Bank of England Warns on Cyber Threat to Markets

The Bank of England
Waking Shark II is the latest in a series of simulations that the BoE has participated in over recent years.

Held on November 12, 2013, Waking Shark II simulated a three-day attack event from a hostile nation state over a four-hour period. Fourteen financial services firms took part in the exercise, as well as six infrastructure providers, regulators, such as the UK Financial Conduct Authority and the Prudential Regulation Authority, and UK government agencies. The event was similar in structure and objectives to Quantum Dawn II, a cyber exercise held in the US by the Securities Industry and Financial Markets Association last year.

Scenarios included distributed denial-of-service (DDoS) attacks, as well as computer-wipe intrusions and failures in payment services, market data provision, clearing, and other areas. The report finds that market participants generally responded well, with good communication and collaboration, although it expressed concern over the lack of a single body that would coordinate efforts in the event of an actual attack.

"It was noted that there is no central industry coordination for financial sector information sharing and communication to the wider public, and it was suggested that consideration should be given to allocating this role to a single coordination body from the industry (possibly the British Bankers' Association) to manage communications across the sector during an incident," said the BoE. "A number of the participants stated that they were unclear as to the process for communication with regulators in the new institutional framework, and some dual-regulated firms were unaware that notification to both regulators was a requirement."

The report says that the Cybersecurity Information Sharing Partnership (CISP), a platform co-designed by the government and the industry to provide a secure virtual environment for collaboration during an attack, performed well. Use of the Fusion Cell program, which links UK security services with affected institutions, also went well, although those running it had technical issues due to managing multiple environments.

Next Steps
The BoE highlighted that, as a simulation, the event had a degree of artificiality to it, and market participants also said that condensing the exercise to a four-hour period affected it strongly, although many would be repeating the exercise internally. Recommendations for the future included broadening the exercise to include cross-border issues and foreign participants, to increase the stress of the attack, and focusing on other attack vectors more than DDoS.

"The financial services industry is large, with a broad attack surface; as such, exercises such as this are an important element for testing if inter-agency and inter-institutional cooperation even exists - and if so, how good that cooperation is," says Joram Borenstein, vice president of marketing at Nice Actimize. "The US and UK financial services industries have run numerous such exercises in the past but the cross-border communication has not been a focus of most such exercises. Since the threat from an adversary is an international one, it would be wise in the future to consider how to enhance the cross-border nature of such exercises."

Defense Concerns
In the report, the BoE also suggested inviting service providers, such as BT, to future events. British authorities have become increasingly concerned about preparedness for cyber threats, with the UK Financial Policy Committee telling firms in 2013 that they have a year to come up with a competent defense strategy against an attack. The government is said to be concerned with the degree of legacy systems in British banking's IT environments, as well as the level of reliance on market-infrastructure utilities.

"Critical to defense in depth is the ability to analyze huge amounts of data and run sophisticated models that can pull together all the pieces of evidence to automatically identify where threats may exist, and then rapidly deploy the cure," says David Porter, head of fraud analytics at SAS UK and Ireland. "With the cyber attacks becoming ever more sophisticated, the race is on to ensure the defences do not become rigid, but can quickly adapt and evolve; nobody should want to build a cyber Maginot Line."

The Bottom Line

  • While the financial services industry in the UK has improved its ability to react to a cyber attack dramatically, the report finds that more work could be done.
  • The interconnectedness of markets, both in terms of asset classes and non-UK entities, should also be considered for future exercises.
  • Defense against cyber attack is a tricky area. A more thorough understanding of data, and education around cybersecurity among businesses, is needed.
