2 MoD networks,
assets and capabilities
The increasing dependence of the Armed Forces on
information and communication technologyin weapons systems,
in satellite networks and in intelligence-gatheringintroduces
into operations many more points of vulnerability to cyber attack.
Symantec set out some of the ways in which cyber attackers could
threaten or compromise military networks and operations:
Depending on the motivation of the attacker, the
objectives could range from traditional signalling intelligence,
in which case the targeted systems are likely to be communication
and information systems, all the way to the creation of a deceptive
picture in the command structure, where sensor systems and observation
systems such as radars or satellites, or even Command and Control
systems, may be targeted. Attacking systems controlling the logistical
supply may also be an option in order to limit and strain the
regular supply of a running operation. Perhaps the most worrisome
scenario of all is a cyber attack that could render dysfunctional
main combat units such as airplanes or ships, or that could limit
their operational capability or reliability. [...] Moreover the
increased utilisation of robotic devices such as drones, battlefield
robots and UAVs over the battlefield has numerous advantages,
but also creates a new type of information security challenge
that is not yet fully understood, studied or realised.
The UK Cyber Security Strategy stated that "there
can be no such thing as absolute security". The Government
would, therefore, "apply a risk-based approach to prioritising
General Shaw, Assistant Chief of Defence Staff, elaborated on
what this meant in practice:
All organisations and all people need to make a very
severe and clear judgement on what is their vital information
that they really want to lock away, and what level of risk they
are prepared to take with all their information. [...] what you
have is a graduated response, because you can't defend everything.
You take risks on certain bits. That's how you cope with a penetrated
system. [...] making very clear commanders' judgments about what
information is vital and how tightly you are going to protect
it, and what bits we are just prepared to operate.
We asked General Shaw about the extent to which the
Armed Forces retained the ability to operate in a compromised
cyber environment. He stated that the UK had moved beyond "reversionary
that we could no longer depend on simple backup systems. However,
Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information
Integration, stated that: "In the Cold War we made sure that
we could cope without our principal systems. We must have fall-back
and contingency methods of operating, particularly in command
We therefore asked the Minister for the Armed Forces how the MoD
was mitigating the risks posed by the reliance on networked technologies.
His answer focused on improving security measures rather than
reverting to back-up non-networked technologies. He responded:
Belt and braces and backupssort of defence
in depth, I suppose you would say. By working with intelligence
and security agencies to assess the threat to our systems. By
putting in place, as far as we can, technical measures to protect
ourselves, restrict access and protect key data from compromise.
By carefully segregating the most sensitive systems, carefully
patrolling the links and gateways between different elements of
systems and ensuring elements are completely autonomous. It is
almost a sense of replicating in the cyber domain some of the
approaches we would take to security in the physical space.
Francis Maude MP, Minister for the Cabinet Office,
told us that "One of the challenges is that we do not know
what threat we will be facing next month, let alone in a year's
The evidence we received leaves
us concerned that with the Armed Forces now so dependent on information
and communications technology, should such systems suffer a sustained
cyber attack, their ability to operate could be fatally compromised.
Given the inevitable inadequacy of the measures available to protect
against a constantly changing and evolving threat, and given the
Minister for the Cabinet Office's comment, it is not enough for
the Armed Forces to do their best to prevent an effective attack.
In its response to this report the Government should set out details
of the contingency plans it has in place should such an attack
occur. If it has none, it should say so - and urgently create
and defending the network
Securing the networks on which UK military operations
depend is the foremost cyber-security responsibility of the MoD.
This role is not funded by the National Cyber Security Programme,
as, in the words of James Quinault, Director, Office of Cyber
Security and Information Assurance, Cabinet Office, it "ought
to be business as usual for the MoD".
In 2010, the MoD put in place three 'network authorities' which
have been assigned responsibilities for the governance and security
of the networks on which the MoD and the Armed Forces depend.
They are as follows:
The Network Capability Authority - led by the Deputy
Chief of Defence Staff (Capability), deals with the cyber-proofing
and information requirements of future systems;
The Network Technical Authority - develops technical
solutions to meet capability requirements and ensures that systems
and platforms linking with the Defence network are able to communicate
and will not introduce vulnerabilities;
The Network Operating Authority - provides day-to-day
operational management of the defence network, monitoring and
managing more than 750,000 configurable IT assets.
The latter two are teams within Defence Information
Systems and Services (ISS), part of Defence Equipment and Support,
which provides the procurement and support functions for integrated
information and communication services across the Armed Forces,
the Ministry of Defence and to overseas bases, operations and
ships. The Director of ISS reports to the Chief of Defence Materiel.
The Network Operating Authority, which delivers and
operates the MoD's own networks and defends them from attack,
is based within the Global Operations and Security Control Centre
(the GOSCC). The rationale for combining the two roles of 'operating'
and 'defending' the networks is not only that overlapping skills
are needed, but that defenders need to have an in-depth understanding
of how the network is used in order to identify abnormal performance
which might indicate the presence of threats. They also need to
be able to strike a balance between the two roles because "in
general, networks that are optimised to support business needs
are more vulnerable to cyber attack".
The Head of the GOSCC is empowered to take rapid action without
direction from above to defend the network when necessary. The
Centre is also responsible for ensuring that software applications,
updates and patches are applied consistently across MoD networks.
Staff at the GOSCC are a mix of military, MoD civilian
and contractor personnel from major industry partners involved
in delivering and supporting the MoD network; these include Fujitsu,
BT DFTS, Cassidian, EADS, Babcock and Paradigm.
These delivery partners have all been encouraged to establish
their commercial Network Operating Centre or Security Operating
Centre physically within the GOSCC.
Of the staff, only military personnel can be sent to operational
theatres if the need arises.
A Joint Cyber Unit ("joint" meaning across all the three
services, but also with links to GCHQ) has been established at
the GOSCC; MoD has described the GOSCC's role as "to proactively
and reactively defend MoD networks 24/7 against cyber attack to
enable agile exploitation of MoD information capabilities across
all areas of the Department's operations."
Changes to structures elsewhere in the MoD, particularly
the evolving role of Joint Forces Command and nature of Defence
Equipment and Support, will have an impact on cyber functions
in terms of who sets the requirements for and procures cyber capabilities
and equipment, and their relationship to those who operate those
capabilities and manage the networks that they use.
The MoD's most important cyber-security
responsibility is to manage and protect the systems and networks
on which the UK's Armed Forces depend. The Committee was impressed
with the GOSCC as a model of how industry contractors with particular
expertise can be integrated with MoD personnel, and reassured
by the clarity with which its mission was communicated. It is
clearly a world-class facility. Changes to the MoD's procurement
function will also have a bearing on the responsibilities of Information
Systems and Services as a whole, and we ask that the Secretary
of State keep Parliament informed about the impact of such changes
on ISS's cyber functions.
good cyber-security practice throughout MoD
Teams within the GOSCC have oversight of cyber-security
housekeeping and hygiene issues: spotting missing patches to software
and updating anti-virus measures, promoting the use of complex
passwords, spreading awareness of how personal information or
personal devices might be employed by cyber attackers, and running
exercises to check on progress. 'Mainstreaming' of cyber-security
throughout the MoD workforce is, however, also a responsibility
of the Defence Cyber Operations Group (DCOG) (discussed later
in this report). The
GOSCC constitutes a pool of expertise which can be drawn on to
spread good 'cyber hygiene' and awareness of everyday threats
throughout the Defence workforce. In its response to this report
the MoD should explain how the GOSCC ¡¯ s
capability and the experience of its staff can be linked to the
responsibility of the DCOG for bringing cyber-security into the
forefront of all Government does. We consider that the GOSCC should
be held up as a Centre of Excellence to promote good practice
within the MoD and other Government Departments.
the supply chain
Military operations depend not only on the security
of networks, but the security of equipment and components and
the supply chain which delivers them. The MoD therefore needs
to have confidence in the resilience of its industrial base and
supply chain to cyber attack. The UK Cyber Security Strategy and
the "National Security Through Technology" White Paper
published in February 2012 both committed the Government to raising
the standard of cyber-security expected from suppliers of sensitive
equipment. The Cabinet
Office has a supporting role in advising about the cyber-security
aspects of acquisition, and the Department for Business, Innovation
and Skills is working with GCHQ to develop a cyber kite-marking
system for Government suppliers more generally.
However, it is the MoD's responsibility to manage relations with
its own suppliers.
BAE Systems warned that "the increasing use
of Commercial Off-the-Shelf products and dependency on internet
protocol (as opposed to proprietary) networks will have brought
a wider range of vulnerabilities into MoD systems, some of which
will already be known to attackers."
Professor Sir David Omand, King's College London, argued that:
there is a conflict for defence between the current
fashion for buying things off the shelf at the cheapest price
and taking the time and expenditure to write computer code that
is genuinely secure. Somewhere, somebody in defence has to strike
a balance between those two. [...] If we go about just buying
stuff off the shelf, including computer software that has been
bundled together from pre-existing blocks of software, then I
am afraid we are making ourselves vulnerable.
We asked MoD witnesses what cyber-security measures
it requires its suppliers to take. The MoD's Chief Information
Officer, John Taylor told us that:
This is an area that we are giving increasing attention
to. I am not convinced we have got this quite right yet. As you
rightly say, we are very dependent on those suppliers. Having
[...] got our own house in reasonable order, we are now starting
to work particularly with our key suppliers to help them raise
their game in this space. I am clearly not going to talk about
any individual supplier but I think we are getting an understanding
of what that landscape looks like.
The Minister for the Armed Forces added:
There is a mutual recognition of and understanding
of the problem and a determination and will to help each other
improve our defences. I think that the ingredients are there to
get us to where we need to be, but it is a big task. As we have
already commented a couple of times, there is an ever-changing,
fast-evolving threat. You have to be very sure of yourself to
say that you have cracked the problem.
MoD witnesses described the range of factors that
are balanced when decisions are made to procure equipment and
network components 'off-the-shelf'. The Minister for the Armed
Forces acknowledged there was a potential risk, but this had to
be balanced with cost, speed and efficiency of delivery, the urgency
with which the piece of kit is needed, "and the extent to
which you have any known concerns about the product that the supplier
is potentially going to supply to you. If it has any components
that you have a concern about, you have quite a complex risk balance
He told us that "there is no reason why you wouldn't"
use commercial off-the-shelf products in cyber-defence systems,
subject to advice from the National Technical Authority about
whether the specific product was appropriate for the job.
The relationship of the MoD with its industrial suppliers
also depends on robust and honest information-sharing about attacks
and potential vulnerabilities. Contractors may in the past have
been reticent for commercial reasons to admit to cyber-security
incidents affecting their organisations, but MoD witnesses offered
the view that such relationships are becoming more open, and contractors
are increasingly willing to approach the MoD for help in the event
of an incident.
Under the UK Cyber Security Strategy, a pilot for
a joint private-public sector forum for pooling threat information
was established, defence being one of five sectors involved. In
its first annual progress report on the Cyber Security Strategy,
the Government reported that 160 companies had engaged successfully
in the pilot. The Government, in conjunction with industry, is
now developing a permanent information sharing environment called
CISP (Cyber-security Information Sharing Partnership) to be launched
in January 2013. Initially, this will be open to companies within
Critical National Infrastructure sectors, but membership will
be made available more broadly, including to SMEs, in a second
We appreciate the MoD witnesses'
frank assessment of the work still to be done on securing its
supply chain and industrial base. Despite this frankness, the
witnesses gave the impression that they believed that an admission
of the problem took them close to resolving the problem. It does
not. It is imperative that we see evidence of more urgent and
concrete action by suppliers to address this serious vulnerability,
and of energy and determination on the part of the MoD to enforce
this action. This evidence should include, for example, efforts
to improve the technical processes involved, identification of
adequate resources, and provision of training to address the human
aspects of good cyber defence.
military cyber capabilities
If the foremost responsibility of the MoD is to enable
and protect military operations, its next most important role
is to explore how military operations might be enhanced
by exploiting cyber tools and techniques. Witnesses told us that
'cyberwar'in the sense of a conflict entirely fought and
decisively won in cyberspacemay be a distant prospect,
but it was reasonable to expect the armed forces to explore how
they might gain a military advantage by delivering effects through
can in this sense be regarded as a 'fifth domain' of warfare,
presenting an opportunity as much as a threat, and the Minister
(Nick Harvey) set out an aspiration for the UK's Armed Forces
to do everything in cyberspace that they do in every other domain:
prevent, deter, coerce or intervene.
The development of military cyber-capabilities also
requires substantial investment in research and intelligence.
Witnesses emphasised the long lead-in times for cyber-weapons,
and that the effectiveness of such weapons depends on intelligence
and a willingness to tailor-make weapons particular to each target.
Professor Sir David Omand stated:
if you really want to knock out the enemy's air defence
system, you are going to have to design something very specifically
for that purpose.
Talking about the Stuxnet worm
as an example of a cyber-weapon, John Bassett noted that:
this is something that has clearly had a huge amount
of intellectual capital poured into it. [...] it could only be
used once for one thing, so we are really talking about almost
hand-crafted weapons in that sense. This is not something where
one can easily imagine a production line of high impact cyber-weapons.
The Strategic Defence and Security Review stated
that the Government would "work to develop, test and validate
the use of cyber capabilities as a potentially more effective
and affordable way of achieving our national security objectives".
The National Cyber Security Programme's funding to the MoD is
partly to be used for the purpose of developing such capabilities.
Joint Forces Command is to take the lead in the "development
and integration of defence cyber capabilities", but the main
focus for this activity will be the Defence Cyber Operations Group
(DCOG), which reports to the Joint Forces Commander.
The DCOG, due to be fully operational by March 2015,
is a federation of cyber units working closely together to deliver
a defence capability. It will mainstream cyber-security throughout
the MoD and ensure the coherent integration of cyber activities
across the spectrum of defence operations.
The role of the DCOG was described by MoD as to "ensure
coherence across Defence planning for cyber operations and ensuring
that commanders have situational awareness of the impact of cyberspace
on their operations, and [are] able to use cyber tools and techniques
to assist them in conducting successful operations."
General Shaw, Assistant Chief of Defence Staff, told us that:
"What we have learned over the past year about the nature
of operating in cyberspace means that the idea that we can just
have cyber defence as one hived-off piece has been overtaken conceptually."
He argued that the military needed to reach the stage where "cyber
is not seen as something separate". He continued:
Cyber is just another effect, or rather, to put it
another way, it is merely the latest medium through which to achieve
effect. Therefore, all the normal effects that we try to achieve,
and all the normal relationships that we have, suddenly have a
cyber dimension to them or cyber ways of achieving them.
The full list of tasks and responsibilities given
to the DCOG is long and varied, and includes developing a recognised
career structure in cyber, "agile procurement and rapid pull
through of research and development", putting in place robust
structures for intelligence support with GCHQ, and factoring in
cyber resilience to all MoD equipment.
We were told by the MoD after the final evidence
session that it is currently working on plans to form a Joint
Forces Cyber Group (JFCyG), with the aim of bringing all aspects
of cyber affecting operations under one unified command structure.
The JFCyG will not replace the DCOG, but brings a number of the
elements that previously existed within it together to improve
coordination of effort and increase efficiency in operational
A Joint Cyber Unit within DCOGdistinct from
that based within the GOSCCis to work with GCHQ on developing
"new tactics, techniques and plans to deliver military effects,
including enhanced security, through operations in cyberspace,"
and will be fully operational by 2015.
GCHQ is recognised as the pre-eminent national repository of expertise
in the cyber field, and is, according to the Minister for the
Armed Forces, "performing the central role that in some of
our allied countries would be exercised somewhere within the defence
Shaw told us that:
the British response to the cyber threat [...] is
to create a national bucket of capability, from which everyone
draws. [...] That one bucket of expertise is GCHQ. We are contributing
personnel into it to ensure that in the development of cyber-capability
there are military people there, both to add their expertise to
that development and to give the military input on what sorts
of effects we might be looking for in cyber-space.
Air Commodore Bishop, Head of the GOSCC, explained
that information and staff exchanges between the MoD and GCHQ
were well developed, and included the sharing of "for want
of a better word, our tradecraft: tactics, techniques and procedures,
and the way we would address issues when they arise".
Air Commodore Bishop also assured us that command and control
arrangements were "very clear".
We consider that the opportunity
created by cyber tools and techniques to enhance the military
capabilities of our Armed Forces should be explored thoroughly
by the MoD. To this end, we support the use of National Cyber
Security Programme funding for the purpose of developing such
capabilities. In addition, the opportunity to draw upon capabilities
from strategic partners, particularly the USA, should be fully
within the MoD
Structures and lines of responsibility within the
MoD for cyber-security appear not yet to be set in stone. In mid-2012,
MoD conducted a Directorate of Operational Capability review of
command and control "governance" and "the detailed
relationships between the different components of the cyber world".
John Taylor, MoD Chief Information Officer, told us that this
came about as a result of transformation processes within the
MoD, notably the formation of the Joint Forces Command.
General Shaw, Assistant Chief of Defence Staff, described the
purpose of the DOC audit as to consider "how we achieve unity".
He also commented that the creation of the Joint Forces Command
"instituted a new process, which has yet to be finally decided
The MoD has said that the DCOG, which is part of
Joint Forces Command, would assist in concentrating all cyber
expertise in one structure. There are, however, significant exceptions
to this: the GOSCC, the Research and Development function at Porton
Down, and "cyber policy" in MoD Main Building all remain
outside the ambit of the DCOG. The logic for the organisational
split between GOSCC and DCOG is not clear to us: the skills, techniques
and tools required for network defence and for the development
of capabilities overlap significantly. The relationship between
the Chief Information Officer and the Joint Forces Commander has
been described by the MoD as "operating together closely
in a 'supporting' and 'supported' relationship to achieve a Single
Information Enterprise across Defence", a description which
does little to help us understand where responsibility ultimately
Good cyber-security practice needs
to permeate the whole of the MoD and the Armed Forces. It would
be a cause for concern if different units were to compete for
particular roles and resources, if lines of accountability were
to be unclear, if they were to operate in silos that would obstruct
the best use of skills across the organisation, or if policy were
to become fragmented.
The MoD's thinking on the best internal
structures for cyber-security appears to us to be still developing,
particularly as the Joint Forces Command becomes more established.
Getting this right must be a top priority. We recommend that the
MoD should report to Parliament regularly about proposed and actual
changes to those structures, and improvements in delivery that
come about as a result.
At present the stated unifying role
of the DCOG is more illusory than real, and among its long list
of tasks are some which appear to overlap with those of the GOSCC
or Information Services and Systems more generally. We urge the
MoD to communicate its cyber-security structures a more comprehensible
fashion, setting out strands of work and lines of accountability
unambiguously. Only by doing this can we be assured that there
is indeed clarity about roles and responsibilities within the
MoD and the Armed Forces. We recommend, in particular, that the
respective roles of the Chief Information Officer and the Joint
Forces Commander are clarified in relation to cyber-security.
26 Paul Cornish, David Livingstone, Dave Clemente and
Claire Yorke, On Cyber Warfare, Chatham House (November
Ev w24 Back
Cabinet Office, UK Cyber Security Strategy, para 3.2 Back
Q 57 Back
Q 61 Back
Q 63 Back
Q 111 Back
Q 153 Back
Q 180 Back
Q 82; see also MoD Defence ICT Strategy, October 2010; Ev 48-9 Back
Ev 49 Back
Ev 44 Back
Ev 48 Back
Q 87 Back
Ev 44 Back
MoD, National Security Through Technology: Technology, Equipment
and Support for UK Defence and Security, Cm 8278, para 160; Cabinet
Office, UK Cyber Security Strategy, para 4.5 Back
Qq 216-7; Q 76 Back
Q 214 Back
DCS 006, para 6; DCS 011, para 16 Back
Q 13 Back
Q 76 Back
Q 114 Back
Q 115 Back
Q 116 Back
Q 114 Back
Cabinet Office, Written Ministerial Statement, 3 December 2012 Back
Qq 9-10; Q 31 Back
Nick Harvey MP, speech at Chatham House, November 2010; Q 122
Q 60 and 65 Back
Q 21 Back
Stuxnet is a highly sophisticated computer virus (a complex computer
code). First discovered in June 2010, Stuxnet spread via Microsoft
Windows, and targeted Siemens industrial control systems, including
those used in the energy sector to control nuclear and gas infrastructure. Back
Q 21 Back
Strategic Defence and Security Review, 19 October 2010 Back
Cabinet Office, UK Cyber Security Strategy Back
Ev 44 Back
Q 38 Back
Q 36; Q 43 Back
Ev 44 Back
Q 81 Back
Q 39 Back
Q 78 Back
Q 82 Back
Q 36 Back
Q 84 Back
Q 36 Back