US and UK play war games as banks try to get their act together on hacking


The financial institutions of the City of London and Wall Street are to take part in a series of “war game” exercises aimed at testing their resilience to cyber attack. The announcement comes as prime minister David Cameron travelled to the White House to discuss with president Barack Obama closer UK-US intelligence and cybersecurity cooperation.

Recent months have seen criminal hackers raising the bar in the scale and destructiveness of cyber-attacks, with two strikes. One was believed to be politically motivated, bringing down Sony Pictures' networks over the film The Interview, which mocks North Korean leader Kim Jong-un. Another was religiously motivated, as Islamists humiliated the US military by hijacking its CENTCOM Twitter account.

Hacking social media channels is one thing, but it’s only a matter of time before a major institution such as a bank or government service is brought to its knees by an online onslaught.

What effect would this have on the economy unfortunate enough to be on the receiving end? Financial services sectors across the world are constantly enduring – and just about surviving – cyber-attacks. But a major breach in any one part of a bank’s critical network infrastructure could cause it to fail, setting in motion a potentially devastating ripple effect throughout the markets.

The key is public confidence: no one wants to see a repeat of the run on Northern Rock in 2008, with queues and cash machines. “How safe is my money?” is the question that immediately occurs to those at other banks. Were any financial institution to fall to a cyber attack, we would see a run on banks, with an economic slump following not far behind.

In fact, when the Associated Press had their Twitter feed hijacked with a fake tweet posted reporting the bombing of the White House, within minutes the Dow Jones industrial average plunged 143 points. Imagine the economic effects of a genuine strike.

Even something as straightforward as a denial-of-service attack can shut down the networks running cash machines for days at a time, as happened in South Korea in 2013. Three of the country’s major banks were paralysed by an attack which many suspected originated in neighbouring North Korea.

Despite a recent push to flag up the importance of cybersecurity matters at board level, banks are still not especially well prepared for even this sort of attack at the periphery – never mind one that goes for the jugular. The Bank of England launched its CBEST framework last year to help finance houses identify vulnerable areas. But there need to be mandatory tests right across the sector, in the same way that banks have had to pass a “stress test” to check their financial resilience.

Banks would be wise to focus more on the human element involved in cyber-security, and not just pile resources into technical safeguards, as attacks leveraging human error or ease of manipulation are increasingly common and effective. Most employees, without proper training in the “cyber-hygiene” required at work, are a significant weak link. And beyond this, in most cases only a small number of people in the organisation are sufficiently expert in cybersecurity issues – a problem that doesn’t just affect banks.

There’s a very real possibility of this new threat, economic cyber-terrorism, emerging: intimidation from state-sponsored attacks, terrorist cells keen to highlight their sophistication, or a malicious insider at an organisation. Our financial institutions have to be ready when they find themselves in the crosshairs.