the groups behind Sheltered Harbor will write Synechron’s technology into their specification.
The concept of using a distributed ledger makes sense, Rubinow said. “With a decentralized approach, there is no single location that becomes a sitting duck for hackers or a single point of failure that could cause the collapse of the whole system,” he said. “I can understand where banks, especially smaller banks that can’t afford the resources to make bulletproof bunkers, would want to come up with a community effect where they cover each other’s backs.” And there are ways to provide decentralized, immutable backup and recovery without using blockchain or distributed ledger, Rubinow said. “What I would say to folks who are evaluating this is, blockchain should be in your consideration set,” he said. “And you should look at other technologies. Then figure out which is the best not only today but for the future.” The system needs to be flexible and able to take advantage of technologies that may become popular in the future. Sheltered Harbor overall has to meet a high bar, Rubinow suggested. “It’s lovely to draw the concept and tell people how it’s going to work, then you have to make it work every day,” he said. “If it doesn’t work every day, it’s not very useful.” There is no unhackable scheme, Rubinow noted. “Whether it’s a hardware or software opening or the weakest of openings, the human being, there’s always a way to compromise a system,” he said. Rubinow also pointed to the need for abundant testing. “I’ve seen too many schemes where people say every backup was successful, every transfer of data was successful, every measurement we have says it works,” he said. “Then when a crisis hits, something isn’t quite right.”