UK banks use 'Waking Shark II' war games to test cybersecurity

In London, banks have participated in a series of war games to test their defenses against cyberattacks.
Written by Charlie Osborne, Contributing Writer on
bank operation waking shark

Dozens of employees at London-based banks have participated in war games designed to simulate cyberattacks in order to test each financial institution's defenses against real threats.

Dubbed "Waking Shark II," as reported by The Guardian, the gathering were bombarded with announcements that imitated a major attack on computer systems. Waking Shark II tested how banks dealt with security breaches, whether they were able to keep cash available through ATM systems, and how threats were detected and dealt with.

The games, taking place on Tuesday, were overseen by government officials, financial regulators and the Bank of England.

The original Waking Shark was held at Credit Suisse in Canary Wharf on 11 March 2011, but was a far smaller operation, which shows that financial institutions are finally taking notice of how cyberattacks are evolving and may be able to cripple their systems in the future.

Waking Shark II, apart from bringing together industry professionals to share knowledge and discuss potential network threats, comes a few months ahead of the deadline for action plans against cyberattacks to be submitted to the Financial Policy Committee of the Bank of England.

Senior Research Fellow David Harley at ESET told Professional Security Magazine Online:

"A self-test can also be useful in that a well-run security team knows something about the organisation's weaknesses as well as its strengths, and if it's really trying can use those weaknesses to advantage. You often learn more in circumstances like this from things that go wrong than from the things that function as they should.

However, there's the risk that a simulation will play to strengths rather than weaknesses: after all, there can be a (not necessarily conscious) desire to demonstrate how effective your defences are, rather than display failure."

Cyberattacks are far more than a stereotype script-kiddie sitting in their bedroom and toying with vulnerable websites. In May, U.S. intelligence chiefs ousted terrorism as the "top threat" facing the United States and instead replaced it with cybercrime, admitting that governmental and business networks are often left behind in the scrabble to protect networks as threats constantly evolve and become more sophisticated.

Add this to the rising rates of state-sponsored attacks which go after nationally important data and commercial intellectual property -- as well as hackers-for-hire who are willing to infiltrate networks to access lucrative and valuable financial data -- and war games like Waking Shark II become a necessity.

A spokesperson from security firm Malwarebytes told ZDNet:

"The U.K. banking industry can learn a lot from U.S. Banks as they've been hit hard in terms of volume and intensity of attacks. The damage caused cannot be ignored as a few hours of outage can cost millions of dollars.

To put it simply, the U.K. finance industry needs to pull together and take a joined-up approach. Trying to tackle such a large issue in isolation is never going to be as effective as a collaboration. U.S. banks and other financial institutions have realised this and are working together effectively. It is good to see the U.K. following suit for the greater good."

Editorial standards