Wall Street Cyber-Attack Drill to Test Security

NEW YORK—Concerned that Wall Street is a likely target for a large-scale cyber-attack, the industry is set to drill its firms to determine its chances of preventing a devastating stock market crash.

Participants are not being informed ahead of time what the exercise will entail—giving current security systems among firms and the government a full test.

The training scenario, called Quantum Dawn 2, is coordinated by the Securities Industry and Financial Markets Association (SIFMA), a trade group representing the securities firms, banks, and asset managers. The drill will be conducted on July 18.

According to Doug Johnson, vice president of risk management policy at American Bankers Association, who was part of the planning for Quantum Dawn 2, while the government is an active partner in the exercise, “What Quantum Dawn represents is us taking the lead.”

The financial sector is part of the nation’s critical infrastructures necessary for keeping the nation running, and therefore key targets for terrorist or military attacks. These include financial institutions, the energy grid, and transportation networks. The training scenario will test whether firms will effectively communicate crucial information about an attack in time to prevent significant damage.

The focus of the exercise is emblematic of the new threats facing businesses today. Just two years ago, the first Quantum Dawn simulated a more conventional attack on the financial sector—a group of armed militants attacking Wall Street with bombs and automatic weapons—similar to the 2008 attacks in Mumbai, India.

Participants included New York Stock Exchange, NASDAQ, JP Morgan Chase, Federal Reserve, the U.S. Treasury, the Department of Homeland Security, Goldman Sachs, Citigroup, and others.

The upcoming real-time drill will require firms to work together with the government while trying to prevent a simulated stock market from crashing. It will take place solely on computer screens.

If the test is successful, it may be tried in other cities. According to Johnson “We are actually in the process of evaluating how we can expand Quantum Dawn 2 past New York City.”

Retaining customer trust is among the most crucial points for the exercises. According to a SIFMA recap on the first Quantum Dawn, a successful cyber-attack on the market infrastructure could cause “significant impacts on confidence in the markets.”

Thus, maintaining trust—and ensuring that traders don’t cash in their stocks and run during an incident—is a key focus when it comes to securing the financial sector against cyber-attacks.

“If we’re not protecting customer data, then we really do lose that trust,” Johnson said. “That’s really what these exercises are meant to accomplish.”

Johnson said Quantum Dawn 2 may also be able to benefit sectors outside the financial industry. He noted that many of the participants are working closely with cybersecurity authorities in New York state and the larger cybersecurity community.

When the U.S. government set out to protect the nation against cyber-attacks, critical infrastructures were the first priority. The problem with securing critical infrastructures, however, is that most are privately owned. Cybersecurity falls in a grey area of government oversight, and the role of government in business has been among the more contentious issues with cybersecurity legislation.

There have been several bills attempting to establish national standards on cybersecurity, but none of the key legislation has made it past Congress. The turning point was when S. 3414, a bill to create voluntary cybersecurity standards for private companies, was blocked in the Senate in August 2012.

Rumors began spreading that the White House would issue an executive order for cybersecurity standards, and this happened Feb. 12, 2013, when President Barack Obama issued Improving Critical Infrastructure Cybersecurity.

The executive order states: “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

Rather than make strict rules for businesses to follow, the government created voluntary cybersecurity programs and offered incentives for companies to join.

The executive order, for example, is based primarily around programs to share cybersecurity information between government and businesses, and between businesses.

Johnson said government and large businesses often develop their own systems for cybersecurity with their own perks and weaknesses. When the entities cooperate they are able to learn from each other to close gaps and improve their own respective systems.

“We certainly view cybersecurity as being a cooperative and not a competitive issue,” he said. “It’s only when the public and private sector work together that we can really withstand.”