Publications
Partners
London - In the next few months hackers will try to penetrate the cyber defences of Britain's major banks and steal information about millions of customers. But for once they'll be welcome.
Banks are on red alert after cyber criminals obtained details of 83 million clients from JPMorgan Chase this year and Britain's leading lenders have signed up for tests that let teams of certified hackers attack at will.
The cyber war games will mark a major escalation in how banks test defences in a high-stakes battle with criminals.
"It's the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one," said Stephen Bonner, a partner in the cyber security team at KPMG.
Cyber crime costs the global economy $445bn a year and the bill is rising, according to the Center for Strategic and International Studies (CSIS), which said it damages trade, competitiveness and innovation across industries.
Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyber defences. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.
"A defender has to block every possible route of entry and the attacker only has to find one. That's the position the banks are still in, the world is so connected now they have to look in every direction to protect themselves," said Paul Docherty, technical director at Portcullis Computer Security, a consultancy which has been accredited to run the tests.
Attack teams
The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST for handling the growing cyber threat. It includes sharing intelligence from government agencies such as Britain's GCHQ with companies, and encouraging more intense testing of financial institutions.
In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their "attack teams" can infiltrate bank systems.
An "attack team" would typically be four to six people, including a project manager and an attack specialist at the sharp end trying to breach systems. Only a few bank employees will be aware an attack is coming.
"It's taking examples of what we see out in the wilds in the threat landscape and applying those to realistic attack scenarios on financial firms," said Adrian Nish, head of cyber threat intelligence at BAE Systems Applied Intelligence .
CREST, which is responsible for accrediting firms to do cyber security testing in Britain, has approved four firms to run these so-called Simulated Targeted Attack and Response (STAR) services, and more are expected to be accredited soon, industry sources said. Besides Portcullis, BT Group, Context Information Security and Nettitude are the other three.
Britain's biggest banks are among more than 30 financial firms lining up to go through the STAR test.
Raise your game
Pilot tests have begun and the vast majority of institutions are expected to have completed the process by the end of 2015, one of the sources said. The tests will also involve insurance companies, financial exchanges and payments systems operators.
"The financial sector has realised it needs to up its game and this is the logical progress," said Docherty.
The test starts with a vulnerability assessment to spot where risks are and set out a plan to probe those areas. This is followed by security testing, or penetration testing, to try and exploit weaknesses during a process that could take 3-6 months.
Other key infrastructure industries such as energy, telecoms and defence could follow the Bank of England's CBEST plan.
London's Metropolitan Police last month launched a new cyber crime and fraud team that will have up to 500 officers. The City of London police has linked with the New York District Attorney's Office to bolster their defences and next year plan to deploy staff permanently in each other's offices.
CBEST aims to encourage information sharing between government agencies and companies, and between firms - who have been criticised for being slow to share information on dangers.
"For the last 20 or more years hackers, attackers and that community have been sharing information and selling things to each other whilst finding ways to co-exist and grow, whereas industry has been slow to embrace collaboration," said Docherty.
Andrew Gracie, the Bank's of England executive in charge of CBEST, warned in June he would take action against any bank that was inadequately prepared for the cyber threat. Some officials have said banks should face prosecution if they allow their systems to be breached.
