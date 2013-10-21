(Clarifies in 6th and 10th paragraphs that SIFMA, not Deloitte,
By Lauren Tara LaCapra
NEW YORK Oct 21 A few months ago, a group of
Wall Street banks fashioned a risk-manager's worst nightmare to
determine how they would survive. Luckily, it was all pretend.
In a staged simulation called Quantum Dawn 2, bank
executives in charge of operations, technology and crisis
planning were tasked with detecting how a massive cyber attack
was unfolding in the markets - but each one only got to see a
tiny red flag waving in a sea of information.
In some cases, a blue-chip stock started to plummet
inexplicably. Soon, shocking news about the company hit the
market, but unbeknownst to the participant, the news was fake.
For others, trading systems were on the fritz, or government
websites stopped functioning. Even basic technology such as
telephones and printers stopped working properly for some.
Individually, any of these problems would be reason to
worry. The challenge for Quantum Dawn 2's victims was not only
spotting a problem, but communicating with rivals, exchanges and
government authorities to conclude that markets were in the
throes of a systemic crisis and needed to be shut down.
"It didn't all happen at once - each attack affected firms
differently," said Karl Schimmeck, vice president of Financial
Services Operations at the Securities Industry and Financial
Markets Association (SIFMA), a Wall Street trade group that
oversaw the event.
"Some firms would see a problem, some firms wouldn't, and
some firms only 'see' it second-hand because they're
communicating with each other."
Banks are one of the biggest targets for cyber attacks,
which have occurred more frequently over the past two years,
security experts said.
The most visible attacks affect customers' access to
websites through a distributed denial of service - or "DDOS" -
attack. But banks are also worried about more insidious attacks,
in which hackers quietly infiltrate systems to swipe valuable
data, or lie in wait to plow across the entire industry with a
systemic attack - the doomsday scenario Quantum Dawn 2
participants want to avoid.
One key lesson from the drill was that the private sector
and government authorities must share information more freely
and quickly, said Ed Powers, the national managing principal of
Deloitte & Touche LLP's security and privacy practice, which was
an independent observer of Quantum Dawn 2. While firms have
detailed information about individual attacks, authorities can
help prevent a crisis by sharing information about broader
threats when appropriate, he said.
"Cyber attacks that manifest in different organizations can
become a systemic issue," said Powers.
The industry also needs to put in place better guidelines to
determine whether risks are systemic, and to formalize
procedures for deciding whether to close markets, he added.
Quantum Dawn 2 took place on July 18 after being delayed to
accommodate the large number of firms that wanted to
participate. It was the second time the industry had
participated in such an event, which required 10 months of
planning and tens of thousands of dollars to orchestrate. SIFMA
plans to perform an industry-wide drill every two years, with
more limited attack simulations in the interim, said Schimmeck.
In addition to big banks such as Bank of America Corp
and Goldman Sachs Group Inc, there were 50
participants, including major exchanges, clearinghouses, the
U.S. Treasury Department, the Securities and Exchange
Commission, the Department of Homeland Security and the Federal
Bureau of Investigation.
Representatives from SIFMA and Deloitte were stationed at
three hubs in New York, Washington and Chicago, where attacks
were being deployed and amplified at different times during the
day, and where conference calls were hosted for participants to
decide how to react to various threats.
The person who came up with the name Quantum Dawn did so
after being inspired by a movie, said Schimmeck. People involved
in Quantum Dawn drills said its name was a big selling point,
because it evoked the adrenaline rush of watching an action
movie.
"For a simulation, it did a very good job of creating the
sense of urgency that you'd expect to see in a real-world cyber
attack," said Powers.
