“Not a cybersecurity incident”
The UK’s National Cyber Security Centre (NCSC) today denied claims in the Wall Street Journal that intelligence officials are digging into an August outage at the London Stock Exchange, fearing it may have signalled malicious cyber-activity or the possibility of it.
“The NCSC has not treated the LSE outage as a cyber security related incident and has not investigated it as such”, a spokesman told Computer Business Review.
The WSJ is incorrect, officials said, responding to the August 5 report that said officials were “examining whether a trading outage blamed on a software hiccup at the London Stock Exchange in August may actually have been caused by a cyberattack aimed at disrupting market”; the report claimed Treasury officials were also involved.
Trading on the London Stock Exchange (LSE) was delayed by an hour and 40 minutes following the incident on August 6, 2019; the longest LSE outage in eight years.
LSE Cybersecurity Investigation: “Technical Software Configuration” to Blame
An LSE spokesperson added in an emailed comment: “London Stock Exchange experienced a technical issue on the morning of August 16, 2019 that impacted trading in certain securities for one hour and forty minutes until it was successfully resolved.
“London Stock Exchange takes its commitment to run orderly markets for its members seriously and has thoroughly investigated the root cause of the issue to mitigate against any future incidents. The incident was caused by a technical software configuration issue following an upgrade of functionality and was not a cybersecurity incident.”
Pressed on whether the NCSC was assessing the LSE’s software supply chain security, a spokesperson said that the agency was “not a regulator”.
The incident, which saw trading delayed until 9.40am, was the third major infrastructure outage in Britain in a week.
It followed an IT issue at British Airways that left tens of thousands of passengers stranded, and major power cuts that left commuters in the dark on the Underground, after a lighting strike tripped two major power stations.
(This week Ofgem fined three electricity suppliers – RWE Generation, Orstead and UK Power Networks a combined £10.5 million for that incident).
The LSE at the time blamed the outage on a “technical software issue”. It was reportedly in the middle of updating its systems when the outage happened. With development outsourced to contractors, the WSJ cited concerns about supply chain security.
The WSJ report came amid heightened attention on the cybersecurity of critical national infrastructure, in the wake of rising tensions with Iran.
The NCSC offers a range of security services and guidance to British businesses, including the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative set up to “exchange cyber threat information in real time, in a secure, confidential and dynamic environment”.
Businesses can apply to join the CiSP here.
They will need a sponsor: either a government department, existing CiSP member or a regional Cyber PROTECT police officer or industry champion.