In the days following the massive breach of JPMorgan Chase’s computers last summer, the bank’s security chief, James Cummings, rarely left his operations center in its Manhattan headquarters. He directed a select group of colleagues to search for links to the Russian government. There was little evidence of a government tie, especially so early in the investigation, but Cummings, a former head of the U.S. Air Force’s cybercombat unit, was confident they’d find more.

Convinced that it faces threats from governments in China, Iran, and Russia, and that the U.S. government isn’t doing enough to help, JPMorgan has built a vast security operation and staffed it increasingly with ex-military officers. Soon after joining the bank in early 2014, Cummings helped hire Gregory Rattray—like Cummings, a former Air Force colonel—as chief information security officer. Together the men oversee a digital security staff of 1,000, more than twice the size of Google’s security group. To make it easier to woo military talent, the bank built a security services facility in Maryland near Fort Meade, home of the National Security Agency.