A Bank of England-led exercise aimed at testing the resilience of UK banks’ cyber defences has highlighted concerns over information-sharing during a real attack.
A report into the findings of ‘Operation Waking Shark II’ has now been published, detailing the four-hour exercise which sought to replicate the effects of a state-sponsored cyber attack on the UK financial sector.
The event took place on 12 November 2013 and involved 12 retail and investment banks, six infrastructure providers and a number of regulators and government agencies.
The report claims that Waking Shark II, which follows a similar exercise last year, was largely a success, but warns that more needs to be done to improve sharing of technical information during a major cyber attack.
“While there was some communication between the participating firms and [financial market infrastructure providers] there is no formal communication coordination within the wider sector,” the report read.
The Bank of England recommends that a “single coordination body” is established to manage communications during an incident, with the British Bankers Association tipped to take on the role.
The report also noted that communications between banks and other parties have improved in comparison to the previous year’s test, partly through use of the government’s Cyber Security Information Sharing Partnership (CISP) platform, launched in March 2013. CISP is supported by the government’s cyber attack monitoring team, known as Fusion Cell, which connects the expertise of GCHQ, MI5 and Government to the business community.
Other issues highlighted by participants included a lack of central industry coordination for communicating information to the wider public in the event of an attack, and the need for banks to ensure that all major incidents are quickly reported to relevant regulatory bodies.
Financial institutions are increasingly the targets of distributed denial of service attacks, as cyber criminals attempt to manipulate markets and lower share prices, according to a report released today from Prolexic Technologies.
Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team, commented that banks must recognise the need to quickly communicate in the event of a major cyber attack, rather than attempting to deal with the situation internally.
“Fear of damaged reputations or stuttering share prices are major factors behind many organisations’ decision to keep a low profile when their cyber defences have been breached. But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another,” he said, adding that "only by standing as one can they avoid being breached".
“The fact is that the rising number of attacks shows that cyber vulnerabilities must be taken seriously. We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.”
In related news today, business secretary Vince Cable announced requirements for companies that supply the UK’s critical services, including finance, telecoms and energy sector firms, to adopt robust cyber security measures and to work with government on addressing cyber risks.