July 3, 2019

The national security risk no one is talking about

By CHRISTOPHER A. IACOVELLA

Today’s security threats continue to evolve as foreign adversaries and cyber criminals work tirelessly to influence U.S. elections, target and breach our country’s largest companies, and steal the sensitive personal information of the American people.

The government’s responsibility to protect us from external threats is as important today as it’s ever been. President Trump’s national security strategy reaffirms this guiding principle by stating “[o]ur government's first duty is to its people, to our citizens — to serve their needs, to ensure their safety, to preserve their rights, and to defend their values.”

Policymakers in Washington are modernizing our national security defenses to address today’s growing threats. But a little-known government data collection initiative at the U.S. Securities and Exchange Commission (SEC) threatens to undermine these efforts by creating a target-rich environment for cyber criminals and state actors, such as China, to steal the personally identifiable information (PII) of every American who has money in the stock market. PII includes your name, address, date of birth and financial account information.

After the 2010 stock market “Flash Crash,” the SEC required broker-dealers, trading venues and stock exchanges to report all stock trades and customer information to a single database, known as the Consolidated Audit Trail (CAT). While the SEC argues this expansive new database would allow it to analyze market events more quickly, it never considered the national security risks of storing the PII of every American investor in a central location.

Preventing fraud and manipulation in our markets is very important, and we don’t oppose the creation of the CAT to achieve these goals. We do, however, believe this can be done without collecting the PII of every American investor and serving it up to America’s adversaries in a single all-you-can-steal database.

Our concern is justified by the numerous high-profile cyber-attacks at corporations and government agencies across the U.S. Even the National Security Agency was hacked when Chinese agents stole NSA cyber tools so they could re-deploy them against U.S. targets.

A recent U.S. Intelligence Community “Worldwide Threat Assessment” report warned that “[o]ur adversaries and strategic competitors will increasingly use cyber capabilities – including cyber espionage, attack and influence – to seek political, economic, and military advantage over the United States.” The report concludes that adversaries, including China, will “increasingly use cyber operations to threaten both minds and machines in an expanding number of ways—to steal information, to influence our citizens, or to disrupt critical infrastructure.”

Secretary of State Pompeo also warned that the Chinese are using cyberattacks to obtain information on susceptible Americans in order to recruit them as double agents. When foreign adversaries openly use this kind of warfare to advance their political agenda, the U.S. government must do everything in its power to protect its citizens from the threat they pose.

Leaders on both sides of the aisle, including Sens. Chuck Schumer (D-N.Y.) and Marco Rubio (R-Fla.), believe China is playing a zero-sum game and is willing to win at all costs. FBI Director Wray put a fine point on that belief, saying China is “determined to steal its way up the economic ladder at our expense.” Hacking into the CAT may represent an opportunity that is too good to pass up.

The SEC has been hacked before, and it knows the CAT will put the PII of millions of American investors at risk. The Chairman said “[w]e expect we will face the risk of unauthorized access to the CAT's central repository and through such access, intruders could potentially obtain, expose and profit from the trading activity and PII of investors and other market participants.” This disclaimer is pointless to the millions of Americans who could have their identity stolen and their lives ruined.

From the halls of Congress to our nation’s highest law enforcement and intelligence agencies, it’s clear the cyber threat China poses to America cannot be ignored. It’s time for the SEC to do the right thing.

American savers and retirees across the country and across party lines overwhelmingly agree that now is the time for leaders in Washington to stop this misguided course of action. The agency can protect American investors and maintain confidence in our capital markets without creating a one-stop-shop for cyber criminals that risks our national security.

Christopher A. Iacovella is the chief executive officer of the American Securities Association.