2 MoD networks, assets and capabilities
The increasing dependence of the Armed Forces on
information and communication technology - in weapons systems,
in satellite networks and in intelligence-gathering - introduces
into operations many more points of vulnerability to cyber attack.[26]
Symantec set out some of the ways in which cyber attackers could
threaten or compromise military networks and operations:
Depending on the motivation of the attacker, the
objectives could range from traditional signalling intelligence,
in which case the targeted systems are likely to be communication
and information systems, all the way to the creation of a deceptive
picture in the command structure, where sensor systems and observation
systems such as radars or satellites, or even Command and Control
systems, may be targeted. Attacking systems controlling the logistical
supply may also be an option in order to limit and strain the
regular supply of a running operation. Perhaps the most worrisome
scenario of all is a cyber attack that could render dysfunctional
main combat units such as airplanes or ships, or that could limit
their operational capability or reliability. [...] Moreover the
increased utilisation of robotic devices such as drones, battlefield
robots and UAVs over the battlefield has numerous advantages,
but also creates a new type of information security challenge
that is not yet fully understood, studied or realised.[27]
The UK Cyber Security Strategy stated that "there
can be no such thing as absolute security". The Government
would, therefore, "apply a risk-based approach to prioritising
our response."[28]
General Shaw, Assistant Chief of Defence Staff, elaborated on
what this meant in practice:
All organisations and all people need to make a very
severe and clear judgement on what is their vital information
that they really want to lock away, and what level of risk they
are prepared to take with all their information. [...] what you
have is a graduated response, because you can't defend everything.
You take risks on certain bits. That's how you cope with a penetrated
system. [...] making very clear commanders' judgments about what
information is vital and how tightly you are going to protect
it, and what bits we are just prepared to operate.[29]
We asked General Shaw about the extent to which the
Armed Forces retained the ability to operate in a compromised
cyber environment. He stated that the UK had moved beyond "reversionary
modes"[30], meaning
that we could no longer depend on simple backup systems. However,
Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information
Integration, stated that: "In the Cold War we made sure that
we could cope without our principal systems. We must have fall-back
and contingency methods of operating, particularly in command
and control."[31]
We therefore asked the Minister for the Armed Forces how the MoD
was mitigating the risks posed by the reliance on networked technologies.
His answer focused on improving security measures rather than
reverting to back-up non-networked technologies. He responded:
Belt and braces and backups - sort of defence
in depth, I suppose you would say. By working with intelligence
and security agencies to assess the threat to our systems. By
putting in place, as far as we can, technical measures to protect
ourselves, restrict access and protect key data from compromise.
By carefully segregating the most sensitive systems, carefully
patrolling the links and gateways between different elements of
systems and ensuring elements are completely autonomous. It is
almost a sense of replicating in the cyber domain some of the
approaches we would take to security in the physical space.[32]
Francis Maude MP, Minister for the Cabinet Office,
told us that "One of the challenges is that we do not know
what threat we will be facing next month, let alone in a year's
time"[33].
The evidence we received leaves
us concerned that with the Armed Forces now so dependent on information
and communications technology, should such systems suffer a sustained
cyber attack, their ability to operate could be fatally compromised.
Given the inevitable inadequacy of the measures available to protect
against a constantly changing and evolving threat, and given the
Minister for the Cabinet Office's comment, it is not enough for
the Armed Forces to do their best to prevent an effective attack.
In its response to this report the Government should set out details
of the contingency plans it has in place should such an attack
occur. If it has none, it should say so - and urgently create
some.
Operating and defending the network
Securing the networks on which UK military operations
depend is the foremost cyber-security responsibility of the MoD.
This role is not funded by the National Cyber Security Programme,
as, in the words of James Quinault, Director, Office of Cyber
Security and Information Assurance, Cabinet Office, it "ought
to be business as usual for the MoD".[34]
In 2010, the MoD put in place three 'network authorities' which
have been assigned responsibilities for the governance and security
of the networks on which the MoD and the Armed Forces depend.
They are as follows:
The Network Capability Authority - led by the Deputy
Chief of Defence Staff (Capability), deals with the cyber-proofing
and information requirements of future systems;
The Network Technical Authority - develops technical
solutions to meet capability requirements and ensures that systems
and platforms linking with the Defence network are able to communicate
and will not introduce vulnerabilities;
The Network Operating Authority - provides day-to-day
operational management of the defence network, monitoring and
managing more than 750,000 configurable IT assets.[35]
The latter two are teams within Defence Information
Systems and Services (ISS), part of Defence Equipment and Support,
which provides the procurement and support functions for integrated
information and communication services across the Armed Forces,
the Ministry of Defence and to overseas bases, operations and
ships. The Director of ISS reports to the Chief of Defence Materiel.
The Network Operating Authority, which delivers and
operates the MoD's own networks and defends them from attack,
is based within the Global Operations and Security Control Centre
(the GOSCC). The rationale for combining the two roles of 'operating'
and 'defending' the networks is not only that overlapping skills
are needed, but that defenders need to have an in-depth understanding
of how the network is used in order to identify abnormal performance
which might indicate the presence of threats. They also need to
be able to strike a balance between the two roles because "in
general, networks that are optimised to support business needs
are more vulnerable to cyber attack".[36]
The Head of the GOSCC is empowered to take rapid action without
direction from above to defend the network when necessary. The
Centre is also responsible for ensuring that software applications,
updates and patches are applied consistently across MoD networks.
Staff at the GOSCC are a mix of military, MoD civilian
and contractor personnel from major industry partners involved
in delivering and supporting the MoD network; these include Fujitsu,
BT DFTS, Cassidian, EADS, Babcock and Paradigm.[37]
These delivery partners have all been encouraged to establish
their commercial Network Operating Centre or Security Operating
Centre physically within the GOSCC.[38]
Of the staff, only military personnel can be sent to operational
theatres if the need arises.[39]
A Joint Cyber Unit ("joint" meaning across all the three
services, but also with links to GCHQ) has been established at
the GOSCC; MoD has described the GOSCC's role as "to proactively
and reactively defend MoD networks 24/7 against cyber attack to
enable agile exploitation of MoD information capabilities across
all areas of the Department's operations."[40]
Changes to structures elsewhere in the MoD, particularly
the evolving role of Joint Forces Command and nature of Defence
Equipment and Support, will have an impact on cyber functions
in terms of who sets the requirements for and procures cyber capabilities
and equipment, and their relationship to those who operate those
capabilities and manage the networks that they use.
The MoD's most important cyber-security
responsibility is to manage and protect the systems and networks
on which the UK's Armed Forces depend. The Committee was impressed
with the GOSCC as a model of how industry contractors with particular
expertise can be integrated with MoD personnel, and reassured
by the clarity with which its mission was communicated. It is
clearly a world-class facility. Changes to the MoD's procurement
function will also have a bearing on the responsibilities of Information
Systems and Services as a whole, and we ask that the Secretary
of State keep Parliament informed about the impact of such changes
on ISS's cyber functions.
Promoting good cyber-security practice throughout MoD
Teams within the GOSCC have oversight of cyber-security
housekeeping and hygiene issues: spotting missing patches to software
and updating anti-virus measures, promoting the use of complex
passwords, spreading awareness of how personal information or
personal devices might be employed by cyber attackers, and running
exercises to check on progress. 'Mainstreaming' of cyber-security
throughout the MoD workforce is, however, also a responsibility
of the Defence Cyber Operations Group (DCOG) (discussed later
in this report). The
GOSCC constitutes a pool of expertise which can be drawn on to
spread good 'cyber hygiene' and awareness of everyday threats
throughout the Defence workforce. In its response to this report
the MoD should explain how the GOSCC's
capability and the experience of its staff can be linked to the
responsibility of the DCOG for bringing cyber-security into the
forefront of all Government does. We consider that the GOSCC should
be held up as a Centre of Excellence to promote good practice
within the MoD and other Government Departments.
Securing the supply chain
Military operations depend not only on the security
of networks, but the security of equipment and components and
the supply chain which delivers them. The MoD therefore needs
to have confidence in the resilience of its industrial base and
supply chain to cyber attack. The UK Cyber Security Strategy and
the "National Security Through Technology" White Paper
published in February 2012 both committed the Government to raising
the standard of cyber-security expected from suppliers of sensitive
equipment.[41] The Cabinet
Office has a supporting role in advising about the cyber-security
aspects of acquisition, and the Department for Business, Innovation
and Skills is working with GCHQ to develop a cyber kite-marking
system for Government suppliers more generally.[42]
However, it is the MoD's responsibility to manage relations with
its own suppliers.[43]
BAE Systems warned that "the increasing use
of Commercial Off-the-Shelf products and dependency on internet
protocol (as opposed to proprietary) networks will have brought
a wider range of vulnerabilities into MoD systems, some of which
will already be known to attackers."[44]
Professor Sir David Omand, King's College London, argued that:
there is a conflict for defence between the current
fashion for buying things off the shelf at the cheapest price
and taking the time and expenditure to write computer code that
is genuinely secure. Somewhere, somebody in defence has to strike
a balance between those two. [...] If we go about just buying
stuff off the shelf, including computer software that has been
bundled together from pre-existing blocks of software, then I
am afraid we are making ourselves vulnerable.[45]
We asked MoD witnesses what cyber-security measures
it requires its suppliers to take. The MoD's Chief Information
Officer, John Taylor, told us that:
This is an area that we are giving increasing attention
to. I am not convinced we have got this quite right yet. As you
rightly say, we are very dependent on those suppliers. Having
[...] got our own house in reasonable order, we are now starting
to work particularly with our key suppliers to help them raise
their game in this space. I am clearly not going to talk about
any individual supplier but I think we are getting an understanding
of what that landscape looks like.[46]
The Minister for the Armed Forces added:
There is a mutual recognition of and understanding
of the problem and a determination and will to help each other
improve our defences. I think that the ingredients are there to
get us to where we need to be, but it is a big task. As we have
already commented a couple of times, there is an ever-changing,
fast-evolving threat. You have to be very sure of yourself to
say that you have cracked the problem.[47]
MoD witnesses described the range of factors that
are balanced when decisions are made to procure equipment and
network components 'off-the-shelf'. The Minister for the Armed
Forces acknowledged there was a potential risk, but this had to
be balanced with cost, speed and efficiency of delivery, the urgency
with which the piece of kit is needed, "and the extent to
which you have any known concerns about the product that the supplier
is potentially going to supply to you. If it has any components
that you have a concern about, you have quite a complex risk balance
to perform."[48]
He told us that "there is no reason why you wouldn't"
use commercial off-the-shelf products in cyber-defence systems,
subject to advice from the National Technical Authority about
whether the specific product was appropriate for the job.[49]
The relationship of the MoD with its industrial suppliers
also depends on robust and honest information-sharing about attacks
and potential vulnerabilities. Contractors may in the past have
been reticent for commercial reasons to admit to cyber-security
incidents affecting their organisations, but MoD witnesses offered
the view that such relationships are becoming more open, and contractors
are increasingly willing to approach the MoD for help in the event
of an incident.[50]
Under the UK Cyber Security Strategy, a pilot for
a joint private-public sector forum for pooling threat information
was established, defence being one of five sectors involved. In
its first annual progress report on the Cyber Security Strategy,
the Government reported that 160 companies had engaged successfully
in the pilot. The Government, in conjunction with industry, is
now developing a permanent information sharing environment called
CISP (Cyber-security Information Sharing Partnership) to be launched
in January 2013. Initially, this will be open to companies within
Critical National Infrastructure sectors, but membership will
be made available more broadly, including to SMEs, in a second
phase.[51]
We appreciate the MoD witnesses'
frank assessment of the work still to be done on securing its
supply chain and industrial base. Despite this frankness, the
witnesses gave the impression that they believed that an admission
of the problem took them close to resolving the problem. It does
not. It is imperative that we see evidence of more urgent and
concrete action by suppliers to address this serious vulnerability,
and of energy and determination on the part of the MoD to enforce
this action. This evidence should include, for example, efforts
to improve the technical processes involved, identification of
adequate resources, and provision of training to address the human
aspects of good cyber defence.
Developing military cyber capabilities
If the foremost responsibility of the MoD is to enable
and protect military operations, its next most important role
is to explore how military operations might be enhanced
by exploiting cyber tools and techniques. Witnesses told us that
'cyberwar' - in the sense of a conflict entirely fought and
decisively won in cyberspace - may be a distant prospect,
but it was reasonable to expect the armed forces to explore how
they might gain a military advantage by delivering effects through
cyberspace.[52] Cyber
can in this sense be regarded as a 'fifth domain' of warfare,
presenting an opportunity as much as a threat, and the Minister
(Nick Harvey) set out an aspiration for the UK's Armed Forces
to do everything in cyberspace that they do in every other domain:
prevent, deter, coerce or intervene.[53]
The development of military cyber-capabilities also
requires substantial investment in research and intelligence.
Witnesses emphasised the long lead-in times for cyber-weapons,
and that the effectiveness of such weapons depends on intelligence
and a willingness to tailor-make weapons particular to each target.[54]
Professor Sir David Omand stated:
if you really want to knock out the enemy's air defence
system, you are going to have to design something very specifically
for that purpose.[55]
Talking about the Stuxnet worm[56]
as an example of a cyber-weapon, John Bassett noted that:
this is something that has clearly had a huge amount
of intellectual capital poured into it. [...] it could only be
used once for one thing, so we are really talking about almost
hand-crafted weapons in that sense. This is not something where
one can easily imagine a production line of high impact cyber-weapons.[57]
The Strategic Defence and Security Review stated
that the Government would "work to develop, test and validate
the use of cyber capabilities as a potentially more effective
and affordable way of achieving our national security objectives".[58]
The National Cyber Security Programme's funding to the MoD is
partly to be used for the purpose of developing such capabilities.[59]
Joint Forces Command is to take the lead in the "development
and integration of defence cyber capabilities", but the main
focus for this activity will be the Defence Cyber Operations Group
(DCOG), which reports to the Joint Forces Commander.
The DCOG, due to be fully operational by March 2015,
is a federation of cyber units working closely together to deliver
a defence capability. It will mainstream cyber-security throughout
the MoD and ensure the coherent integration of cyber activities
across the spectrum of defence operations.
The role of the DCOG was described by MoD as to "ensure
coherence across Defence planning for cyber operations and ensuring
that commanders have situational awareness of the impact of cyberspace
on their operations, and [are] able to use cyber tools and techniques
to assist them in conducting successful operations."[60]
General Shaw, Assistant Chief of Defence Staff, told us that:
"What we have learned over the past year about the nature
of operating in cyberspace means that the idea that we can just
have cyber defence as one hived-off piece has been overtaken conceptually."[61]
He argued that the military needed to reach the stage where "cyber
is not seen as something separate". He continued:
Cyber is just another effect, or rather, to put it
another way, it is merely the latest medium through which to achieve
effect. Therefore, all the normal effects that we try to achieve,
and all the normal relationships that we have, suddenly have a
cyber dimension to them or cyber ways of achieving them.[62]
The full list of tasks and responsibilities given
to the DCOG is long and varied, and includes developing a recognised
career structure in cyber, "agile procurement and rapid pull
through of research and development", putting in place robust
structures for intelligence support with GCHQ, and factoring in
cyber resilience to all MoD equipment.
We were told by the MoD after the final evidence
session that it is currently working on plans to form a Joint
Forces Cyber Group (JFCyG), with the aim of bringing all aspects
of cyber affecting operations under one unified command structure.
The JFCyG will not replace the DCOG, but brings a number of the
elements that previously existed within it together to improve
coordination of effort and increase efficiency in operational
planning.
A Joint Cyber Unit within DCOG - distinct from
that based within the GOSCC - is to work with GCHQ on developing
"new tactics, techniques and plans to deliver military effects,
including enhanced security, through operations in cyberspace,"
and will be fully operational by 2015.[63]
GCHQ is recognised as the pre-eminent national repository of expertise
in the cyber field, and is, according to the Minister for the
Armed Forces, "performing the central role that in some of
our allied countries would be exercised somewhere within the defence
arena".[64] General
Shaw told us that:
the British response to the cyber threat [...] is
to create a national bucket of capability, from which everyone
draws. [...] That one bucket of expertise is GCHQ. We are contributing
personnel into it to ensure that in the development of cyber-capability
there are military people there, both to add their expertise to
that development and to give the military input on what sorts
of effects we might be looking for in cyber-space.[65]
Air Commodore Bishop, Head of the GOSCC, explained
that information and staff exchanges between the MoD and GCHQ
were well developed, and included the sharing of "for want
of a better word, our tradecraft: tactics, techniques and procedures,
and the way we would address issues when they arise".[66]
Air Commodore Bishop also assured us that command and control
arrangements were "very clear".[67]
We consider that the opportunity
created by cyber tools and techniques to enhance the military
capabilities of our Armed Forces should be explored thoroughly
by the MoD. To this end, we support the use of National Cyber
Security Programme funding for the purpose of developing such
capabilities. In addition, the opportunity to draw upon capabilities
from strategic partners, particularly the USA, should be fully
exploited.
Structures within the MoD
Structures and lines of responsibility within the
MoD for cyber-security appear not yet to be set in stone. In mid-2012,
MoD conducted a Directorate of Operational Capability review of
command and control "governance" and "the detailed
relationships between the different components of the cyber world".[68]
John Taylor, MoD Chief Information Officer, told us that this
came about as a result of transformation processes within the
MoD, notably the formation of the Joint Forces Command.[69]
General Shaw, Assistant Chief of Defence Staff, described the
purpose of the DOC audit as to consider "how we achieve unity".
He also commented that the creation of the Joint Forces Command
"instituted a new process, which has yet to be finally decided
upon".[70]
The MoD has said that the DCOG, which is part of
Joint Forces Command, would assist in concentrating all cyber
expertise in one structure. There are, however, significant exceptions
to this: the GOSCC, the Research and Development function at Porton
Down, and "cyber policy" in MoD Main Building all remain
outside the ambit of the DCOG. The logic for the organisational
split between GOSCC and DCOG is not clear to us: the skills, techniques
and tools required for network defence and for the development
of capabilities overlap significantly. The relationship between
the Chief Information Officer and the Joint Forces Commander has
been described by the MoD as "operating together closely
in a 'supporting' and 'supported' relationship to achieve a Single
Information Enterprise across Defence", a description which
does little to help us understand where responsibility ultimately
lies.
Good cyber-security practice needs
to permeate the whole of the MoD and the Armed Forces. It would
be a cause for concern if different units were to compete for
particular roles and resources, if lines of accountability were
to be unclear, if they were to operate in silos that would obstruct
the best use of skills across the organisation, or if policy were
to become fragmented.
The MoD's thinking on the best internal
structures for cyber-security appears to us to be still developing,
particularly as the Joint Forces Command becomes more established.
Getting this right must be a top priority. We recommend that the
MoD should report to Parliament regularly about proposed and actual
changes to those structures, and improvements in delivery that
come about as a result.
At present the stated unifying role
of the DCOG is more illusory than real, and among its long list
of tasks are some which appear to overlap with those of the GOSCC
or Information Services and Systems more generally. We urge the
MoD to communicate its cyber-security structures in a more comprehensible
fashion, setting out strands of work and lines of accountability
unambiguously. Only by doing this can we be assured that there
is indeed clarity about roles and responsibilities within the
MoD and the Armed Forces. We recommend, in particular, that the
respective roles of the Chief Information Officer and the Joint
Forces Commander are clarified in relation to cyber-security.
26 Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke, On Cyber Warfare, Chatham House (November 2010)
27 Ev w24
28 Cabinet Office, UK Cyber Security Strategy, para 3.2
29 Q 57
30 Q 61
31 Q 63
32 Q 111
33 Q 153
34 Q 180
35 Q 82; see also MoD Defence ICT Strategy, October 2010; Ev 48-9
36 Ev 49
37 Ev 44
38 Ev 48
39 Q 87
40 Ev 44
41 MoD, National Security Through Technology: Technology, Equipment and Support for UK Defence and Security, Cm 8278, para 160; Cabinet Office, UK Cyber Security Strategy, para 4.5
42 Qq 216-7; Q 76
43 Q 214
44 DCS 006, para 6; DCS 011, para 16
45 Q 13
46 Q 76
47 Q 114
48 Q 115
49 Q 116
50 Q 114
51 Cabinet Office, Written Ministerial Statement, 3 December 2012
52 Qq 9-10; Q 31
53 Nick Harvey MP, speech at Chatham House, November 2010; Q 122
54 Q 60 and 65
55 Q 21
56 Stuxnet is a highly sophisticated computer virus (a complex computer code). First discovered in June 2010, Stuxnet spread via Microsoft Windows, and targeted Siemens industrial control systems, including those used in the energy sector to control nuclear and gas infrastructure.
57 Q 21
58 Strategic Defence and Security Review, 19 October 2010
59 Cabinet Office, UK Cyber Security Strategy
60 Ev 44
61 Q 38
62 Q 36; Q 43
63 Ev 44
64 Q 81
65 Q 39
66 Q 78
67 Q 82
68 Q 36
69 Q 84
70 Q 36