Operation Waking Shark 2

British Banks to put themselves to cyber security test this week

By Dr Guy Bunker.

This week, the UK’s major banks and financial institutions launched the most extensive cyber threat exercise in two years, Operation Waking Shark 2, which tested the collective ability of the British financial system to survive a sustained online attack.

The exercise was designed to test to 'its limits' how Britain’s financial industry would cope with a sustained cyber attack. The test was monitored by the Bank of England, Treasury and Financial Conduct Authority to assess the ability of Britain’s core financial services providers (banks, the stock market and payment providers) to withstand attacks by cyber criminals as well as state-sponsored attacks on the UK. Every high street bank was expected to have taken part in the one-day “war game”, which lasted for a few hours, simulating the impact of a major cyber attack on the payments and market systems on which the UK’s financial system depends.

In a recent discussion I had with a journalist at SC magazine for an article published on Tuesday, the day the attack simulation took place, I spoke about the possible cyber defence tools and attack techniques that would potentially be tested, including denial of service. However, an area that certainly should have been tested, in my opinion, is data modification, changing information on the fly, which is a serious growing threat. While data loss is obviously not good, data corruption can be worse – imagine if an attacker got into your customer database and changed one digit in their telephone number? Or if they changed one digit in a random 10% of the records, every day. How long would it take to discover the problem – and how long to fix it?

Another key point is how we “watch the watchers”. Although advanced cyber technology can be employed to ensure the right information gets transferred to authorised recipients, using techniques such as Adaptive Redaction to ensure that critical information is protected, how can we be assured that the people authorised to monitor and ‘ok’ exceptions are monitored themselves? Having a process which includes an audit of the actions taken is certainly a step in the right direction to address this.

Financial services value chain – attacking the weak point

One important point not to be overlooked is that financial institutions provide a service and rely on collaboration with their customers and suppliers, so this is not just a single-organization or endpoint issue; it’s a supply-chain or value-chain issue. With financial institutions transferring information back and forth with their customers and their partners (including third-party data processors), hackers can seek out the weakest point in the chain in order to target the larger organizations. When looking at this on a global scale, this might mean targeting smaller companies in less secure countries in order to gain entry into the bigger organization or more influential country. Organizations, especially financial institutions, cannot relinquish responsibility for the information they are responsible for, no matter where it is in the value chain.

Global replication of this operation and a unified international cyber security regulation

Crucially, this exercise is a national acknowledgement of a growing threat to the economy and companies, and also of the potential damage that could be incurred due to a lack of ability to defend against cyber attacks. Whilst Waking Shark 2 is certainly a useful exercise, this is a drill which should be reviewed, amended and improved upon; as hackers become more tactical and intelligent, so must we. In many ways this is like a fire drill, or a business continuity / disaster recovery practice – it needs to be repeated over, and over, and over again in order to ensure this defence is as strong as it can be. It should ideally be replicated on a global scale; it’s not until we reach international consensus regarding cyber security regulations that we’ll substantially reduce the risk. The latest instalment to Protect European Data, as outlined in Head of Market Strategy Kevin Bailey’s recent blog, represents steps towards a unified approach, but replication of this simulation on a global scale would undoubtedly face political challenges.