21 May 2015

Hacking onslaught tests UK banks’ defences

Martin Arnold
May 18, 2015

A new cyber challenge confronts British banks. It comes from elite hackers, advised by the British security services, reporting to the Bank of England and being paid for by the banks themselves.
Several of the UK’s biggest lenders, payment systems providers, clearing houses and securities exchanges have endured repeated attacks from these expert hackers since the start of the year.

But unlike many criminals and state-sponsored actors that are bombarding such companies almost every day, this group is made up of “ethical hackers”, working in an official capacity to help institutions improve their defences.

As well as probing the companies’ electronic defences, the tests include attempts to breach physical security, such as by entering a data centre building under false pretences.

Lloyds Banking Group this year became the first big lender to put itself through these cyber war games, which regulators are urging the country’s 36 systemically most important financial institutions to complete.

Other institutions, such as Barclays, have completed the exercises or are in the process of doing so.

The Bank of England’s Financial Policy Committee plans to publish a report on the first set of tests this summer.

This will be followed by a transatlantic cyber exercise, organised by US and UK authorities, which will, for the first time, test the vulnerabilities of large financial institutions of both countries in a co-ordinated way.

Concern about a state-sponsored attack on the financial system has intensified since last year’s theft of data on 76m customers from computer systems at JPMorgan Chase, the biggest US bank by assets.

The “ethical hacking” tests at UK financial groups are the latest indication of how seriously cyber threats are being taken. A survey by professional services firm PwC found that 81 per cent of large organisations suffered a cyber security breach last year, costing them each £600,000-£1.1m on average.

Bankers and government officials are reluctant to talk in detail about the latest exercises, which the Bank of England calls CBEST penetration testing.

One executive at a group that has experienced the test said it took place “in quite a controlled environment”.

Lasting six weeks to three months, the tests are broken down into phases. At each stage the hackers are given the data they need to break into the computer systems. They remain in regular contact with the target’s management, while its frontline cyber security staff are unaware of the exercise and are told about it only after they have detected the intrusion and raised the alarm.

The tests are designed with input from GCHQ, the UK’s cyber intelligence and defence agency, and commercial intelligence providers to simulate real-life threats that big financial institutions have faced from cyber “hacktivists” and state-backed groups.

A set of key performance indicators — including how far the hackers were able to penetrate and how soon they were spotted — is then sent to the Bank of England.

Only a handful of specialist consultants can carry out the tests, which typically cost more than £100,000 each, and they are vetted by GCHQ beforehand.

These approved consultants, such as BAE Systems Applied Intelligence, Context Information Security and MWR Infosecurity, employ people including tech-savvy graduates and ex-security services staff to carry out the tests.

Ollie Whitehouse, technical director of NCC Group, which is authorised to carry out the tests, said some groups were nervous about the process: “With anything that is new there is always a certain amount of anxiety,” he said.

“There is a question of how they do against competitors as security is a key differentiator in financial services.”

However, the tests have attracted criticism in some quarters, mainly over the role of GCHQ, which both approves and advises the consultants running the process and has supplied some of the staff they employ.

Ross Anderson, Cambridge university’s head of cryptography, said: “There is always a suspicion that these consultants are very close to GCHQ and just report back to the intelligence services on any vulnerabilities they find in the banks.”

Mr Anderson, who is also chairman of the Foundation for Information Policy Research, a UK internet think-tank, said since leaks from former US intelligence worker Edward Snowden revealed GCHQ’s extensive online eavesdropping activities, it was clear that “intelligence agencies sometimes access bank data without knocking on the front door”.

GCHQ has been stepping up its work with the financial sector on cyber security and recently gave a presentation about the issue to Royal Bank of Scotland’s board — part of regular briefings it gives in the City of London.

The intelligence agency also participates in the UK government’s Cyber Security Information Sharing Partnership, a venue for the security services and businesses to exchange information on threats.

“It is public knowledge that GCHQ supports the Bank of England in its work on cyber security,” the government said.

“They also meet, from time to time, with banks or groups of banks at their request to discuss the issue. This is all in support of GCHQ’s legal duty to promote information security.”

Some senior bankers grumble about the pressure to co-operate more closely with the security services.

But Brian Lord — a former GCHQ deputy director who is now working for PGI, a private sector security group — said: “It would be sad if the knowledge and skills of people who come from the intelligence agencies were prevented from being part of the testing process.”

Some banks have even hired former spies to help them deal with cyber attacks and financial crime.

Sir Iain Lobban, former director of GCHQ, is advising Standard Chartered’s board, while HSBC has hired Lord Evans, former director of MI5, the UK intelligence agency, to join its board of directors.

Because of banks’ sheer size, as well as their complex, layered and ageing IT systems, guarding them against cyber attack is an onerous task.

So while some observers are suspicious about the increasingly close co-operation between bankers and spies, the sector seems to have little choice but to accept all the help it is offered.