Financial centres in London and New York are to be hit with a simulated cyber-attack later this month in what could be a case of too little too late.
The exercise is to be the first stage of a Transatlantic cyber ‘war game’ agreed by British Prime Minister David Cameron and US President Barack Obama in January. However, both the length of time taken to initiate the first simulation and its limited scope already reveal an underlying weakness in the US/UK war games strategy.
When the joint strategy was originally launched in January it was in the immediate aftermath of the terrorist attack on the Paris offices of the French satirical magazine Charlie Hebdo. At the time, the US and UK leaders placed the threat of Islamist extremists – in particular the dangers posed by cyber warfare – at the top of their agenda.
The “war game” against the financial sector, which is being carried out with the co-operation of the Bank of England and other financial institutions, is being coordinated by a new joint “cyber-cell” established by the two powers to share information. Agents from the UK’s GCHQ and MI5 and America’s National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have been working in the US division of the cell and in a similar cyber-cell in the UK since earlier in the year.
Both Obama and Cameron were well-briefed regarding the danger of a full-scale terrorist attack on a financial centre such as New York or London. With financial systems, banking machines, power grids and other crucial services all now connected to the internet, a determined hacking attack could quite literally plunge The City of London into the Dark Ages.
Terrorists plan worst-case scenario
For stress testing of this nature, the simulation must not only be accurate but must also attempt to cope with a worst-case scenario, for that is what the cyber terrorists are planning. This means that the testing must be ruthless and take advantage of any conceivable weakness in the financial institutions’ security systems. It is notoriously difficult for organisations to try to penetrate their own defences in this way as they are invariably blind to security flaws they overlooked in the first place.
As long as the banks refuse to employ independent penetration testing services, the kind of simulation planned to hit the City later this month cannot be truly effective. Even at the start of this month, the UK government did not appear to have determined an exact scenario for the exercise. But all the indications are that the initial simulation, at least, will be highly limited in its scope.
According to a spokesman for the UK Government's cyber security body, CERT-UK, an exact scenario for the exercise is yet to be determined: "It is testing how we would react to 'x' scenario, how our colleagues in the US would react, and how we would then co-ordinate communications with each other…There will be no testing of cash machines coming down, banks coming down or anything like that."
Co-ordinating communications between the US and the UK in the event of an all-out cyber-attack would no doubt be useful, but there are more pressing tasks for the City. Some of the banks with a presence in the City of London have what can only be called antiquated digital infrastructure, some of it as much as 15 years out of date. Such outdated software is highly insecure and is open to all kinds of malware attacks.
In the world of banking, the human element is the main weakness in any IT system. Around four-fifths of all cyber breaches can be traced to an internal source. Banks are particularly vulnerable owing to the sheer number of transactions they execute, often involving unknown parties.
City’s cyber defences ‘antiquated’
Added to this is the fact that they deal in money, which makes the City of London a prime target for the world’s organised criminal gangs (OCGs) as well as for terrorist groups needing funds. The large sums transacted mean that the criminals are able to invest in thorough social engineering, planning and software development to create an almost unstoppable cyber-attack. Unfortunately for the City, its financial institutions’ own cyber defences are generally antiquated in comparison to the malware which is now available on the criminal forums of the Dark Web.
But the City has not only small terrorist groups and OCGs to fear; nation states across the globe are now more or less openly preparing for cyber warfare. What would make a first strike offensive doubly crippling is that it can be extremely difficult to trace the source of a cyber-attack of any kind. The aggressor state can easily cover its digital footprints to the point where it can plausibly maintain that the attack must have come from another source. Countries such as China now literally have regiments of hackers on their military strength.
Unless the City bankers start to deploy best practice security software and begin to educate their staff accordingly, they will be in danger of trying to fight a real cyber war with weapons and attitudes that were forged in the last century.
Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe