A Bank of England-sponsored exercise designed to test how well financial firms handle a major cyber attack has uncovered serious communication problems.
The overall results were an improvement on those from the original Waking Shark exercise, which took place in 2011, while still giving plenty of scope for improvement, according to an official report (PDF) on the exercise from the Bank of England.
"The exercise successfully demonstrated cross-sector communications and coordination through the CMBCG [Cross Market Business Continuity Group], information sharing through the use of the CISP [Cyber Security Information Security Partnership] platform and enabled participants to better understand the requirements of the UK Financial Authorities," the report concludes, while adding that banks' communications was hampered by a lack of an overall clearing house (co-ordinator) for cyber threat information.
"Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident," the report recommends.
Other problems identified during the stress-test exercise, which took place over four hours, but was designed to reflect a three day attack involving denial of service and malware elements, included confusion about the (then) Financial Services Authority. "Attacked" banks were criticised for not calling the police, a breach of agreed procedures.
The Bank of England outlined the scenario played out during the simulated attacks – which, contrary to earlier reports, did not test the cyber resilience of high street banks – for the first time.
The scenario was based on a concerted cyber-attack against the UK financial sector by a hostile nation state with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure. Although the impacts caused by the cyber-attacks would have had an international as well as a UK dimension, for the purposes of the exercise, the scope of the exercise was restricted to management of the UK impacts.
The scenario was set over a three-day period the last day of which happened to coincide with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).
The three-day period was broken into phases, playing out various technical and business impacts from the scenario. The scenario examined how firms would manage their response to the cyber-attacks both on a technical level (in particular information-sharing amongst the firms via the CISP tool), and from a business perspective.
Elements of the cyberwar exercise included distributed denial of service attacks "causing the firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently available" as well as APT and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes. All this had knock-on effects on trading and reconciliation systems.
This all looks, at least on paper, to be fairly challenging, yet the exercise was criticised by some banks as not challenging enough. Some participants wanted a greater emphasis on cyber-espionage and malware in future exercises. There were also calls to involve telecom service providers, such as BT, in the exercise.
Adrian Culley, technical consultant at anti-botnet firm Damballa and formerly of Scotland Yard’s Computer Crime Unit, said banks had a long way to go before their malware protections were up to scratch.
“UK Financial Institutions have real active infection inside their networks now, Culley said. "Caphaw is an example of one such very prevalent Advanced Attack, there are many others."
"Despite Waking Shark II there appears to be a disconnect between [Business Secretary Vince] Cable's very timely warning, and banks actually holding accessible, actionable intelligence. How they are planning to ever respond decisively without such intelligence? These bodies are part of UK Critical National Infrastructure, and both active attacks, and the threat of attack, are real. Banks need this information to detect active infections and prevent them becoming breaches. It is clear many of them do not have this.”
Breachaholics encouraged to join 10-step programme
After a summit of regulators and intelligence chiefs on Wednesday, Cable warned of the more widespread vulnerability of Britain's critical national infrastructure to cyber-attack. The regulators - which included representatives from the Bank of England, Civil Aviation Authority, Office of the Nuclear Regulator, Ofgem, Ofwat and Ofcom - were briefed on the threat posed to systems by GCHQ boss, Sir Iain Lobban.
Cable called on regulators to oversee the adoption of more robust cyber security measures. Firms were encouraged to "undertake a self-assessment against the ‘10 steps’; take up membership of the Cyber Security Information Security Partnership, or CISP; manage cyber risk in their supply chains by driving adoption of the HMG Preferred Organisational Standard for Cyber Security."
KPMG security expert Stephen Bonner warned that organisations will reduce the chances of successfully defending themselves, if they continue to act in isolation.
“Fear of damaged reputations or stuttering share prices are major factors behind many organisations’ decision to keep a low profile when their cyber defences have been breached," Bonner, a partner in KPMG’s Information Protection and Business Resilience team, commented. "But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another.
KPMG said the rising number of attacks targeting cyber vulnerabilities presents a growing danger to financial institutions.
"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.” ®