Nathan Howard/Bloomberg/Getty Images
The US Treasury building in Washington, DC, US, on Saturday, June 3, 2023.
New York CNN  — 

The federal government is teaming up with Wall Street in a new cybersecurity alliance aimed at defending the US financial system from a nightmare attack and deterring hackers from even trying, according to a letter sent to bank CEOs by a senior Treasury official and viewed by CNN.

The new public-private partnership, dubbed Project Fortress, underscores the real danger US officials and bank executives believe cyberattacks pose to the economy.

“The message to bad actors who want to use cyberspace to go after US financial institutions is: We are watching, we are protecting the system and we will come after you if you go after the US financial system,” a US official told CNN.

Project Fortress includes protective measures such as a new cyber hygiene tool that automatically scans companies for vulnerabilities and a new automated threat feed, according to the letter, which was sent to bank trade groups earlier this week.

But Project Fortress is not just about playing defense.

Deputy Treasury Secretary Wally Adeyemo said in the letter that the alliance also includes “offensive actions” that employ Treasury’s national security tools as well as US law enforcement to “make clear to our adversaries that they will face consequences for their attacks.”

Those national security tools include deploying Treasury’s sanctions team, a person familiar with the matter told CNN.

Project Fortress has been in the works for several months, with Treasury rolling out various parts of the alliance in pieces, the source said.

Treasury Secretary Janet Yellen and Adeyemo discussed the new cybersecurity alliance with bank CEOs during a meeting Wednesday afternoon, a second person familiar with the matter told CNN.

The top two Treasury officials huddled in Washington with the Bank Policy Institute’s board members, which include JPMorgan Chase CEO Jamie Dimon, Bank of America CEO Brian Moynihan and Citigroup CEO Jane Fraser.

Disruption risk is a ‘danger’

One of those bank bosses in attendance, BNY Mellon CEO Robin Vince, told CNN he is “proud to be an early adopter” in Project Fortress.

“Anything that is a disruption risk is a danger and needs to be defended against,” Vince said in a phone interview.

Vince stressed that investing in resilience, including a strong cyber defense, is good for business and that maintaining a very strong financial system is a “shared” responsibility among both the private and public sectors.

“There has always been fraud and crime. In the past, it might have been a stagecoach robbery. This is the modern-day equivalent,” Vince said.

Federal Reserve Chair Jerome Powell has said cyberattacks are the biggest danger to the global financial system — even greater than the lending and liquidity troubles that set off the 2008 financial crisis.

Wake-up call for Washington

The cyberattack last year against the New York arm of the Industrial and Commercial Bank of China (ICBC) served as a wakeup call to US officials. That hack created ripples on Wall Street, disrupting trading in the extremely important US Treasury market.

Worse, there are signs that the hack could have been stopped with better information sharing.

A source familiar with the matter confirmed to CNN that the ICBC hackers exploited three vulnerabilities that had been previously flagged to US officials.

One of the key elements of Project Fortress is the cyber hygiene tool run by the Cybersecurity and Infrastructure Security Agency (CISA).

According to the Treasury letter to bank executives, banks can opt into this feature, which will automatically “scan firms for significant cyber vulnerabilities” and provides an update to companies tailored to their own vulnerabilities.

More than 800 financial sector participants have already signed up for the CISA cyber hygiene tool, a person familiar with the matter told CNN.

Importantly, this feature is free for banks to join. That could be particularly helpful to small and regional banks — many of which are struggling due to real estate and interest rate troubles.

These smaller lenders typically don’t have the financial resources that the biggest banks do. JPMorgan has said it is investing $15 billion a year and employing 62,000 technologists in part to defend against cyber crime.

“We know we have historically been oriented towards supporting larger critical infrastructure institutions,” Adeyemo wrote. “Through Project Fortress we made sure that our options support every financial institution – large or small – including community banks and credit unions.”

Information sharing

Project Fortress also includes an information-sharing program, known as the Automated Threat Information Feed, that gathers indicators from US agencies, international partners and participating financial firms.

“By pooling together this information in an open-source feed, we can detect threats far better and far more quickly,” Adeyemo told bank executives in the letter.

The federal government has recently flexed its offensive capabilities, including ones that are part of Project Fortress.

Earlier this week, US officials and allies announced sanctions and criminal charges against a 31-year-old Russian man alleged to be the mastermind of LockBit, a ransomware gang that extorted $500 million in payments from thousands of victims.

Interestingly, US and European law enforcement agencies used LockBit’s own websites to taunt its members and even set up a countdown clock promising to reveal the gang’s ringleader.

- CNN’s Sean Lyngaas contributed to this report