Why we need cyber war games

The US and UK governments plan to conduct a series of cyber “war games” to test each other’s resilience – but will that really do any good?

After a year of high-profile cyber attacks, the US and UK have agreed to set up a joint cyber squad and conduct a series of cyber “war games” to test each other’s resilience – but will that really do any good?

The cyber security industry response has been largely positive and, if anyone should know, it is this community which is responsible for the cyber safety of business organisations around the world.

“This programme has been needed for some time. Vital services already have regular drills against more traditional methods of attack, but with a growing number of cyber attacks on large companies – most recently Sony – the government has recognised the need for far more comprehensive cyber warfare protection,” said Roy Tobin, threat researcher at security firm Webroot.

“These tests will go beyond the normal scope of internal security testing by using custom malware built specifically to try and bring down a particular service.

“This programme will finally test how banks fare in protecting vital infrastructure from these more complex attacks that require a high level of skill from the attacker – for example, targeted attacks such as spear phishing, botnets, distributed denial of service (DDoS) attacks and advanced persistent threats (APTs).”

Tobin said with the threat landscape changing on an almost daily basis, attackers are constantly devising new, more complex techniques to bypass security systems. “Our testing scenarios and defences need to keep pace,” he said.

Other security professionals said the joint exercises will bolster collaboration on cyber security between government, military and business sectors.

Threat to the economy

Although high-profile cyber attacks have raised awareness of the threat of cyber warfare and cyber terrorism among the public, many people still struggle to imagine how cyber conflict could wreak the same havoc as conventional war, according to Andy Settle, chief cyber security consultant and head of practice at Thales UK.

“But as former director of national intelligence Mike McConnell noted, cyber war has the potential to mirror the doomsday nuclear threat – less in the physical sense, but in terms of the economic and psychological effects. The threat posed and potential consequences go beyond one sector’s scope to deal with it effectively. This is why the process for dealing with these threats must take a collaborative approach between the government, civilian world and the military,” he said.

Darren Anstee, director of solutions architects at Arbor Networks, said anything that focuses organisations on their incident-handling processes and capabilities is a good thing.

“The more these are used and tested, the better our people and processes – and thus our defensive capabilities – become,” he said.

The first in the series of joint US-UK cyber testing exercises will be simulated attacks on the City of London and Wall Street amid growing fears about the vulnerability of the financial sector.

Cyber security professionals agree this is a good place to start.

Risk to financial sector

“As the sophistication and regularity of cyber attacks continue to increase, it has never been more important for organisations to have robust cyber defences, and this is particularly important in the financial services sector, with personal data and highly confidential information at risk of falling into the wrong hands,” said Robert Norris, director enterprise and cyber security, Fujitsu UK and Ireland.

According to Norris, research commissioned by Fujitsu revealed that only a third of financial services organisations are “very confident” that they would be able to guarantee security measures in the event of an IT failure.

“Clearly there is a need to address these issues to ensure the finance industry does not fall victim to significant cyber attacks. The collaboration between the US and UK will bring together companies at the forefront of the cyber security industry to share knowledge, skills and technologies which will help to address these growing threats and strengthen the defences already in place,” he said.  

An attack on a country’s financial sector could lead to disastrous consequences around the world, with staggering effects on markets, said Andy Settle of Thales UK.

“To this end, it is promising to see that the first drill is targeting the City of London and Wall Street, taking clear precautions to ensure the security of these countries’ economic infrastructure,” he said.

UK and US joint exercises

Settle said the new round of cyber resilience testing will build on the successes of collaborative cyber conflict simulations, which have been a regular occurrence between the UK and the US for nearly 10 years.

“US exercises, such as Cyber Flag and Cyber Guard which take place every year, have been a crucial factor in developing qualified responses to cyber attacks,” he said.

Other cyber security professionals welcomed the focus on the cyber defences of critical national infrastructure.

“With the majority of their critical national infrastructure running on connected networks, these industries cannot afford to take any liberties,” said Ross Brewer, vice-president and managing director for international markets at LogRhythm.

“The last couple of years have shown it really is a case of when, not if, they will be targeted, and by using the most sophisticated techniques, the US and UK crime agencies will be able to expose any existing weaknesses. Businesses will no longer be able to cross their fingers and hope that their ill thought-out or inadequate security strategies will be sufficient,” he said.

Window dressing?

Despite the general support for the cyber war games in principle, some have expressed concern that the initiative may be little more than window dressing aimed at allaying concerns about cyber attacks.

“Technical teams need to be given the freedom, resources and time to ensure this is more than just a public relations exercise,” said Chris Boyd, malware intelligence analyst at security firm Malwarebytes.

“Today's advanced attacks are carried out by creative, skilled teams who are not burdened by the limitations of Government bureaucracy, something which needs to be replicated for such an initiative to flourish.”

Richard Cassidy, European technical director at Alert Logic, said the success of the exercises will depend on how the information about the lessons learned is shared.

“The goal has to ensure better security posture of the targets and raised awareness across the industry of the real danger organisations face in today’s light-speed evolving threat landscape,” he said.

Cassidy said that, like all security best practice, organisations need to assess and assure their environments constantly against the latest threats and compliance mandates.

“The war games are a great start but, without repeated activity – not just by government-led bodies, but by businesses themselves – it can be a case of ‘batten down the hatches’ for the storm and focus moved elsewhere until the next event, but this would be missing the point entirely,” he said.

Security agency collaboration

Ross Brewer of LogRhythm said sharing of intelligence between MI5, GCHQ and the FBI will be key to the initiative’s success.

“While in the UK we have seen the Waking Shark exercise and the Bank of England employ ethical hackers to test its infrastructure in recent years, it is only worthwhile if the lessons learned are acted on and shared with a wider audience. It doesn’t matter which industry you are in, or which country you live in, it’s still us against the bad guys,” he said.

Brewer said many industries are still failing to take a proactive approach to cyber security.

“Businesses need to be constantly prepared for an attack and any of those in this programme who aren’t doing this should expect to be exposed,” he said.

Darren Anstee of Arbor Networks said the fact that determined, well-resourced and persistent attackers will usually find some way into an organisation means the speed with which an organisation’s tools and processes enable it to detect and contain a problem is becoming increasingly important.

And, although data breaches can have a devastating impact on businesses, the risk of cyber attack is not an unmanageable one, said Richard Horne, cyber security partner at PricewaterhouseCoopers (PwC).

“While attacks are becoming more sophisticated, so too are defences. With focused investment, preparation and the right skills, companies can defend themselves by both preventing the vast majority of breaches, and reacting rapidly and appropriately when incidents do happen,” he said.

But, due to the global nature of cyber risk, Horne said collaboration between the UK and the US is paramount to combating the threat.
