Waking Shark II report

by Mark Rowe

The Bank of England published the findings of the Waking Shark II exercise, which tested the wholesale banking sector’s response to what the central bank terms a sustained and intensive cyber-attack.

Waking Shark II, held on Tuesday, November 12, 2013, was organised by the Securities Industry Business Continuity Management Group. In its scenario a cyber-attack caused disruption to wholesale markets and the financial infrastructure supporting those markets: namely DDoS attacks, causing the firms’ global websites and certain other internet-facing systems to be unresponsive, and ‘APT and PC wipe attacks that penetrated the firms’ networks’.

The report admits that in any cyber-attack, retail parts – that is the high street – of the firms’ businesses would also be affected. This would result in what the report terms ‘significantly greater media pressure’.

One of the lessons afterwards concerned communication: although there was some communication between the participating firms and the financial market infrastructures (FMIs), and good communication with the authorities, the exercise identified that there is no formal communication coordination within the wider sector. Nor did some of those taking part know how they were meant to inform regulators.

About 220 people took part in the four-hour session, which covered a three-day scenario. They came from investment banks, financial market infrastructure, the financial authorities such as the Bank of England, and government such as HM Treasury, but not law enforcement. Yet as the report pointed out, the types of attack witnessed during the Waking Shark exercise would constitute a criminal offence. The exercise tested the communication between firms, and between firms and the authorities, and aimed to improve understanding of the impact of a cyber-attack on the participants and the wider financial sector. According to the report, many of those taking part intend to re-use the scenario to run internal exercises. The scenario was set over a three-day period, the last day of which happened to coincide with “Triple Witching” (when contracts for stock index futures, stock index options and stock options all expire on the same day).

The Bank of England and other financial authorities will continue to work with the sector to test collective resilience to cyber-attack. The exercise supports the recommendation by the Financial Policy Committee to improve and test resilience against cyber-attacks. The report suggests that considerable progress has been made since the previous exercises in 2011. For the ten-page report visit the bank’s website – http://www.bankofengland.co.uk/financialstability/fsc/Documents/wakingshark2report.pdf

Comment

Richard Horne, cyber security partner at the audit firm PwC, said: “The Government’s initiative in highlighting the risks to critical national infrastructure from digital attacks is welcome. Providers of critical infrastructure need to have strong cyber security defences to match the growing threats that we see. Industry and regulators need to work together not just to raise that capability but also to understand and manage the increasing levels of connectivity and interdependence between organisations. Communication and cooperation are critical and, as today’s report on the Waking Shark 2 exercise shows, the CISP (Cyber security Information Sharing Partnership) platform can play an increasingly important role in helping to identify and communicate threats to industry sectors and also facilitate a coordinated response in times of crisis.”

KPMG warned that organisations will reduce their chances of successfully defending themselves if they continue to act in isolation.

Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team, said: “Fear of damaged reputations or stuttering share prices are major factors behind many organisations’ decision to keep a low profile when their cyber defences have been breached. But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another.

“Organisations may like to think of themselves as impenetrable islands, but the reality is that, with so much data stored – and so many relationships managed – online, they are bridged together and only by standing as one can they avoid being breached. When anyone is under attack it’s always too easy to get caught in the moment and focus on self defence, but the onus must be on collaboration. Rather than hide when things go wrong, they should inform those that need to know – doing so will put attackers on the back foot and ensure partners and suppliers can take the necessary steps to ensure waking sharks are put to sleep.

“The fact is that the rising number of attacks shows that cyber vulnerabilities must be taken seriously. We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.”
