The first Waking Shark operation took place on 11 March 2011 in the auditorium of the Credit Suisse building in Canary Wharf, and involved just over 100 people from 33 organizations. There were 28 non-participating observers from the financial authorities, and an Expert Panel provided by the Center for the Protection of National Infrastructure (CPNI), the Serious Organized Crime Agency (SOCA, now incorporated into the National Crime Agency), the Cyber Security Operations Center (CSOC), the Payments Council, BT and O2.
The exercise involved electronic voting and discussion on three separate scenarios, and to some extent concentrated on security incident information sharing. The results showed that many representatives considered that there were existing mechanisms for cross-firm communication during a major disruption, but less so specifically within IT and security. Similarly, it was suggested that there was a lack of clarity over the roles of official bodies such as the financial authorities, CPNI, CSOC and law enforcement.
Waking Shark II is expected to be bigger, longer, and more ambitious. "It will be co-ordinated from a single room housing regulators, government officials and staff from banks and other financial firms, people familiar with the matter said," reports Reuters. "Hundreds more people are expected to be involved from their own offices as the 'war game' plays out."
The exercise is likely to see if lessons from the first exercise have been learnt, and whether the banks can continue to operate while under attack – and whether cash is still available to both consumers and business.
The security industry is largely supportive. "Having a committee planning security controls, cyber attack response steps, and a high-level protection plan is an important initiative," comments Barry Shteiman, director of security strategy at Imperva. "This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats. This is Threat Intelligence in its most simple and effective way."
"It’s great to see financial organizations such as the Bank of England, and the Treasury taking cyber-security so seriously, and in particular that they will be conducting a simulated cyber-attack on payments and markets systems," adds John Yeo, EMEA director at Trustwave.
"The new cyber stress test initiative will help to identify areas of weakness within the participating banks' IT security infrastructure, allowing them to be better prepared for real attacks," says Ashley Stephenson, CEO of Corero Network Security.
But there are still areas of concern. Graham Welch, EMEA Managing Director of Sourcefire, points out that in real life "you have a living, breathing adversary on the other side – and this makes it hard to predict what might be coming at you." He suggests that organizations should accept that they will be breached, and then base a security strategy to address that scenario.
Yeo notes, "The Bank of England’s Financial Policy Committee (FPC) have also ordered regulators to come up with 'action plans' in the event of a cyber-attack by the first quarter of 2014. However," he adds, "it is of concern that the FPC feels these need to be ordered in the first place, as one would have expected that all financial institutions should have robust and far-reaching incident response plans already in place."