11 July 2014

Andrew Gracie, the Bank of England’s executive director for resolution, said that when it comes to managing cyber threats, industry should “collaborate, not compete”.
The Bank of England (BoE) has launched CBEST, its new cyber security testing framework. It will run the scheme together with CESG (GCHQ’s information security arm) and the Financial Conduct Authority.
CBEST uses cyber intelligence from the government and accredited commercial providers to identify potential threats to a particular financial institution. Accredited cyber security analysts then replicate the techniques used by potential attackers to test, in a controlled environment, the impact an attack could have on the institution.
Speaking at the British Bankers’ Association Cyber Conference held in London in early June, the BoE’s executive director for resolution, Andrew Gracie, said: “This is the first time commercial intelligence providers will be subject to accreditation standards which are bound by enforceable codes of conduct.”
Gracie said CBEST is part of a broader effort to strengthen information sharing on cyber security within the financial sector. He said that while other security and penetration tests currently exist in the market, there is still an overall view that information sharing may not be proportionate relative to the need.
“Part of this may be coordination, a matter of joining up across different networks within and across firms; [or] it may be overcoming any unwillingness to share. But it is increasingly recognised that managing cyber threats should be a space in which industry should collaborate not compete. Indeed, given the prevalence of threats, silence on cyber risks would be a cause not for comfort but for concern.”
Gracie pointed out that CBEST is different because it is bespoke, adapts to the reality of changing threats, and is also safe: “We have worked with CREST (Council for Registered Ethical Security Testers) to develop the new accreditation standards, as well as with Digital Shadows on standards for threat intelligence.”
CBEST was launched with industry in May. MWR InfoSecurity is one of the firms that is now an accredited supplier. Its director, Alex Fidgen, says MWR has been conducting penetration assessments in isolation over the last four years for specific financial clients, and he welcomed the formalisation of the new scheme.
“It is a major step forward which couples highly realistic assessment techniques with real threat intelligence to help the UK’s financial industry better protect itself for the future. The CBEST scheme is a step change in data security collaboration.”
MWR has been involved in the scheme’s development alongside other firms within the industry. BAE Systems Applied Intelligence, Dell SecureWorks, Intelliag, Mandiant, and Verisign are among other suppliers that have also been accredited.