The second Waking Shark stress test exercise has been deemed a success, with participants calling for stronger attacks next time.
The exercise, which was held on Tuesday 12th November 2013, was designed to follow up and reinforce the lessons learned from previous cyber exercises and to reflect the continued evolution of the nature, intensity and sophistication of cyber threats over the past two years. It was conducted between 14 firms, six financial market infrastructure providers, the financial authorities (including the Bank of England, the Prudential Regulation Authority, the Financial Conduct Authority and HM Treasury) and Government agencies, with 220 attendees.
The exercise was held over three days and included: DDoS attacks; targeted and PC wipe attacks that penetrated the firms’ networks for disruptive and destructive purposes; issues with end-of-day market data pricing files for some equities markets; issues with Central Counterparty Clearing processes for fixed income; and issues associated with processes used to instruct payments through agent banks and manage balances in accounts at agent banks.
The results, published today, showed a “significant improvement” on the first Waking Shark exercise, and communication and information sharing was “generally good” throughout. However, it was noted that there is no central industry coordination for financial sector information sharing and communication to the wider public, and it was suggested that consideration be given to allocating this role to a single coordination body from industry (possibly the BBA) to manage communications across the sector during an incident.
Participants also said that they were unclear as to the process for communication with regulators in the new institutional framework, while others claimed that the attacks “could have been more technically challenging with greater market stress over a longer period”. It was also recognised that the size of the audience, and possibly the presence of the regulating authorities, did tend to stifle the discussion.
The information sharing platform CISP (collaborative information sharing platform) was heavily used during the exercise, truncating three days of activity into a few hours. The results said that this highlights the value of the facility in identifying and responding to a cyber event, and also the amount of work required from the Fusion Cell in managing the information.
As a result, the platform will continue to be enhanced to facilitate the timely and secure exchange of information amongst the members.
Commenting, Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team, said that the fear of damaged reputations or stuttering share prices is a major factor behind many organisations’ decision to keep a low profile when their cyber defences have been breached.
“When anyone is under attack it’s always too easy to get caught in the moment and focus on self defence, but the onus must be on collaboration. Rather than hide when things go wrong, they should inform those that need to know – doing so will put attackers on the back foot and ensure partners and suppliers can take the necessary steps to ensure waking sharks are put to sleep,” he said.
“The fact is that the rising number of attacks shows that cyber vulnerabilities must be taken seriously. We’ve seen requests for help more than doubling in the past 12 months, suggesting that the recognition is there, but awareness doesn’t equal resolution. Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.”
For future exercises, it was suggested that attacks against retail organisations should be considered, that participants be given information on what the “victims” would experience, and that shorter, more focused exercises on specific issues be considered.