* Bank of England pushing banks to confront cyber threats
* Theft of JPMorgan client details put banks on red alert
* Hackers to probe banks in live environment
By Steve Slater and Matt Scuffham
LONDON, Nov 19 (Reuters) - In the next few months hackers will try to penetrate the cyber defences of Britain's major banks and steal information about millions of customers. But for once they'll be welcome.
Banks are on red alert after cyber criminals obtained details of 83 million clients from JPMorgan Chase this year and Britain's leading lenders have signed up for tests that let teams of certified hackers attack at will.
The cyber war games will mark a major escalation in how banks test defences in a high-stakes battle with criminals.
"It's the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one," said Stephen Bonner, a partner in the cyber security team at KPMG.
Cyber crime costs the global economy $445 billion a year and the bill is rising, according to the Center for Strategic and International Studies (CSIS), which said it damages trade, competitiveness and innovation across industries.
Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyber defences. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.
"A defender has to block every possible route of entry and the attacker only has to find one. That's the position the banks are still in, the world is so connected now they have to look in every direction to protect themselves," said Paul Docherty, technical director at Portcullis Computer Security, a consultancy which has been accredited to run the tests.
ATTACK TEAMS
The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST for handling the growing cyber threat. It includes sharing intelligence from government agencies such as Britain's GCHQ with companies, and encouraging more intense testing of financial institutions.
In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their "attack teams" can infiltrate bank systems.
An "attack team" would typically be four to six people, including a project manager and an attack specialist at the sharp end trying to breach systems. Only a few bank employees will be aware an attack is coming.
"It's taking examples of what we see out in the wilds in the threat landscape and applying those to realistic attack scenarios on financial firms," said Adrian Nish, head of cyber threat intelligence at BAE Systems Applied Intelligence.
CREST, which is responsible for accrediting firms to do cyber security testing in Britain, has approved four firms to run these so-called Simulated Targeted Attack and Response (STAR) services, and more are expected to be accredited soon, industry sources said. Besides Portcullis, BT Group, Context Information Security and Nettitude are the other three.
Britain's biggest banks are among more than 30 financial firms lining up to go through the STAR test.
RAISE YOUR GAME
Pilot tests have begun and the vast majority of institutions are expected to have completed the process by the end of 2015, one of the sources said. The tests will also involve insurance companies, financial exchanges and payments systems operators.
"The financial sector has realised it needs to up its game and this is the logical progress," said Docherty.
The test starts with a vulnerability assessment to spot where risks are and set out a plan to probe those areas. This is followed by security testing, or penetration testing, to try and exploit weaknesses during a process that could take 3-6 months.
Other key infrastructure industries such as energy, telecoms and defence could follow the Bank of England's CBEST plan.
London's Metropolitan Police last month launched a new cyber crime and fraud team that will have up to 500 officers. The City of London police has linked with the New York District Attorney's Office to bolster their defences and next year plan to deploy staff permanently in each other's offices.
CBEST aims to encourage information sharing between government agencies and companies, and between firms -- who have been criticised for being slow to share information on dangers.
"For the last 20 or more years hackers, attackers and that community have been sharing information and selling things to each other whilst finding ways to co-exist and grow, whereas industry has been slow to embrace collaboration," said Docherty.
Andrew Gracie, the Bank of England's executive in charge of CBEST, warned in June he would take action against any bank that was inadequately prepared for the cyber threat. Some officials have said banks should face prosecution if they allow their systems to be breached. (Editing by David Clarke)