Introduction
The 2010 National Security Strategy (NSS) identified
"hostile attacks upon UK cyberspace by other states and large-scale
cyber crime" as one of four Tier One risks, explaining that
"Government, the private sector and citizens are under sustained
cyber attack today, from both hostile states and criminals."[1]
Recent examples of high profile cyber
attacks include:
the leaking of thousands of British email addresses
and encrypted passwords, including those of 221 British military
officials, 242 NATO staff, and staff of the Joint Intelligence
Organisation;[2]
a 'denial of service'
attack on HSBC;[3]
and
the loss of £800 million in revenue
by a British company following cyber attacks by a foreign state.[4]
In November 2011 the Government published the second
UK Cyber Security Strategy (the first was in 2009), Protecting
and promoting the UK in a digital world.[5]
The Strategy has four main objectives:
The UK to tackle cyber crime and to be one of the
most secure places in the world to do business in cyberspace;
The UK to be more resilient to cyber attacks and
better able to protect our interests in cyberspace;
The UK to have helped shape an open, stable and vibrant
cyberspace which the UK public can use safely and that supports
open societies;
The UK to have the cross-cutting knowledge, skills
and capability it needs to underpin all our cyber-security objectives.[6]
The Cyber Security Strategy emphasises the limits
of the Government's powers to act in this arena, and the close
collaboration that will be needed with industry and academia.
A National Cyber Security Programme (NCSP) has been
launched under the management of the Office of Cyber Security
and Information Assurance in the Cabinet Office, and the oversight
of the Minister for the Cabinet Office. £650 million has
been allocated to the NCSP over the period 2011-2015, of which
14% (£90 million) has been allocated to the Ministry of Defence,
and 59% to the Single Intelligence Account. (The Cabinet Office,
Home Office, Business Innovation and Skills and Government ICT
account for the remainder.)
The Strategy states that around half of the £650
million funding will go towards "enhancing the UK's core
capability, based mainly at GCHQ at Cheltenham, to detect and
counter cyber attacks. The details of this work are necessarily
classified, but it will strengthen and upgrade the sovereign capability
the UK needs to confront the high-end threat."[7]
In his evidence, Francis Maude MP, Minister for the
Cabinet Office, commented that, in an "incredibly tight financial
settlement generally, this was one of the few areas to which additional
funds were apportioned, as a recognition that it was a growing
threat".[8]
Asked what the £90 million set aside for the
Defence Cyber Security Programme would be used for, Nick Harvey
MP, then Minister of State for the Armed Forces, told us that
the intention was to "mainstream cyber into all of our departmental
business". He continued:
It will be up to an SDSR and a National Security
Strategy in 2015 to assess how far we have got and how much more
of an investment we will need to make in it from there forward.[9]
The inquiry
This report is the second in a series
examining what we have termed "developing threats",
the first of which examined the risks posed by Electro-Magnetic
Pulses.[10] Some of the
themes of that inquiry - the need for a joined-up response
across Government, and the vulnerabilities inherent in our ever-growing
reliance on technology - feature in this report as well. We
announced the following terms of reference on 19 January 2012:
The nature and extent of the cyber-security threat
to Ministry of Defence and Armed Forces systems, operations and
capabilities;
The implications of the 2011 UK Cyber Security Strategy
for the Ministry of Defence; including:
the MoD's role in cross-governmental cyber-security
policy and practice, including the protection of critical national
infrastructure;
the relationship of MoD's actions and planning to
the National Security Council, the Cabinet Office and GCHQ.
How the Ministry of Defence and the Armed Forces
are managing and planning responses to threats in the cyber domain;
including:
skills, capacity and expertise within the MoD and
the Armed Forces, including in research and development;
how MoD and National Cyber Security Programme resources
are being used to address cyber-security.
The full list of organisations from which we received
written evidence is published at the end of the report, along
with the list of those who gave oral evidence. We held three oral
evidence sessions, including one, which focused on the role of
the Cabinet Office, in which we took evidence from the Minister
with overall responsibility for cyber-security across Government,
Rt Hon Francis Maude MP. We also visited the Global Operations
Security Control Centre (GOSCC) at MoD Corsham in Wiltshire, and
benefited from a number of briefings by Ministry of Defence staff
and Service personnel. We are grateful to all who assisted us
in the course of our inquiry, to our Specialist Advisers, particularly
Graham Wright, for their advice and insight, and to our staff.[11]
In this report we discuss first the
two tasks which the MoD has told us are its principal cyber-security
responsibilities: protecting its own networks in order to enable
military operations, and developing cyber capabilities which could
in future be used to enhance military operations. We then go on
to consider some of the challenges which the MoD will need to
address in order to fulfil those responsibilities, including the
development of concepts and the provision of resources to support
its cyber-activity. We offer our assessment of the progress the
MoD is making towards tackling these challenges, indicating the
areas in which it seems to us more rapid progress is required
at this stage, and those to which we are likely to return in a
future inquiry.
Finally, we consider the role of the MoD as part
of the Government's wider approach to cyber-security. Threats
to national security cross organisational boundaries, and in order
to assess the effectiveness of one department's contribution,
it is necessary to understand how it fits into the whole and how
effective that whole is.
Nature of the threat
Professor Paul Cornish and colleagues, Chatham House,
describe the nature of the threat:
In cyberspace the boundaries are blurred between
the military and the civilian, and between the physical and the
virtual; and power can be exerted by states or non-state actors,
or by proxy. [...] Cyberspace has made it possible for non-state
actors, commercial organisations and even individuals to acquire
the means and motivation for warlike activity.[12]
The UK Cyber Security Strategy notes that a number
of different groups - criminals, terrorists, politically-motivated
'hacktivists', foreign intelligence services and militaries - are
active today against the UK's interests in cyberspace, "but
with the borderless and anonymous nature of the internet, precise
attribution is often difficult and the distinction between adversaries
is increasingly blurred".[13]
Threats to security and information in the cyber domain include
state-sponsored attacks, ideological and political extremism,
serious organised crime, lower-level/individual crime, cyber protest,
cyber espionage and cyber terrorism.
The UK Cyber Security Strategy states that:
Some of the most sophisticated threats to the UK
in cyberspace come from other states which seek to conduct espionage
with the aim of spying on or compromising our government, military,
industrial or economic assets, as well as monitoring opponents
of their own regimes. 'Patriotic' hackers can act upon states'
behalf, to spread disinformation, disrupt critical services or
seek advantage during times of increased tension. In times of
conflict, vulnerabilities in cyberspace could be exploited by
an enemy to reduce our military's technological advantage, or
to reach past it to attack our critical infrastructure at home.[14]
The Strategy notes that "some states regard
cyberspace as providing a way to commit hostile acts 'deniably'.
Alongside our existing defence and security capabilities, the
UK must be capable of protecting our national interests in cyberspace."[15]
Techniques used by hostile actors in cyberspace are
various: malicious software (malware), networks of 'botnets'[16]
and 'logic bombs'[17]
can be employed to navigate target systems, retrieve sensitive
data or overrule command-and-control systems. GCHQ estimates that
80% or more of currently successful cyber attacks could be defeated
by simple best practice, such as updating anti-virus software
regularly.[18]
'Advanced Persistent Threat' (APT) is the term used
most often to describe subtle threats that are unlikely to be
deterred by simple cyber hygiene measures[19].
Traditional 'boundary' defences may not be effective against "more
subtle threats like APT and social engineering techniques"[20]
such as manipulating people into performing actions which lead
to confidential information being divulged.
Acts of aggression or malice in cyberspace differ
from those in other domains. Cyberspace is regarded as an asymmetric
domain, meaning that even adversaries of limited means can pose
a significant threat to military capabilities. Attribution of
attacks is difficult, time-consuming and sometimes impossible,
as is discerning motives (some security breaches may owe as much
to intellectual curiosity as intent to do harm). The then US Deputy
Secretary of Defense William J. Lynn further wrote:
In cyberspace, offence has the upper hand. The Internet
was designed to be collaborative and rapidly expandable and to
have low barriers to technological innovation; security and identity
management were lower priorities. For these structural reasons,
the US government's ability to defend its networks always lags
behind its adversaries' ability to exploit US networks' weaknesses.[21]
The Intelligence and Security Committee in its Annual
Report 2010-11 considered the activities of state actors in cyberspace:
Cyber space means that countries no longer have to
invest in global networks and pursue complex operations with high-level
agents when it comes to espionage: they can access much of the
same information using relatively inexpensive cyber attacks. The
Director General of the Security Service told us in February 2011
that "the barriers to entry to cyber espionage are quite
low. We have found a number of [ ] countries taking an interest
in this".[22]
In evidence provided to that Committee, GCHQ had
elaborated on the source of the threat:
The greatest threat of electronic attack continues
to be posed by State actors and, of those, Russia and China are
[suspected of carrying out] the majority of attacks. [...]. Their
targets are in Government as well as in industry. [...]. There
are also a number of other states with credible electronic attack
capabilities [...].[23]
We note the finding of the Intelligence and Security
Committee that the main purpose of such attacks is espionage and
the acquisition of information; however, there is a concern that
this capability could be turned towards disruption activities
- for example, interrupting supply of utility services.
The UK Cyber Security Strategy's executive summary
states that:
The networks on which we now rely for our daily lives
transcend organisational and national boundaries. Events in cyberspace
can happen at immense speed, outstripping traditional responses.
Although we have ways of managing risks in cyberspace, they do
not match this complex and dynamic environment. So we need a new
and transformative programme to improve our game domestically,
as well as continuing to work with other countries on an international
response.[24]
Asked whether current cyber threats were containable,
the Minister for the Armed Forces said:
I think that it would be bold to say that. It is
a very fast-changing threat. We recognise how serious it is and
that is why we give it the priority that we give it. [...] It
is something to which we take a very cautious approach.[25]
There is a consensus that cyberspace
is a complex and rapidly changing environment. In the remainder
of this report, we consider the implications for UK defence and
security.
1 Cabinet Office, A Strong Britain in an Age of Uncertainty:
The National Security Strategy, Cm 7953, para 3.27
2 "Hackers expose defence and intelligence officials in US
and UK", The Guardian, 8 January 2012
3 "Millions affected after cyber attack on HSBC", Daily
Telegraph, 19 October 2012
4 "UK firm 'lost £800m to cyber attack'", The Independent,
26 June 2012
5 Cabinet Office, UK Cyber Security Strategy
6 Cabinet Office, UK Cyber Security Strategy, Executive Summary
7 Cabinet Office, UK Cyber Security Strategy, para 4.12
8 Q 140
9 Q 98
10 Defence Committee, Developing threats: electro-magnetic pulses
(EMP), Tenth Report of Session 2010-12, 22 February 2012
11 For the interests of advisers, see Minutes of the Defence Committee,
13 July 2010, 13 September 2011, and 29 February 2012.
12 Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke,
On Cyber Warfare, Chatham House (November 2010)
13 Cabinet Office, UK Cyber Security Strategy, para 2.8
14 Cabinet Office, UK Cyber Security Strategy, para 2.5
15 Cabinet Office, UK Cyber Security Strategy, para 2.14
16 A network of private computers infected with malicious software
and controlled as a group without the owners' knowledge, for example,
to send spam.
17 A set of instructions secretly incorporated into a program so
that if a particular condition is satisfied they will be carried
out, usually with harmful effects.
18 Cabinet Office, UK Cyber Security Strategy, para 4.37
19 Cyber hygiene refers to steps that computer users can take to
improve their cyber-security and better protect themselves online.
20 Ev w12, para 37
21 William J. Lynn III (US Deputy Secretary of Defense), 'Defending
a new domain', Foreign Affairs, September/October 2010
22 Intelligence and Security Committee Annual Report 2010-11, para
188
23 'Update on the Nature of the Threat Posed by Electronic Attack',
Briefing provided by GCHQ, September 2010.
24 Cabinet Office, UK Cyber Security Strategy, Executive Summary
25 Q 95