Update: Wall Street batters defenses in make-believe cybercrisis

War games, dubbed Quantum Dawn 2, designed to test preparedness for cyberattacks but critics dismiss it as a PR exercise

Wall Street played its own version of war games on Thursday, testing its defenses against simulated cyberattacks bent on taking down U.S. stock exchanges.

A total of 500 people took part in the exercise, called Quantum Dawn 2, in offices across 50 financial institutions and government agencies.

"The exercise was completed successfully with robust engagement from all participants," the Securities Industry and Financial Markets Association (SIFMA) said in a statement.

Participants included banks, insurance companies, brokers, hedge funds and exchanges. The Department of Homeland Security (DHS), the Treasury Department, the Securities and Exchange Commission (SEC) and the Federal Bureau of Investigation (FBI) also participated.

At stake is the preparedness of Wall Street to fend off cyberattackers hoping to disrupt the nation's economy by taking down U.S. markets. The exercise tested the players' crisis response plans and mitigation techniques, as well as electronic and telephone communications between institutions and coordination with government agencies. 

The simulation included distributed denial of service (DDoS) attacks aimed at online banking sites. The players also had to counter a malware infection that threatened to take down trading operations, according to David Kennedy, founder and principal security consultant at TrustedSec. Kennedy spoke with representatives of banks participating in the tests. 

The exercise was helpful to test participants' collective effort to defend against attacks, but fell short of simulating a real-world assault, Kennedy said. 

"Personally, what I've heard is it's been a bit cheesy -- not a real-world type scenario," he said. "That's hard to do in a simulated environment."

The banks' participation was part public relations to ease concerns customers may have about security in their financial institutions, Kennedy said.

"I actually think this is to create more of an outward-facing PR spin," he said.

Customer confidence was shaken last year during several waves of DDoS attacks that disrupted online banking operations of some major financial institutions. A self-proclaimed Islamic hacktivist group took credit for the assaults, which government officials believe originated from Iran.

No production systems were used in the exercises. Instead, separate software simulated three major attacks that attempted over a "multi-day period" to take down stock markets and banking operations.

Further attack details were not disclosed. SIFMA plans to release next month a report that will include recommendations on improving Wall Street's response to a cybercrisis.

Financial institutions were expected to find holes in their defenses as a result of the tests, which supporters say is a good reason for having these types of simulations regularly.

"Cybersecurity as a whole is an arms race," said Rich Bolstridge, chief strategist for financial services at Akamai Technologies. "The attackers are constantly evolving their techniques, so the defenses have to be [continuously] raised, coordinated and put in place."

Akamai, which did not participate in the tests, provides security services to many financial institutions.

In 2011, the first Quantum Dawn exercise had a handful of participants, Kennedy said. The fact that the latest test had more than double the number of players indicates the importance of appearing secure in the financial sector.

"This is a show of force to say, 'Hey, we're taking it seriously,'" Kennedy said.

Copyright © 2013 IDG Communications, Inc.
