Security experts have welcomed the most extensive cyber threat exercise in two years to test the preparedness of the financial infrastructure to withstand a sustained cyber attack.
In a similar move, New York staged Quantum Dawn 2 in July 2013 to simulate how firms would cope with a cyber attack in markets.
On 12 November 2013, Operation Waking Shark 2 will test thousands of staff at London’s major financial institutions with a simulated cyber attack on systems on which the UK’s financial system depends.
The Bank of England, the Treasury and the Financial Conduct Authority will monitor responses to assess the ability of the UK’s core financial services providers to withstand cyber attacks.
The exercise is designed to test the resilience of UK banks, the stock market and payment providers to identify areas where improvement is needed.
Simulations are likely to test how banks ensure the availability of cash from ATM machines; how they deal with a liquidity squeeze in the wholesale market; and how well firms communicate with authorities and each other, with a particular focus on investment banking operations, according to Reuters.
The seventh financial sector cyber exercise by UK authorities comes amid growing international concern about the safety of financial markets in the face of increasingly sophisticated cyber attacks.
Read more about cyber attacks on banks
In September 2013, Scott Borg, chief of the US Cyber Consequences Unit, said he believed manipulation of international financial markets will be the next evolution of cyber crime.
A recent report from the Treasury said the financial system had a number of potential vulnerabilities, reflecting its high degree of interconnectedness, its reliance on centralised market infrastructure and complex legacy IT systems.
In the light of the report, the Bank of England’s Financial Policy Committee (FPC) has given banks and organisations core to the financial system six months to outline their strategies to protect against potential cyber attacks.
Banks are increasingly being targeted by criminals who target financial systems.
In September, Barclays and Santander were targeted by cyber criminals using a keyboard video mouse (KVM) switch to gain remote control of bank computers.
The Santander attempt was foiled, but £1.3m was transferred out of accounts at Barclays before police tracked down the gang.
“It is vitally important that cyber security tops the priority list for IT departments in the UK’s financial service organisations – so the news that capabilities in the UK will be tested is welcome,” said Dorian Wiskow, client managing director, financial services, Fujitsu UK & Ireland.
“Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures,” he said.
According to Wiskow, CIOs in the banking industry are facing the difficult challenge of securing multi-channel environments, while ensuring customer experience does not suffer.
What is paramount here is that the industry does not overlook or get complacent about security or place it in the ‘too big to fix’ category,” he said.
Barry Shteiman, director of security strategy at Imperva also welcomed the exercise, saying it shows authorities realise that the threat is real, is growing, and is a risk for the UK financial industry.
He said it was important to have a committee planning security controls, cyber attack response steps and a high-level protection plan.
“This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats. This is threat intelligence in its simplest and most effective form,” said Shteiman.
This also means that the government will potentially have a way to regulate and measure the cyber security state based on an educated study of best practices, he said, which will lead to financial information and estates being secured in a much more focused way.
“This is what the PCI Data Security Standard (PCI DSS) has done with credit card companies and clearing houses to lower the risk of a breach. It had an important effect in making sure that every business that wishes to keep credit card information or transact in high volumes, is required to secure itself or be fined,” said Shteiman.
Adrian Culley, ex-Detective with Scotland Yard's cyber crime unit and global technical consultant at security firm Damballa said banks face advanced threats on a daily basis and often face challenges in dealing with these effectively.
“Early detection and containment is paramount, because the fact is that these are complex systems and threats are designed to bypass even the most secure networks. The threat will remain diverse, blended and sophisticated. So must the response,” he said.
Geoff Webb, director, solution strategy at security firm NetIQ, said was it is good to see banks preparing for cyber attacks, they need to recognise that they are already likely to have been breached.
“It might sound alarmist, but given that no firewall can guarantee to keep out all intruders, banks have to assume that cyber criminals are already inside their network,” he said.
According to Webb, the skill of modern cyber criminals lies in the fact that they can be almost indistinguishable from genuine employees.
“Once inside an organisation’s perimeter they immediately aim to elevate their own authorisation levels to those of a privileged employee, using that clearance to steal valuable information,” he said.
For this reason, Web said talking about inside and outside threats to banking security is an increasingly outdated way of thinking.
“Banks have to assume that they have already been breached and as a result need to act accordingly. Operation Waking Shark 2 helps banks to prepare for the external attacks that are happening on a regular basis, but banks need to address the fact that they are likely to have hackers inside their organisation already by monitoring who accesses what and when, looking for tell-tale signs of hacker activity,” he said.
A report on the outcome of Operation Waking Shark 2 is to expected to be released either in December 2013 or early in 2014.