As cyber criminals grow more sophisticated, banks are doing all they can to fend them off. We speak to Dave Sheridan, a Cyber Defence Alliance board member and the chief information security officer at Santander, about why collaboration is essential in combating malicious attacks.
Over the last few years, cybersecurity has barely been out of the news. In 2017 alone, we saw the emergence of the Shadow Brokers – an anonymous group that leaked a suite of NSA hacking tools – followed by the WannaCry ransomware attack. Around 300,000 machines across 150 countries were infected, and a huge number of businesses (including the NHS) felt the impact.
While these kinds of attacks can seem almost indiscriminate in scope, the financial sector is particularly vulnerable. In 2017, UK banks reported 49 attacks to the Financial Conduct Authority (FCA), up from just five in 2014. The FCA has said this is unlikely to represent the full scale of the problem.
Some of the highest-profile incidents included the theft of £2.5m from 9,000 Tesco Bank customers in November 2016, followed by denial of service hacks on Lloyds, HSBC, Barclays, Halifax and Bank of Scotland.
Attacks of this kind can be hugely disruptive, and they are set to become more expensive too. When the EU’s General Data Protection Regulation comes into force in May, banks will be fined up to 4% of their total revenue for data breaches.
With further attacks always a possibility, banks are doing all they can to ramp up their cybersecurity. And while each bank has its own individual strategy, the scale of the problem is such that they need to work together.
“We work on the premise that an attack on one is an attack on all, because whether you’re directly or indirectly impacted there’s going to be an impact on you,” says Dave Sheridan, chief information security officer at Santander. “We all do our own things to protect our own banks but we have the more fundamental objective of protecting UK financial services as a collective.”
Sheridan sits on the board of the Cyber Defence Alliance (CDA) – a not-for-profit group of UK banks and law enforcement agencies set up to quash cybercrime together. The group was founded in 2015, with Santander, Barclays, Deutsche Bank and Standard Chartered as its founding members. Since then, Bank of Ireland, Allied Irish Bank, Metro Bank and Lloyds have joined the fray.
As Sheridan explains, the CDA enables members to share experiences and discuss ideas relating to cyber threats.
“The objective is to work collaboratively to disrupt and dismantle cybercrime in the UK,” he says. “We share information to form actionable intelligence within our community, to then allow us to work side by side with law enforcement.”
To put it simply, if one bank is feeling threatened, and approaches law enforcement, the agencies may not think too much of it. But if you develop intelligence as a collective, they are more likely to treat the case as something worth pursuing.
“If we can say it’s not just happening to one bank – it’s happening to a number of banks – it then allows the law enforcement agencies to consider it as a real attack,” says Sheridan. “So we try to create this collaborative hub, co-locating our resources in the same room.”
In one sense, the group is structured like a typical alliance. It consists of several analysts from each bank, along with a number of intelligence experts who previously worked at the National Crime Agency or National Cyber Crime Unit. In another sense, however, it resembles a standalone business, with its own standard operating procedures and information security policies.
“Maria Vello, the CEO, has a team of about 13 resources at her disposal, and it’s really for her to determine how they are utilised,” says Sheridan. “So she has some guys working on threat intelligence and some guys working with law enforcement.”
Although the group’s objectives haven’t changed since the outset, the fast-evolving nature of cybercrime has occasioned a shift in focus. In 2015, the members were predominantly interested in threat intelligence, and how they could use that information to protect themselves. Over the last few years, however, they have become more focused on fighting economic cybercrime. This has meant sharing information regarding suspect accounts, with a view to protecting the individuals who’ve had their accounts compromised.
They have also become more open to sharing information that might once have been regarded as unimportant.
“What we’re seeing now is a whole change in psyche,” says Sheridan. “If I’m being attacked, my guys will call into Barclays, HSBC, Lloyds, saying are you seeing anything unusual, and we try to build patterns around what we see. So there might be a number of cases of business email compromised across the banks, and we share that information so we can all put blocks in our systems to stop it happening at source.”
Relatedly, when the WannaCry and NotPetya attacks happened last year, it didn’t take long for the banks to realise the full extent of the problem. Rather than working in isolation, they were able to swap insights and solutions, and share the lessons learnt along the way.
This kind of knowledge sharing seems particularly critical in an age when cyber attacks are becoming more coordinated. Over the last few years, we have seen an uptick in what might be called nation-sponsored organised crime, with the cyber activities of foreign governments perennially under scrutiny. (We only need think of the allegations that North Korea was behind the WannaCry attack, or that Russia was responsible for NotPetya.)
As Sheridan explains, a state-backed hacker is likely to be more sophisticated than your average cybercriminal.
“Attackers generally are becoming smarter,” he says. “Historically we might have looked at the landscape and said it can range from the spotty teenager in his bedroom, through to a hacktivist crusading against a financial institution, through to organised criminal groups. But what we’re seeing now is nation state supported criminal gangs, which provide their resources to help commercialise some of the tools that are out there.”
In the case of the Shadow Brokers, the group that stole the NSA hacking tools, the identity of the group is still open to question. (Some have implicated disgruntled NSA insiders, while others blame an external nation state actor.) But whether you’re dealing with the enemy within or the enemy without, it’s clear that new tools carry new risks.
“When you have tools developed by security services, which then get leaked out into the public domain, that doesn’t help anyone – that compounds the challenge,” says Sheridan. “These are powerful tools, and powerful tools in the wrong hands equals quite a dangerous situation.”
He adds that, with so many ransomware tools now available on the open market, criminals are typically becoming more brazen.
“It’s not all done through the deep and dark web – it’s quite easy to purchase malware kits – and our challenge is to be ready,” he says. “Some criminals are operating like businesses as well, with lots of time and money. They have creative people working within that space who can try and attack many times, and they only have to be successful once to be in. So we have to be able to defend ourselves against whatever is thrown at us.”
While he can’t be specific about the sort of strategies the CDA is using, he describes its approach as ‘multilayered and multidiscipline’.
He also mentions a few of the ways the group hopes to evolve in future. Firstly, it wants to grow its membership in a controlled fashion, making the CDA the single source of protection for UK financial services. Secondly, it would like to move away from an insular focus on banking, and more in the direction of cross-sector collaboration.
“The more we collaborate as organisations, the safer our environment becomes, and so we’d like to extend this type of collaboration into other sectors,” he says. “Financial services is an important part of critical national infrastructure, but equally so is telecoms, energy, etcetera. And I think the more that we can start to engage with each other cross sector, the more benefits we will all gain collectively.”
After all, as the world grows more connected, it simply won’t make sense for different sectors to operate in siloes. To go back to the WannaCry attack, businesses of every stripe were affected, and not just computers but also many IoT devices. Tomorrow’s cyber attackers will have an even wider range of targets.
“The advent of internet of things is probably a bit of a headache for us, because if one device gets infected, all of a sudden there’s an awful lot of infections out there,” says Sheridan. “Connected fridges and kettles sound good, that you can control them from an app on your phone, but equally once a compromise has happened you can expose yourself to a lot of other unwanted activity.”
The CDA, then, will aim to expand its horizons in future. Sheridan is adamant that cybersecurity is not a competitive issue: rather, it’s a topic in which different entities derive great value from sharing information.
“What might work in financial services might be a killer protection tool for energy, and similarly if someone in telecoms is doing something we can learn from, that might really help us in financial services,” he says. “I think that fundamentally, collaboration in cybersecurity will be key to our success in protecting ourselves and our environment.”
This article appears in the Summer 2018 edition of Future Banking