A war gaming exercise began in London recently to test financial institutions’ effectiveness against a range of simulated attacks from cyberspace. It was called Waking Shark II, which sounds very exciting – possibly even entertaining.
So is this simply a cybersecurity department “sports day” for London banks, or perhaps just a public relations stunt? Are banks cyberwar-gaming while our money burns?
Not quite. It has become very unfashionable to defend the financial sector, but that’s precisely what I am going to do.
First and foremost, the problem that Waking Shark II is attempting to address is a genuine one. In years gone by, the main miscreants on the internet were the equivalent of vandals who spray-painted websites and organised attacks that temporarily took websites out of action. This type of vandalism costs some people money, sure, but there are bigger problems to deal with.
Over time malicious activity online has become much more serious, with organised crime, cyber espionage and cyber terrorism all on the increase. To criminals, banks represent a primary target since, as bank robber Willie Sutton so famously observed, they are indeed “where the money is”.
Fast cars and balaclavas
The good news is that banks, in the main, understand cyber security. They were among the earliest commercial adopters of much of the technology that we have come to rely on to secure modern information systems. For instance, banks deployed the Data Encryption Standard (DES) to protect their networks in the late 1970s, long before most industry sectors had even heard of cryptography. Of course, as recent news stories have shown, they don’t always get their cyber security right. But awareness of the scale of the problem is crucial and the financial sector tends to be ahead of the game in this regard.
So what’s the worst that could happen? Thus far, we really don’t know since we have been fortunate enough that major cyber incidents with real impact have been relatively rare. However, as computer systems become increasingly connected and interdependent, the potential impact of a major cyber-attack is enormous. If the money stops flowing then we’re all in trouble.
Once upon a time you needed a balaclava, a fast car, and a fair bit of bravado to rob a bank. Nowadays it is at least theoretically possible to send the stock market reeling with a few remote clicks of a computer mouse.
Here’s the heart of the matter. We do not want to learn how to secure today’s sophisticated financial systems from major cyber-attacks by forensically examining the pieces after such an incident has happened. Smart people, designing smart security processes, are of course one part of the solution.
However with regard to cyber security, there is no substitute for a good road test of processes and procedures, a cyber-security “fire drill” if you like. This is precisely what Waking Shark II represents. Exercises of this type tend to involve simulations of potential attack scenarios within a safe environment that will not affect real systems. While we can’t be sure of the exact format of Waking Shark II, a common methodology during such games is to involve separate teams of attackers and defenders of the system, with the attackers attempting to obtain control of certain resources.
The lessons to be learned from a cyberwar game are considerable, both during, and in the aftermath, of such an exercise. Do the measures the financial industry think they have in place, actually hold out against the types of major cyber-attacks that they could well encounter in the future? This applies not just to the technology that they are using but, perhaps more importantly, to the processes that they have in place, as well as the way that the people implementing these processes react and behave.
The very fact that Waking Shark II is running at all also indicates something very profound about cyber security in the financial sector. Don’t believe anyone who claims that they understand everything about the cyber threats that face contemporary society. This is an area which is experiencing rapid change and we are all learning.
Let the banks play
In order to learn, we first have to share. Organisations have traditionally been reluctant to exchange much information about their own cyber security problems because, perhaps understandably, this is a sensitive subject.
However this is also an area where the financial sector has a better than average record. The participants of Waking Shark II not only learn how to secure their own organisations, but by participating in this exercise they are also adding to the sector-wide knowledge base on cyber security. There is, after all, no point in looking after your own data, if you cannot securely do business with any of your trading partners.
Let the banks play cyberwar games, I say. More organisations should be doing the same. We should all be competing for the highest score.