Skip to main content

Operation Waking Shark 2: UK banks to simulate massive cyber-attack

Every major bank in the UK will next month participate in a "war game" to test their ability to deal with a crippling cyber-attack. The Operation, dubbed "Operation Waking Shark 2", is tabled for mid-November, and will test the banks' ability to defend their assets, to communicate amongst themselves, and to protect the stability of the UK's financial system.

The exercise comes two years after the original Waking Shark exercise, which was launched by the now-defunct Financial Services Organisation (FSO) in order to steel banks against the "the increasing frequency, intensity and sophistication of electronic attacks upon the IT systems of firms operating in the financial sector."

Waking Shark 2 will go one step further, simulating a "very severe" attack on the UK financial system. An attack of this kind could be launched by state-sponsored hackers in the event of a wider conflict, and the exercise goes hand in hand with the recent announcement of the MoD's plans for a Joint Cyber Reserve Force staffed by reservists.

Ashley Stephenson, CEO of Corero Network Security called the exercise "a welcome step forward in the fight against cyber crime". However, he went on to say that the exercise will have limited success unless organisations can "demonstrate that they can deal with the attack whilst maintaining regular services".

"For the most part, recently disclosed attacks against banks have largely been the result of Distributed Denial of Service attacks launched by hacktivist groups, which are publicly a visible inconvenience to customers. However, a more significant disruption to critical financial services such as the stock market or the Bank of England from a cyber-attack could have a far wider impact on the industry and country as a whole."

John Yeo, EMEA Director at Trustwave, saw a different side to the exercises.

"It is of concern that the FPC feels these need to be ordered in the first place," he told us, "as one would have expected that all financial institutions should have robust and far-reaching incident response plans already in place."

The test has been designed by an outside consultant. The Financial Policy Committee (FPC) has in the past warned banks many times about the need for more robust industry defences. It has now ordered regulators to come up with "action plans" that assume a cyber-attack could take place as soon as early 2014.

The results of Operation Waking Shark 2 will be used to dictate cyber defence policy going into 2014. The disclosure of the test comes a week after Iranian hackers managed to breach the Navy Marine Corps Intranet, the largest internal computer network in the world.