The Bank of England and Treasury have responded to criticism that UK banks and financial services companies lack cyber resilience by launching a scheme to help banks pinpoint where they are vulnerable to cyber attacks.
The CBEST scheme, announced on 10 June, is claimed to be a “world's first” for a national central bank in that it enables financial services firms to test their security via targeted simulated attacks, based on detailed threat intelligence.
Unlike the banks' current pen tests, these attacks will simulate the behaviour of serious threat actors, said industry body CREST, which is managing the scheme.
Launching CBEST at a British Bankers' Association (BBA) conference in London, BoE executive director Andrew Gracie explained: “The results should provide a direct readout on a firm's capability to withstand cyber attacks that, on the basis of current intelligence, have the most potential to have an adverse impact on financial stability.”
The scheme is voluntary but Gracie said “we see it as a core component to improving the sector's resilience to the threat of cyber attack” and so “we expect take-up to be significant given the benefits it will deliver”.
And in what may be seen as a thinly veiled threat to banks that ignore CBEST, he warned that the BoE will act against those who fail to adequately protect themselves from cyber attacks. “We will take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber; and we will take action in the face of inadequate preparation on the part of firms. Just as the threat evolves and adapts, so will our expectations.”
CBEST has been developed after last November's Waking Shark II cyber defence exercise, which tested the UK's leading banks' response to a simulated cyber attack by a hostile nation state, and found failings in their ability to communicate and collaborate.
This week's BBA conference brought together major banks, government departments and regulators to improve industry co-ordination and, in his speech, Gracie admitted CBEST was partly driven by UK banks' unwillingness and inability, so far, to share cyber threat information.
“Overall there is still a sense that information sharing may not be proportionate relative to the need. Part of this may be co-ordination, a matter of joining up across different networks within and across firms. Part of it may be overcoming any unwillingness to share - but it is increasingly recognised that managing cyber threats should be a space in which industry should collaborate not compete.”
CBEST is being run by CREST, a not-for-profit body, while cyber intelligence firm Digital Shadows helped define the scheme's framework.
The attacks will be carried out by CREST-certified pen testing companies, using threat intelligence delivered by CREST-accredited intelligence service providers.
So far seven intelligence providers have been certified for the scheme, which CREST brands as ‘STAR' as well as ‘CBEST' – BAE Systems Applied Intelligence (formerly Detica), Dell SecureWorks, Digital Shadows, Intelliagg, Mandiant, MWR InfoSecurity and VeriSign.
CREST president Ian Glover told SCMagazineUK.com: “This is a world-leading new approach in terms of how to deal with this type of activity. There is significant interest in these services – we have a whole queue of organisations that want to go through the process.”
Glover said around eight organisations or services “identified as being critical to the UK economy” will be the first to go through the CBEST testing process, hopefully by the end of this summer. A second tranche of around 40 more organisations has been identified by the BoE as critical and will also go through the scheme.
He defended the voluntary nature of the scheme: “That's by far the best way to do it. We demonstrate that there is a benefit, we demonstrate that the organisation will receive something for going through the effort, and it's the right thing to do.”
But he added: “The Bank of England would reserve the right over time to mandate some of these things or to make some stronger recommendations.”
Don Smith, Dell SecureWorks director of technology, told journalists via email: “It has become clear that the current cyber security testing methods used in the financial sector are not sufficient to protect organisations against more sophisticated attacks. CBEST differs because testing will be based on threat intelligence and an understanding of the real threat, something that is all too often overlooked.
“Cyber attacks are constantly evolving and in such a changeable security landscape, intelligence-led testing is the only way to prepare defences against the most persistent and sophisticated attacks.”
For more details on the scheme, see http://www.crest-approved.org/industry-government/cbest/index.html