Waking Shark II: a curate’s egg?
The findings from Waking Shark II, published in February, make good reading but continue to raise some big issues, some of which were aired before the Desktop Cyber Exercise even took place:
* A director from Securedata questioned whether the goal of the exercise was clear and suggested that it was principally an attempt by government to gain some positive publicity.
* A Partner from PwC emphasised the need for detailed cross-industry technical work and testing to develop meaningful containment and recovery plans.
* The International Markets MD at LogRhythm emphasised the need for 24/7 monitoring of all network activity as the best defence against cyber attack.
* The COO of Corero Network Security advocated more and better information sharing to develop a knowledge pool on how to protect against them.
* The cyber security Director at McAffee emphasised the need for government intelligence agencies to be involved to thwart hackers.
(Source: Computer Week, 12 November 2013)
So, who catalysed the event, how did it play out and what did the participants think of it?
Drawing freely on the report and its appendices, written incidentally by Chris Keeling, a security consultant from Keystone Resilience:
‘The Waking Shark II exercise, held on 12 November, was designed to rehearse the response of the wholesale banks sector, including investment banks and key financial market infrastructure, in working together to understand and minimise the impact of
a cyber-attack on the sector, not to test individual firms’ cyber response mechanisms.’
It appears to have been a pretty impressive piece of logistics:
220 participants including participants, observers, experts and the facilitation team.
- 14 Firms (wholesale including RBS, JPM, HSBC, Goldman Sachs, Deutsche)
- 6 Financial Market Infrastructure (FMI) providers including LCH Clearnet, SWIFT, CLS, CHAPS)
- Financial Authorities including the Bank of England including the Prudential Regulation Authority, the Financial Conduct Authority and HM Treasury
- 9 Support/Expert agencies including BBA, BT, Cyber Security Oprerations Centre)
The simulation, run over about 6 hours, was designed with inputs from many stakeholders:
– 31 on the Scenario Design Group.
– 12 on the Planning and Facilitation Group.
The exercise was run in three phases, with four paper ‘injects’ detailing of the events that the firm was experiencing, plus periodic media ‘injects’, TV bulletins, web pages and Twitter comments.
‘The participants were then given between 20 minutes and half an hour to discuss the impact to their firm resulting from the injects and interact with the other participants (including Firms, the FMIs and the UK Financial Authorities) as appropriate.
In addition, information could be posted to the CISP platform that provided all participants with an overview of the developing cyber-attack.’
CISP, by the way, is Cyber-Security Information Sharing Partnership:
‘The Cyber-Security Information Sharing Partnership (CISP) is a joint, collaborative initiative between industry and government to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and
therefore reduce the impact upon UK business.
CISP uses a dedicated, online collaboration environment to allow government and industry members to share cyber threat and vulnerability information at pace whilst operating within a framework that both protects and respects the confidentiality of any shared
information.
Any UK registered company or other legal entity which is responsible for the administration of an electronic communications network in the UK is eligible to become a member and apply for membership of the CISP collaboration environment’. (Source: cisp.org.uk) So
far so good.
But what actually happened?
Three set of scores were taken after each exercise: from investment banks, market infrastructure entities and financial authorities. They show an increasingly acute situation being responded to generally by banks coping more or less by themselves, with a mix
of increased risk oversight, manual workrounds and, latterly, communications to stakeholders outside the banks themselves. For the detail, google 'Waking Shark II Report Appendices Reduced File'.
The two key objectives of Waking Shark II were judged roundly to have been achieved with 90% of participants accepting that it had:
* Exercised ‘communication and information flows between firms, and between firms and regulators, during a cyber-attack.’
* ‘Improved understanding of the impact of a cyber-attack on the financial sector and how the sector should respond, as identified in the 2011 Market Wide Exercise’.
I reflect that these goals are, perhaps, on the low side of ambitious, given the assembled industry and regulatory firepower deployed.
But there are some other dissenting voices here as well:
* Only 44% agreed that the scenario had been ‘sufficiently challenging’
* Only 47% identified issues with communications and information sharing between firms or regulators.
* Only 25% of investment banks had initiated communication with law enforcement by the middle of phase 2.
* Only 8% of investment banks by the end of phase 2 had considered requesting a CMBCG meeting. CMBCG is the Cross Market Business Continuity Group.
These were reflected in four key findings and recommendations. My bold type for emphasis:
'1. Financial sector communication
Whilst there was some communication between the participating firms and the FMIs and good communications with the authorities, it was identified
that there is no formal communication coordination within the wider sector. A number of sector groups are already in place including SIBCMG, IBSIG, CMBCG, FSIE that provide for a framework for communication amongst their members but
there is no cross-sector infrastructure in place currently for communication to other financial institutions outside the core systemic wholesale and retail firms.
Recommendation 1: Consideration will be given to the identification of a single coordination body from industry to manage communications across the sector during an incident.
2. Regulatory engagement
The exercise tested interactions between firms and the authorities highlighting the requirement in the new regulatory structure for dual-regulated firms to communicate with both the PRA and the FCA, and to complete a separate MIDAS form as required by each
regulator. Not all firms were fully aware of the requirement to notify both regulators in the new institutional framework. Some firms questioned the reactive nature of the official response and whether the authorities should be more proactive in identifying
any adverse systemic impact of the event on firms and in leading or coordinating the sector response.
Recommendation 2: Firms should be aware of the need to report major incidents to their respective regulators as soon as possible. The PRA and FCA will coordinate to ensure dual-regulated firms are fully aware of the regulators’ incident reporting
requirements, including frequency of updates. The Authorities will also provide further clarification to the sector on the respective roles of the Authorities, Government agencies and the sector in responding to major cyber-events and reinforce with
firms the importance of reporting major incidents to their respective regulators as soon as possible.
3. CISP platform
The CISP platform was heavily used during the exercise, truncating three days of activity into a few hours. This highlights the value of the facility in identifying and responding to a cyber-event and also the amount of work required from the Fusion Cell
in managing the information. This has been recognised and the platform will continue to be enhanced to facilitate the timely and secure exchange of information amongst the members.
It should be noted that the CISP platform was launched in March 2013 and therefore
this was the first time many of the users had actively used CISP. Furthermore, the exercise helped raise awareness and increase membership amongst the finance sector participants. As they become more practised, so they will find it easier to use and
get more out of it.
Recommendation 3: The CISP platform will continue to be enhanced through close collaboration between the financial sector firms and Government partners.
4. Engagement with law enforcement
The participants did not engage directly with law enforcement during the exercise in reporting the cyber-attack, primarily because there were no law enforcement representatives present. It is possible that participants considered that law
enforcement agencies were aware through the extensive media coverage, or assumed incorrectly that reporting via the CISP platform constituted advising law enforcement.
Recommendation 4: The types of attack witnessed during the Waking Shark exercise would constitute a criminal offence and
organisations will be reminded of the need to report such incidents to the appropriate authorities, including law enforcement.
Some commentators have reflected on an apparent lack of transparency in past exercises of this kind and the absence of a set of standards to be able to form a clear view of whether the industry, its market infrastructure and its regulators are ahead of them.
Waking Shark II goes a good way towards transparency which can only be a common good.
However, from the results of Waking Shark II, I can conclude only that:
* the banks have well prepared contingency measures for dealing with external shocks, not necessarily due to cyber attack
* that there is an abundance of advisory and coordinating bodies whose roles appear to overlap
* that inter-bank information exchange is still new and relatively immature
* that law enforcement is well down the banks’ response priority list.
There are contingent reasons, which may have much to do with the design of the exercise itself, that suggest these conclusions. But even if only half right, they throw a moderately uncomfortable light on level of industry coordination.
And I sense they have might have done too little to convince that the wholesale banks, at least, are ready for tomorrow’s cyber attacks.