On September 16, 2015 the Securities Industry and Financial Markets Association (SIFMA) conducted Quantum Dawn 3, the third in a series of cyber attack exercises against the capital markets industry. Over 650 people from more than 80 firms and government agencies participated in the exercise. And this year, for the first time, Akamai was invited to take part.
Quantum Dawn is a series of cyber attack exercises organized by the capital marketing industry in the U.S. over the past few years. The objective is to test crisis response and communications in the event of a cyber attack against the industry. Quantum Dawn 1, in 2011, was a pure tabletop exercise involving 30 firms. In 2013, Quantum Dawn 2 grew to about 50 firms. And this year, Quantum Dawn 3 expanded even further. These Quantum Dawn exercises are perhaps the largest cyber attack simulations of their kind within the financial industry, or any industry.
Details of the QD3 Attack:
While details of the QD3 scenario are not public, objectives and a high level overview have been published on SIFMA's website:
SPECIFIC QUANTUM DAWN 3 OBJECTIVES:
1. Simulate the degradation of critical infrastructure by effecting the availability and accuracy of the clearance and settlement process for equities, allowing participants to coordinate to remediate or resolve the situation.
2. Rehearse firms' internal response capabilities to a cyber attack scenario which requires coordination of business continuity, equity operations and information security practices in order to maintain equity operations.
3. Exercise the interaction between firms and the public sector with a focus on sharing information or requesting assistance. Simulate the experience of crisis-state information sharing.
This one-day exercise simulated three business days within the markets. Participants first experienced firm specific attacks, such as a distributed denial of service (DDoS), a domain name system (DNS) poisoning or breach of personally identifiable information (PII). These attacks were followed by rolling attacks upon equity exchanges and alternative trading systems that disrupted equity trading without forcing a close. The concluding attack centered on a failure of the overnight settlement process at a clearinghouse.
Many of the firms involved in QD3 use our security solutions, and we worked with a few of our customers to play out scenarios and mitigate attacks in the exercise. For Akamai, QD3 was an excellent learning experience, not only in terms of playing out the scenarios to block attacks, but to further understand our role as a vendor in a large scale, high impact event.
We also worked closely with the Norwich University Applied Research Institutes (NUARI), which runs the QD3 exercise utilizing their DECIDE-FS software platform. We plan to continue working with NUARI to provide our feedback to help them improve DECIDE-FS to better handle the real-world attacks that Akamai deals with every day.
That's a Wrap:
Or is it?
As more financial services firms use cloud services and third party vendors to manage their security operations, it becomes more important to test and validate that these services can respond appropriately in a crisis. Quantum Dawn is a perfect test bed for this.
Akamai would like to thank SIFMA and NUARI for inviting us to participate in QD3. We look forward to the next Quantum Dawn and our continued work to help protect the financial services sector.
Quantum Dawn 3 Cybersecurity Exercise
Command Center - New York City
September 16, 2015
Rich Bolstridge is Chief Strategist, Financial Services at Akamai Technologies