Proposal to the Treasury: Sponsor Cyberwar Games

Author: Clayton Locke

One of the most well-known and feared viruses in recent times has become a byword for cyberwarfare: Stuxnet. Created in 2010, its origins are shadowy, but Stuxnet marks a turning point in the development of malware. Stuxnet doesn’t infect at random; it can be programmed to infect a target system and disrupt a specific target. The threat to the UK Financial Services industry is that this type of virus has evolved into a new species that targets banking customers: Citadel.

The Citadel botnet is capable of ecommerce fraud, draining bank accounts and stealing personal information. The malware is built using tools widely available to hackers at low cost, can avoid many anti-virus defences, and is controlled by a remote hacker with a single purpose in mind: to steal a customer’s banking credentials.

As Sun Tzu famously said: “The supreme art of war is to subdue the enemy without fighting.” The time is now for the UK Financial Services industry to demonstrate the strength of the digital security methods deployed to protect our customers.

The Bank of England’s recent call to action to make our financial system more resilient to cyber attack is timely – but the proposed approach of asking each company to strengthen itself is not enough. More leadership is required to bring software, infrastructure and banking institutions together in a combined exercise of preparedness. The Treasury should sponsor and co-ordinate practical exercises, penetration testing and industry wide war gaming scenarios to test our overall financial system’s resilience. “In the conduct of war, one must not rely on the failure of the enemy to come, but on the readiness of oneself to engage him.”

Reference: Bank of England publication

17 Oct 2013

Author: Clayton Locke

One of the most well-known and feared viruses in recent times has become a byword for cyberwarfare: Stuxnet. Created in 2010, its origins are shadowy, but Stuxnet marks a turning point in the development of malware. Stuxnet doesn’t infect at random; it can be programmed to infect a target system and disrupt a specific target. The threat to the UK Financial Services industry is that this type of virus has evolved into a new species that targets banking customers: Citadel.

The Citadel botnet is capable of ecommerce fraud, draining bank accounts and stealing personal information. The malware is built using tools widely available to hackers at low cost, can avoid many anti-virus defences, and is controlled by a remote hacker with a single purpose in mind: to steal a customer’s banking credentials.

As Sun Tzu famously said: “The supreme art of war is to subdue the enemy without fighting.” The time is now for the UK Financial Services industry to demonstrate the strength of the digital security methods deployed to protect our customers.

The Bank of England’s recent call to action to make our financial system more resilient to cyber attack is timely – but the proposed approach of asking each company to strengthen itself is not enough. More leadership is required to bring software, infrastructure and banking institutions together in a combined exercise of preparedness. The Treasury should sponsor and co-ordinate practical exercises, penetration testing and industry wide war gaming scenarios to test our overall financial system’s resilience. “In the conduct of war, one must not rely on the failure of the enemy to come, but on the readiness of oneself to engage him.”

Reference: Bank of England publication