It could be a plot line from a summer blockbuster movie: A large-scale cyber attack from a number of sources disrupts the U.S. financial system. Trading in the markets is degraded and investors are concerned as firms work to address the effects of the attacks and maintain trust and confidence in the system. As the attack persists over days, investor confidence sinks and the economy suffers a grievous blow.
With the rise of cyber attacks on U.S. businesses and government agencies in recent years, what once might have seemed a Hollywood screenwriter’s farfetched fantasy looks more plausible.
Which is why the financial industry is not standing still in developing plans to respond and recover in the event of a large-scale cyber attack. On September 16, over 650 participants from more than 80 financial institutions and government agencies carried out a simulation of a large-scale cyber attack to test the industry response to an attack.
Titled “Quantum Dawn 3,” the simulation was coordinated by the Securities Industry and Financial Markets Association (SIFMA), with the goals of testing communication capabilities and determining the response and recovery measures needed to keep the financial system functioning.
While a full report on the simulation’s findings is forthcoming, SIFMA President and CEO Ken Bentsen noted that a few key lessons were immediately clear.
“What we really learned about this is that information-sharing among industry participants, with each other and with the government…is critical,” Bentsen said in a post-simulation interview.
Along with financial institutions such as banks, brokerage houses and market exchanges, participating government agencies included the Department of Treasury, Department of Homeland Security, law enforcement agencies like the FBI, regulatory agencies like the SEC, and the Financial Services Information Sharing and Analysis Center.
How Quantum Dawn 3 worked
The latest simulation was the third in a series that began in 2011. In 2013, SIFMA coordinated the Quantum Dawn 2 exercise focused on a simulated attack on equities markets. This year’s Quantum Dawn 3 simulation expanded upon that exercise by focusing on maintaining market operations in the event of a systemic attack.
Quantum Dawn 3 was a one-day exercise, but it simulated an attack lasting three days, with the attacks spanning multiple fronts.
Participants first experienced firm specific attacks, such as a distributed denial of service (DDoS), domain name system (DNS) poisoning or breach of personally identifiable information (PII).
These attacks were followed by rolling attacks upon equity exchanges and alternative trading systems that disrupted equity trading without forcing a close.
The concluding attack centered on a failure of the overnight settlement process at a clearinghouse.
The simulation was “closed loop”-no real world systems were affected-and distributed, with participants taking part from their own established locations and communicating via email and telephone to share information and coordinate response efforts.
The cybersecurity challenge
A large-scale cyber attack on U.S. financial systems would likely be “low probability, but high impact,” as Bentsen notes. And that’s enough to make the industry stand up and take notice-and take steps like Quantum Dawn 3 to test the preparation and resiliency of the financial system.
While increasing in frequency and scope, the reality is that most cyber attacks fail. But it’s also important to recognize that the perpetrators of these breaches seek to learn from their experiences and then shift their tactics in response to a changing security environment.
That could mean that cyber security isn’t a problem with a definitive end solution, but one that has to be managed over time in a virtual arms race against hackers.
Most importantly, it’s about protecting investors and consumers while ensuring confidence in the U.S. financial system. And while the Quantum Dawn 3 exercise was geared toward financial institutions, other industries will likely gain insight and knowledge from the lessons learned in the exercise.
Further lessons learned will be available in a few weeks when SIFMA will release an after-action report on the Quantum Dawn 3 simulation, prepared by Deloitte Cyber Risk Services.
“This is a top priority issue for the industry,” Bentsen explained after the simulation’s end. “It’s an inevitable instance that we’re going to have cyber attacks, and we have to work not just on prevention, but on response and recovery, and that’s what those exercises are all about.”
For more information, check out SIFMA’s fact sheet on the Quantum Dawn 3 simulation.