Buck Rogers Leads BOE’s Hackers in 21st Century Cyberwar

Buck Rogers is the man behind the Bank of England’s latest cyber security campaign. Unlike the comic book hero, he doesn’t battle radioactive mutants or aliens. His foes are the 21st century humans who use computers as weapons.

Rogers’s mission is to improve online defenses at the U.K.’s biggest financial institutions. His idea is for hackers -- friendly ones vetted by the central bank -- to test those systems by trying to break through them.

The CBEST initiative “emulates the tools, techniques and practices of real-world attackers,” Rogers, 45, said in an e-mail.

In separate incidents this year, hackers stole millions of customer records from JPMorgan Chase & Co. and HSBC Holdings Plc’s Turkish unit, and accessed secret information about takeover deals from more than 80 companies. Central banks and regulators fear cybercrime could threaten not just individual firms, but the entire financial system.

Udo Helmbrecht, executive director of the European Network and Information Security Agency, called on banks last month to put more money into cyber defenses. The U.K. financial sector already spends more than 700 million pounds ($1.1 billion) a year to combat the problem, according to a May report by the British Bankers’ Association.

‘Existential Threat’

“Cyberhacking is a potentially existential threat to our financial markets,” Benjamin Lawsky, superintendent of the New York Department of Financial Services, said earlier this month.

CBEST is one of a confusing array of acronymic initiatives created to combat online crime. In the U.K., there’s also CERT-UK, CREST and the NCSP, all projects dedicated to cyber defense, plus the government agencies: GCHQ’s CESG, OCSIA, the National Crime Agency’s NCCU and the Metropolitan police’s FALCON unit.

The Bank of England is currently approving firms to carry out CBEST tests on financial institutions next year.

“This is a voluntary process with no pass or fail,” said Rogers, who has a lower profile than his comic book namesake. He has been at the central bank for 14 months after working at HSBC Holdings Plc, where he was global head of Cyber Threat and Intelligence.

Rogers, who also served in the Royal Navy, said he expects a range of results from “very good through to not so good.”

What makes the CBEST tests different to generic ones is that they are based on research about real incidents, said James Chappell, founder of Digital Shadows, one of the security firms seeking accreditation under the BOE’s CBEST plan.

Hacktivists, Activists

“Criminals, nation states, hacktivists, activists -- you are doing just the same things as the bad guys would do,” said Chappell, whose firm advises companies on the techniques used by criminal hackers.

“Banks that go through this will hopefully learn some quite valuable lessons,” said Stuart Criddle, a security consultant at NCC Group. He said other government agencies may adopt a similar approach.

“One of the things Buck is keen on is talking to other regulatory bodies to see if this works for them,” Criddle said.

The risks extend far beyond the finance industry: about 93 percent of large companies suffered an online security breach in 2013, PricewaterhouseCoopers LLP said in a June survey. Sony Corp.’s entertainment unit has faced a steady stream of embarrassing revelations about employee salaries, health records, movie stars’ fees and private e-mails for weeks after a group of hackers known as the Guardians of Peace broke into the company’s computers.

New Mechanism

“What the Internet has provided is a new mechanism for criminals to perpetrate old crimes,” said Matt Allen, director of financial crime at the BBA.

Early next year, the industry group will add another name to the army of acronyms. Its Financial Crime Alerts Service (FCAS) will warn banks about various threats, including those emerging online. The system is being designed by BAE Systems Plc, and will give the BBA’s more than 200 members a secure place to see and respond to alerts flagged by U.K. and international law enforcement agencies.

The service is an example of how governments and the private sector can work together to tackle web crime, said Scott McVicar, a BAE Systems executive working on the project.

“The adversary can choose who to attack and how and when,” McVicar said. “The challenge is using limited resources to counter that threat. Measures such as this help level the playing field.”

The CBEST tests will expose bank employees to the sort of underhanded tactics a hacker might use. Phishing e-mails promising details of a colleague’s bonus might instead infect their computer with a virus.

Another tactic is to leave a USB stick on the floor and see who picks it up and plugs it in, a trick known as Road Apples, according to Chappell at Digital Shadows. The difference is that instead of hijacking the system and stealing money or data, the ethical hacker tells the bank there’s a problem.

“There are some big risks out there,” Chappell said. “By testing it properly you actually stand a chance.”