UK joins US financial institutions for industry resilience tests
Op Resilient Shield wasn't a live test, though
The UK teamed up with US authorities to run a banking industry resilience exercise, dubbed Operation Resilient Shield, last week.
The paper-based transatlantic exercise focused on improving information sharing and planning in the context of a cyber attack rather than fending off Red Team hackers.
Leading (but unnamed) global financial firms were also involved in the joint US/UK table-top exercise which aimed at enhancing “cooperation and ability to respond effectively to a cyber-incident in the finance sector.”
Resilient Shield omitted any test of individual financial firms or financial systems. Instead, the exercise focused on improving understanding across the two governments and industry in three main areas: information sharing, incident response handling and public communications. The exercise did not “amount to a ‘cyber war game’ or include live play”, as an HM Treasury statement on Resilient Shield emphasises.
Testing the actions of law enforcement or the security and intelligence agencies was likewise outside the scope of the operation.
Participants from the UK included CERT-UK, the UK Financial Authorities (HM Treasury, the Bank of England and the Financial Conduct Authority), Cabinet Office, the National Crime Agency, the Office of Cyber Security & Information Assurance and UK intelligence (not named but doubtless GCHQ was involved). Participants from the US included representatives from the White House National Security Council, the Department of the Treasury, the Department of Homeland Security, the FBI, the US Secret Service, several reserve banks and other financial sector organisations.
One of the main aims of Resilient Shield was to exchange best practices domestically and between the US and UK on a government-to-government and government-to-financial sector basis. Understanding of each country’s cyber security information sharing processes and incident response coordination structures, including scenarios that may call for a coordinated response and public communications, was also part of the rationale for running Operation Resilient Shield.
Boosting cyber security cooperation by “enhancing processes and mechanisms for maintaining shared awareness of cyber security threats between US and UK governments and the private sector” was another goal in the (frankly rather bureaucratic and seemingly focused on paper shuffling) exercise.
The operation follows earlier cyber-attack drills testing the resilience of the UK banking sector, including Operation Waking Shark and Waking Shark II. Waking Shark II, which took place in November 2013, was more focused on testing how investment banks and financial institutions held up under a sustained assault by hackers.
Working on communications and pooling best practice was part of that exercise too, but unlike Resilient Shield, Waking Shark II also involved stress-test exercises and simulated attacks. Waking Shark II tested how merchant banks and city institutions might react under a combination of DDoS attack and wiper-style malware assault from a nation-state-grade adversary that was hell-bent on causing chaos in financial markets.
Resilient Shield might seem tame, even bureaucratic, but independent security experts quizzed by El Reg agreed it was still worthwhile.
“One of the key elements in IR [incident response] is knowing who to contact and how,” independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg. “These types of exercises are good at identifying gaps.”
Experienced infosec consultant and banking sector alumnus Stephen Bonner added that exercises such as Resilient Shield are a “cost effective way to break down barriers/build links”.
In a statement, Mark Carney, governor of the Bank of England, praised the Resilient Shield exercise, which he argued ought to be regularly repeated.
“It is vital that the financial sector continues to develop its resilience in the face of ever-evolving cyber threats,” Carney said. “The Bank has a particular interest in this given its role along with HM Treasury and the Financial Conduct Authority to ensure that firms can continue to provide critical services that are important for the functioning of the financial sector, and the Financial Policy Committee's remit to monitor and address non-financial as well as financial risks to the system.”
“Regular exercises such as this play an important role in helping the financial sector and the authorities plan a coordinated response to a cyber event, and the Bank of England has been pleased to provide the technical expertise to facilitate this exercise,” he added. ®