TECH
12/11/2013 06:11 GMT | Updated 23/01/2014 18:58 GMT

British Banks Stage 'Cyberwar' To Test Security Defences

Getty
City Of London General View Cityscape, London, United Kingdom, Architect Architect Unknown, City Of London General View Cityscape Landscape View Of City With 30 St Mary Axe And The Lloyds Building. (Photo by View Pictures/UIG via Getty Images)

Britain's banks are engaging in a make-believe "war" as part of a massive test of their defences against cyber attack.

What could go wrong?

The simulation - dubbed Waking Shark II - is set to be one of the largest of its kind in the world, involving teams of staff from dozens of banks and other City institutions and overseen by officials from the Bank of England, the Treasury and Financial Conduct Authority.

Details of the exercise have been kept under wraps, but it is expected to concentrate on how banks cope with a sustained attack, in particular focusing on investment banking systems, such as clearing and risk management tools.

Credit Suisse is understood to have designed a scenario that will mimic a real-time threat, with firms hit by a barrage of announcements and attacks on computer systems, also involving social media.

It is thought the test will be co-ordinated from one room, with staff from financial firms interacting with each other, Government officials and regulators as the crisis unfolds.

But teams of staff across the offices of financial firms are also expected to take part as the exercise plays out.

It comes amid growing fears over internet attacks and the ability of the UK banking system to protect itself.

The Bank of England's Financial Policy Committee (FPC) warned recently that there were a number of "potential vulnerabilities" in the system and called on financial institutions - including the Bank - to draw up plans for protection as a priority.

The UK's banking sector is particularly at risk due to old and complex IT systems, as well as a high degree of interconnectedness and its reliance on centralised infrastructure, such as payment systems and clearing houses.

The last cyber threat exercise - the original Operation Waking Shark - is thought to have taken place in 2011 under the watch of the former Financial Services Authority, testing responses to an attack at a time of increased demand, then using the London Olympics as a scenario.

Andrew Wingfield, partner at law firm King & Wood Mallesons SJ Berwin, welcomed a "proactive" test on the resilience of bank security infrastructure.

He said the risk of online attacks was increasing as customers move from traditional banking services to technology, data, communications and social media services.

David Emm, Senior Security Researcher, Kaspersky Lab added in a statement:

"These kinds of exercises provide a good opportunity to put people and organisations through their paces, much like the army does when practising manoeuvres. They can never be a substitute for a real-life attack. But they can however force people to think about the situation they are faced with and what they would do in that very moment.

What happens in the aftermath of such training programmes is also important: it’s essential for participants to examine how the scenario played out and what lessons can be learnt for the future. It is important for organisations in all sectors to look at the risks cyberthreats pose and iron out their own individual scenarios for dealing with an attack."