Quantum Dawn War Games Test Cyber Resiliency in Finance Sector
10.11.2017 securityweek Cyber
Quantum Dawn IV, a large-scale exercise to test the cyber resiliency of the U.S. finance sector, was held on Tuesday and Wednesday this week. The excercise had more than 900 participants from over 50 financial institutions, government agencies and regulators.
Run by SIFMA (the Securities Industry and Financial Markets Association), Quantum Dawn is designed to test this industry's ability to weather a major cyber attack. SIFMA describes itself as the voice of the U.S. securities industry, representing broker-dealers, banks and asset managers.
"There is likely no greater threat to financial stability than a large-scale cyber event, which SIFMA considers a low-probability, high-impact event that the industry must prepare for along with other possible crisis events," explains Kenneth Bentsen, SIFMA president and CEO.
The exercise, he said, enabled financial institutions, key government agencies and other industry partners to practice communication and response processes to maintain smooth financial market operations in the event of a sector-wide attack. The outcome of the exercise, however, will not be known until the Deloitte Risk and Financial Advisory Cyber Risk Services analyzes the data and produces a 'public after-action' report with observations and recommendations over the next few weeks.
In the meantime, we just have Bentsen's comment, "A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor -- not the federal government, nor any individual firm -- has the resources to protect markets from cyber threats on their own."
The value of such exercises is rarely questioned.
"Any exercise of this nature is always a good idea. Financial Services are part of critical infrastructure and we know they they are under sustained and increasing attacks," Neira Jones told SecurityWeek. "Destabilization of financial markets is definitely not something we want to see happen (well, not caused by cybercrime where we could potentially help it/minimize it anyway)," she said.
Jones is a non-executive director at Cognosec, chairs the advisory board for Ensygnia, and spent four years on the PCI SSC Board of Advisers. She has also worked for Barclaycard, Santander, Abbey National, Oracle Corp. and Unisys.
"While financial services are heavily regulated (in security, too), regulations are always some steps behind technology and criminals," she added. "Quantum Dawn is essentially good practice because it is merely testing an incident response plan through simulation, which should be standard practice anyway. It doesn't detract from individual bank testing of their own incident response processes -- which does happen in the great majority, and certainly for the major banks and FS firms."
Quantum Dawn is similar to Waking Shark in the UK. "The trick of course," Jones told SecurityWeek, "will be to act on the lessons learned and for the results not to be confined to the archives. Only time will tell."
That is certainly the hope of Bentsen. "Cybersecurity is truly an issue where the interests of the industry and public sector are fully aligned. SIFMA and our members are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government, including our regulators. Best practices are developed and refined regarding penetration testing, insider threats, third-party risks, and secure data storage and recovery. Lessons learned from Quantum Dawn IV will help shape these initiatives as we constantly work to get better."
Quantum Dawn IV leveraged NUARI (Norwich University Applied Research Institutes), and its latest version of the DECIDE FS, and the SimSpace Corporation’s Cyber Range software for the simulation and execution of the exercise.
In 2013, U.S. banks suffered a series of disruptive DDoS attacks from a group that called itself itself the Izz ad-Din al-Qassam Cyber Fighters. Growing concern about both nation-state and organized criminal attacks of increasing sophistication against the critical infrastructure make exercises like Quantum Dawn essential.