Bank of England conducts "Waking Shark" simulated cyber attack with financial services sector

Tuesday's exercise simulated attacks on investment banking and ATM network

UK banks have been participating in a simulated cyber attack run by the Bank of England in a bid to test their defences.

Called Operation Waking Shark II, it followed a similar initiative two years ago and focused on investment banking operations, the cash machine network, a potential liquidity squeeze and the likely fallout across social media.

In addition to the Bank of England, the Treasury, Financial Conduct Authority and staff at various financial institutions - including High Street banks - were involved.

"Waking Shark II will bombard firms with a series of announcements and scenarios, such as how a major attack on computer systems might hit stock exchanges and unfold on social media. It will be co-ordinated from a single room housing regulators, government officials and staff from banks and other financial firms," according to Reuters.

The March 2011 event, according to Reuters, "involved 'a concerted cyber attack upon the financial sector' that disrupted wholesale and retail payments and online services, and included more than 3,500 people, according to an evaluation published the next year."

It was a much smaller operation, held in the auditorium of Credit Suisse at Canary Wharf.

The Financial Policy Committee of the Bank of England in September mandated that the financial services industry must "ensure that there [is] a concrete plan in place to deliver a high level of protection against cyber attacks for each institution at the core of the financial system, including banks and infrastructure providers, recognising the need to adapt to evolving threats."

The exercise, though, was criticised for not covering physical threats, such as the recent attacks on branches of Santander and Barclays in which the attackers attached keystroke logging devices to PCs after tricking their way into the branches. It also failed to address the kind of social engineering aspect of many attacks in which attackers - whether insiders or outsiders - persuade staff to divulge login details.

For example, US National Security Agency whistleblower Edward Snowden scooped up colleagues' login and password details by claiming he needed them to perform his systems administrator role.