Waking Shark II Pretend Cyber Attack

The Bank of England published findings and lessons learned from a simulated major cyber attack on UK’s financial sector during the 2013 fourth quarter.

The Waking Shark II cybersecurity exercise on November 13, 2013 was based on an intensive attack against the wholesale banking sector by a hostile nation with the purpose of causing significant disruption within the market and infrastructure.

It was meant to examine how firms managed the simulated three-day attack—on technical and business-perspective levels.

Chris Keeling, author of the report from The Bank of England, said feedback from participants was “overwhelmingly positive” in terms of the simulation’s objectives being met, but the test exposed the fact there is no central body to coordinate communication across the different financial agencies during an incident.

“Whilst there was some communication between participating firms and the [financial market infrastructure] and good communication with the authorities, it was identified that there is no formal communication coordination within the wider sector,” said Keeling.

“A number of sector groups are already in place…that provide for a framework for communication amongst their members but there is no cross-sector infrastructure in place currently for communication to other financial institutions outside the core systemic wholesale and retail firms,” he added.

The report concluded there was “significant improvement” in the use of the Cyber Security Information Sharing Partnership (CISP) initiative compared with 2011’s Waking Shark I.

CISP, launched in March 2013, includes a secure virtual information-sharing environment between government and industry partners supplemented by a “Fusion Cell” supported by the Security Service, Government Communications Headquarters and the National Crime Agency, and by industry analysts.

The Waking Shark II simulation was the first time many participants used the system, Keeling said. It’s heavy use highlighted the value of the system but Keeling also reports the use presented “a number of technical challenges” for the Fusion Cell administrator, the Centre for the Protection of National Infrastructure.

Keeling also pointed out a lack of awareness among some dual-regulated organizations to report to both the Prudential Regulation Authority and the Financial Conduct Authority and a “number of participants stated they were unclear as to the process for communication with regulators in the new institutional framework.”

Furthermore, Keeling noted, no one contacted law enforcement. He acknowledged firms may have taken it for granted that law enforcement was aware due to media coverage of the simulation , or they errantly assumed the CISP alerts authorities.

John Yeo, EMEA director at Trustwave, said that while it was “great to see financial institutions taking cybersecurity so seriously,” he questioned the definition of Waking Shark’s cyber attack.

“With so many people and paper-based activity focusing on policies and procedures, this exercise may be more of a logistical planning exercise instead of a simulated practice run,” Yeo said.

Yeo suggested more real-world attack scenarios to “truly test the businesses’ incident response plans.” He also questioned the response when an attack is more subversive and less obvious than a Distributed Denial of Service (DDoS) attack.

“In our experience, the majority of organizations that suffer a breach do not realize for some time that they have been hit, let alone where the attack originated from, and how it works,” he said.

In the 2013 Trustwave Global Security Report, security researchers reveal in 2012 it took about 210 days for an organization to realize it had been attacked.

Keeling admitted the scenario had some “element of artificiality in the issues encountered and the demands of running a three-day scenario in a four-hour session.”