Professor Ross Anderson by RUSI/Flickr

Experts at Cambridge University are concerned that a new “penetration testing” scheme aimed at checking how secure banks are from criminal cyber attacks could be hijacked by intelligence agencies for their spying agenda.

The Foundation for Information Policy Research think tank has told MPs they should be worried about some of the effects of CBEST, a testing regime launched by the Bank of England nine months ago.

The scheme, which was set up after the Bank’s financial policy committee criticised the industry’s approach to cybersecurity, was designed to make IT systems more robust.

However, the think tank, which is led by Ross Anderson, professor of information security at Cambridge, believes the likes of GCHQ could be exploiting weaknesses found in the tests for their own means.

The worries centre not only on the role of GCHQ’s information security arm in vetting the small number of companies carrying out the tests, but also on the suspected employment of former GCHQ staff by the testing firms.

The concerns were outlined in written evidence to Parliament’s Joint Committee on National Security Strategy late last year, and came after documents leaked by US National Security Agency whistleblower Edward Snowden showed that secret services were monitoring international banking and credit card transactions in 2010.

Under the CBEST scheme, banks and other financial services institutions are invited by the Bank of England to pay up to £100,000 for an assessment that includes their ability to withstand simulated hack attacks.

The penetration tests are conducted by security firms vetted and approved by CREST, an industry body whose examinations and processes are overseen by the information security arm of GCHQ, CESG.

Threat intelligence

First a “threat intelligence report” is produced by an approved firm, based partly on real-life past attacks and other information supplied by GCHQ.

The bank to be assessed then meets with the Bank of England, the threat intelligence provider company, GCHQ, and an approved penetration testing company.

Together they discuss how to develop a simulated attack based on the threat intelligence report. The penetration testing company then carries out the “attack”.

The results are shared with the Bank of England. The Bank has declined to say whether the findings are also passed on to the intelligence agencies.

The FIPR think tank told Parliament that the secret services were putting “pressure [on] banks to hire former intelligence agency staff and CESG-approved security consultants to do penetration testing”.

FIPR’s evidence to the committee added that as a result “the agencies not only learn a lot more than they perhaps need to about financial systems’ vulnerabilities, but a clique of their former staff establish unjust market power in security consultancy.”

It continued: “There is a clash of incentives: for example, ‘security’ means different things for a bank and a bank customer. Their goals are in conflict, and the proper government body to arbitrate them is not an intelligence agency but a financial regulator or a court of law.

“There is also a clash of cultures: the missions of ‘national security’ and consumer protection are also in conflict, as the latter requires openness.

“Even national security itself may be compromised. Will agency staff be motivated to reduce risks, or merely to maximise compliance?”

As well as Prof Anderson, other FIPR trustees include Cambridge security researcher Richard Clayton and Nicholas Bohm, a retired solicitor and guest lecturer at the university.

Clayton told the Bureau: “We are concerned that the agencies, and their former staff, may put agency interests above those of the banks and their customers.”

He conceded his organisation had no hard evidence the test findings would be used by GCHQ, but added: “If you want security systems that will work into the far future, it is not a good idea to build in structures that will serve other people’s interests.”

He also pointed out that if banks are all receiving advice from the same small group of people and making the same adjustments to their security systems, then there is a risk that common vulnerabilities will remain.

“We would like to see more variation in the way that banks handle security. Restricting pen testers to a small number of firms does not seem a good way of achieving that.”

Allegation denied

Brian Lord, managing director of PGI Cyber and former deputy director of GCHQ’s intelligence and cyber operations said FIPR’s suggestion that the CBEST programme could be “a backdoor” exploited by GCHQ was unfounded.

“In my experience of GCHQ, it simply does not behave in that way – the culture, ethics and governance safeguards are too strong,” he said.

He said encouraging experts with commercial backgrounds to work closely with those who had agency experience was the most productive way forward. He said the quality of the industry advice could be undermined if “unfounded suspicion” were to fall on ex-agents, leading to a reluctance to employ them.

Lord also criticised the suggestion that commercial staff accredited under procedures approved by GCHQ’s information assurance arm, CESG, had an operational relationship with the agency. “I employ a number of CESG-accredited staff from all backgrounds who have nothing to do with the agency,” he said.

However, Lord did agree with Clayton’s view that the rigidity of CBEST may not be the best way to improve banks’ cybersecurity in the long term. He said: “Enforced systems and processes can tend to lead to box ticking and do not evolve at the same speed as the threats – the banks may be left with the false sense that they are safe once they have done the testing. It may also lead to a risk of dilution of the banks’ own responsibility.”

At the same time, the CREST-CESG process is too rigid, he argued.

He said: “Speaking as a CREST member, CREST are setting rules that, while admirably robust, can only be met by a small group of its members. The result is a closed market that is very difficult for others to penetrate and will lead to a lack of informed innovation and agility in the testing regime.”

Four companies approved

To date, according to the CREST website, four firms have been approved as penetration testing providers under CBEST: Context Information Security, MWR Infosecurity, Nettitude and Portcullis Computer Security.

Context Information Security, which has an office in Cheltenham, where GCHQ is based, has the most obvious links to the intelligence agencies. It is owned by Babcock International, a major player in the defence engineering field. Former GCHQ director Sir David Omand is Babcock’s “senior independent director”.

A post on the company’s website about cyber attacks on the financial sector discusses “state-sponsored attack groups” motivated by “traditional intelligence gathering for national security related purposes”.

It adds: “While there are often legal frameworks allowing this access and analysis, in situations where this may not be possible through the usual law enforcement means the arts of cyber espionage may be leveraged.”

When asked whether the UK government might also be conducting cyber espionage on UK banks, Context declined to respond. It also declined to comment on FIPR’s statement about CBEST or to confirm whether or not its employees included ex-GCHQ employees.

The other three firms did not respond to the Bureau’s request for comment.

A further eight companies are accredited as providers of “threat intelligence”, including BAE Systems Applied Intelligence, Control Risks Group, Digital Shadows and Mandiant.

Although CBEST is currently voluntary, the Bank has made clear that mandatory provisions may follow if financial institutions drag their feet.

Financial policy committee minutes show that all financial institutions deemed critical to the UK’s economic security were required to submit “self-assessment on cyber resilience” to the regulators last year.

The regulators found no “critical shortcomings” but did discover a tendency to view the issue as a technical problem rather than one needing board-level attention.

The findings of both the self-assessments and CBEST tests will form the basis of a cyber-security action plan for the sector.

Publicly, the CBEST testing scheme has been welcomed by both the financial services and information security industries.

However, a list of FAQs published by the Bank of England this month highlights concerns about how the information will be shared.

“There is a belief that the Financial Policy Committee is using CBEST to get a feel for who is most at risk. Is this true?” is one FAQ.

The response says that the results of each test will be made available to the Committee.