• Reuters


In the next few months, hackers will try to penetrate the cyberdefenses of Britain’s major banks and steal information about millions of customers. But for once they will be welcome.

Banks are on red alert after cybercriminals obtained details of 83 million clients from JPMorgan Chase this year, and Britain’s leading lenders have signed up for tests that let teams of certified hackers attack at will.

The cyberwar games will mark a major escalation in how banks test defenses in a high-stakes battle with global criminals.

“It’s the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one,” said Stephen Bonner, a partner in the cybersecurity team at KPMG.

Cybercrime costs the global economy $445 billion a year and the bill is rising, according to the Center for Strategic and International Studies (CSIS), which said it damages trade, competitiveness and innovation across industries.

Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyberdefenses. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.

“A defender has to block every possible route of entry, and the attacker only has to find one. That’s the position the banks are still in. The world is so connected now, they have to look in every direction to protect themselves,” said Paul Docherty, the technical director at Portcullis Computer Security, a consultancy that has been accredited to run the tests.

The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST — a name that does not appear to be an acronym for anything — for handling the growing cyberthreat. It includes sharing intelligence from government agencies such as Britain’s GCHQ with companies while also encouraging more intense testing of financial institutions.

In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their “attack teams” can infiltrate bank systems.

An “attack team” would typically be four to six people, including a project manager and an attack specialist at the sharp end trying to breach systems. Only a few bank employees will be aware an attack is coming.

“It’s taking examples of what we see out in the wilds in the threat landscape and applying those to realistic attack scenarios on financial firms,” said Adrian Nish, head of cyberthreat intelligence at BAE Systems Applied Intelligence .

CREST, which is responsible for accrediting firms to do cybersecurity testing in Britain, has approved four firms to run these so-called simulated targeted attack and response (STAR) services, and more are expected to be accredited soon, industry sources said. Besides Portcullis, BT Group, Context Information Security and Nettitude are the other three.

Britain’s biggest banks are among more than 30 financial firms lining up to go through the STAR test.

Pilot tests have begun, and the vast majority of institutions are expected to have completed the process by the end of 2015, one of the sources said. The tests will also involve insurance companies, financial exchanges and payments systems operators.

“The financial sector has realized it needs to up its game, and this is the logical progress,” said Portcullis Computer Security’s Docherty.

The test starts with a vulnerability assessment to spot where risks are and set out a plan to probe those areas. This is followed by security testing, or penetration testing, to try to exploit weaknesses during a process that could take three to six months.

Other key infrastructure industries such as energy, telecoms and defense, could follow the Bank of England’s CBEST plan.

London’s Metropolitan Police last month launched a new cybercrime and fraud team that will have up to 500 officers. Police in the City of London have linked up with the New York District Attorney’s Office to bolster their defenses and next year plan to deploy staffers permanently in each other’s offices.

CBEST aims to encourage the sharing of information between government agencies and companies, and between firms — which have been criticized for being slow to share information on dangers.

“For the last 20 or more years, hackers, attackers and that community have been sharing information and selling things to each other whilst finding ways to coexist and grow, whereas industry has been slow to embrace collaboration,” said Docherty.

Andrew Gracie, the Bank’s of England’s executive in charge of CBEST, warned in June that he would take action against any bank that was inadequately prepared for the cyberthreat.

Some British officials have even said that banks should face prosecution if they allow their systems to be breached by hackers.

In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.