The Bank of England has warned that the country's financial sector is still woefully vulnerable to hackers, despite positive work by the UK government.
In its Desktop Cyber Exercise: Report to participants, the Bank of England revealed that a number of key weaknesses were discovered in financial organisations' cyber defences during the Waking Shark II exercises.
Waking Shark II was an initiative backed by the Bank of England, the Treasury and the Financial Conduct Authority, designed to stress test the financial sector's cyber defences in November 2013. Major banks including Barclays and RBS took part.
The Bank of England explained: "The scenario was set over a three-day period, the last day of which happened to coincide with 'Triple Witching' (when contracts for stock index futures, stock index options and stock options all expire on the same day).
"The three-day period was broken into phases, playing out various technical and business impacts from the scenario. The scenario examined how firms would manage their response to the cyber attacks both on a technical level (in particular information-sharing amongst the firms via the CISP [Cyber-Security Information Sharing Partnership] tool), and from a business perspective."
The report said the simulated tests included DDoS attacks designed to knock websites and internet-facing systems offline and "APT and PC wipe attacks" designed to penetrate and damage the banks' inner systems.
The report said the tests highlighted a lack of coherent communication between those involved, as well as confusion over which regulatory and law enforcement authorities to report to, as key reasons for the attacks' success.
"It was noted that there is no central industry co-ordination for financial sector information-sharing and communication to the wider public and it was suggested that consideration should be given to allocating this role to a single co-ordination body from industry (possibly the BBA) to manage communications across the sector during an incident," read the report.
"Not all firms were fully aware of the requirement to notify both regulators in the new institutional framework."
Despite the negative news, the Bank of England did conclude that the Waking Shark II operation was a success, and supported the government's decision on Wednesday to expand the initiative to include other businesses and agencies involved in critical infrastructure areas.
The Bank of England also praised the government's CISP programme, arguing that despite any flaws it did prove useful.
"The CISP platform was heavily used during the exercise, truncating three days of activity into a few hours. This highlights the value of the facility in identifying and responding to a cyber event and also the amount of work required from the Fusion Cell in managing the information. This has been recognised and the platform will continue to be enhanced to facilitate the timely and secure exchange of information amongst the members," it said.
Waking Shark II and CISP are a key part of the UK Cyber Security Strategy. The strategy launched in 2011 when the government pledged to invest £650m to help bolster the nation's cyber defences.
It has seen the launch of several other initiatives, including a new Cyber Streetwise campaign, launched in January, to help educate SMBs about cyber best practice.