GCHQ, NSA cyber war games will test bank security

Surveillance agencies set up joint 'cyber cells' to share information and boost defences.

US and UK intelligence services will conduct war games to test the cyber defences of banks, as part of new plans for the agencies to work together more closely on digital threats.

GCHQ and MI5 will work with the FBI and NSA to establish "a joint cyber cell" to improve UK-US collaboration on cybersecurity.

"Aimed at strengthening mutual cyber defence, it will bring together agencies and law enforcement and allow staff from each agency to be co-located, enabling information and data to be shared at pace and at greater scale," GCHQ said.

Prime minister David Cameron said cyber attacks are the "biggest modern threats that we face" and suggested the teams will work on cyber defence but also cyber-deterrence.

He told the BBC that security teams in both countries will share information "and work out not only how we best protect ourselves but how we create a system where countries and hostile states and hostile organisations know that they shouldn't attack us".

Under the plans, later this year the agencies will conduct a simulated war game involving digital attacks on banks in the City of London. Such war games are not new, of course - the Bank of England has run a number of similar events known as 'Waking Shark'. Another is set to be run later this year.

"It is happening already but it needs to be stepped up," Cameron told the BBC.

Despite high-profile incidents such as the Sony Pictures hack, boards are still surprisingly relaxed about cyber risk, according to a survey carried out by KPMG as part of the UK government's 'cyber governance healthcheck' project.

It found that only 61 percent of board members said they have an acceptable understanding of their company's key information and data assets, and even fewer (55 percent) said they understood the potential impact of losing any of it.

Two-thirds (65 percent) never reviewed the risk management around valuable company information and data assets, and a quarter said they do not receive regular high-level intelligence from company CIOs or heads of security on the types of online threats their businesses may face.

The survey said FTSE 350 directors "were lacking in direction" about who should ultimately be responsible for cyber security: only 16 percent said responsibility should lie with the CEO and 31 percent said the CFO, while 15 percent pointed the finger at the CIO.

Malcolm Marshall, global leader of KPMG's cyber security practice, said: "Cybersecurity may be moving up the board agenda but clear communication between boards and management remains patchy at best. Regular board engagement on this issue is critical to ensuring companies remain alert to this growing threat.

"Alarmingly, just 39 percent of board members saw cyber risk as an operational risk when comparing it to other threats their companies face. This is a clear indication that boards have some way to go to understanding the consequences that a cyber-attack can have on the brand and bottom line," he said.

On the plus side, the survey highlighted a jump in the number of companies inserting contract clauses in order to deal with suppliers and cyber risk.
