5 Resources and
skills supporting military activity in cyberspace|
A constant theme in the literature
and comment about cyber-security is the rapid pace at which threats
develop and evolve.
Professor Paul Cornish and
colleagues, Chatham House, have written that:
The pace of change can be so abrupt as to render
the action/reaction cycle of traditional strategy out of date
before it has begun. [...] It is as if a government operational
analyst has been sent to observe the effects in battle of the
flintlock musket, only to discover upon arrival that the Maxim
gun has been invented.
Not only does the technology develop rapidly, but,
as John Bassett of RUSI said, "people are actually capable
of using these things in unexpected and unforeseen ways very much
sooner than the technology changes".
As noted earlier in this report, Francis Maude MP, Minister for
the Cabinet Office, told us that "One of the challenges is
that we do not know what threat we will be facing next month,
let alone in a year's time" .
Professor Brian Collins, a former Chief Scientific
Adviser in the Department for Business, Innovation and Skills
and the Department for Transport, argued that the necessary tools
are not yet in place across Government to understand and plan
in this way:
If I had suggested three years ago that people would
be organising riots in the streets using Facebook, no one would
have even understood what the words meant. Last summer, that is
what we saw. Now, if you say to law enforcement or, indeed, maybe
to parts of our military operations, 'Do you expect to see those
sorts of applications being used to organise a significant threat
to us?', I do not believe that we have the mechanisms in place
a priori, as opposed to by way of response, to anticipate
where some of those things may be hitting us.
He went on to say that across government "there
is maybe too much emphasis on the short-term tactical as opposed
to the long-term strategic".
Tactically, I don't think we are in bad shape at
all. However, to be in a situation in which you can anticipate
where some of these things might be coming from is a combination
of intelligence-gathering [...] together with some idea of where
individuals or groups might be taking their thinking, when we
would regard that as undesirable for us. That horizon-scanning
function is a piece that I see missing.
Francis Maude MP, Minister for the Cabinet Office,
told us that he was confident that the Government had the capacity
to keep up with the latest threats, pointing out, however, that
the Cabinet Office proposals for civil service reform explicitly
referred to the need to strengthen horizon-scanning across Government.
James Quinault said that "intelligence and anticipation of
the threat" was a thread in many of the funding allocations
that had been made from the National Cyber Security Programme,
and had been a particular feature of the investment in GCHQ. Research
strands in other departmental programmes relate to cyber-crime
and e-business, where the objectives of attacks may differ, but
much of the same technology is employed.
Similarly, Air Commodore Bishop, Head of the GOSCC,
highlighted the value of the MoD sharing threat information and
security techniques with industry, because the means of attack
against both these targets were often the same.
MoD evidence states that £80 million a year
is being provided for research in the related areas of cyber and
influence, through the Cyber and Influence Science and Technology
Centre at Porton Down, by working with research councils, and
by investing in pan-Government programmes that place work in universities
and designate a number of universities as centres of excellence.
The MoD is also funding a programme of
studies at Seaford House, London (part of the Defence Academy),
to consider the future character of conflict, and the implications
of the developing cyber-threat for the security environment.
When we invited the then Minister for the Armed Forces to comment
on whether the proportion of the Ministry of Defence budget being
spent on research and development was, at 1.2%, currently too
low, he agreed.
We have considered the issue of the percentage of
the defence budget which is spent on research and development
in the course of our inquiry into Defence Acquisition: there is
general agreement that it is currently too low. This applies to
cyber-security as much as to any other field. The
rapidly changing nature of the cyber threat demands that a premium
be placed on research and development to enable the MoD to keep
pace with, understand and anticipate that threat. We recommend
that this should be addressed. The Government should also make
it a priority to develop robust protocols for sharing information
with industry to allow expertise to be pooled, and we recommend
that the MoD set out clearly in its response to this report how
it will do so.
- skills and capability
The UK Cyber Security Strategy noted that people
with a deep understanding of cyberspace and how it is developing
are currently "a scarce resource" across both Government
and the business world, and set as one of its main aims the development
of knowledge, skills and capability sufficient to underpin all
the UK's cyber-security objectives.
'Cyber Future Force' is one of four strands of work in the Defence
Cyber Security Programme, and will design the cyber component
of Future Force 2020.
The MoD's intention
is to "embed" cyber skills throughout Defence by 2015,
and all MoD personnel will receive some degree of education in
cyber awareness. Those in operational command roles will be trained
to integrate the cyber domain with operations. Specialist training
will be provided to those in dedicated cyber roles, and their
skills will be recorded against a cyber competency framework on
HR systems. The
MoD stated that it would "grow a cadre of dedicated cyber
We note a degree of concern expressed
in evidence to our inquiry that the MoD does not have sufficient
skills at its disposal in this area.
IT industry body Intellect stated that:
The perception of industry is that the MoD does not
appear to have sufficient skills available for modern cyber-based
] there may be scope for an enhanced military-industry
partnership to address this capability gap. [
members commented that within MoD there are individuals with an
extremely high level of cyber knowledge, however recent movements
in personnel across Government have affected the MoD's cyber capacity.
concluded that greater investment in education, both within academia
and government, was necessary to ensure sufficient future capability.
Dave Clemente, a researcher at Chatham House, wrote:
Some sensitive tasks cannot be contracted to foreign
nationals, and it will be necessary to develop UK talent [
Talent retention is a regular concern and one that is becoming
more urgent. Cyber-security experts can earn far more in the private
sector than in government, and more thought needs to be given
to retaining and incentivising talent.
Bassett, RUSI, when asked what the MoD's priorities in cyber-security
should be, responded:
It is about ensuring that we have enough good people
in the Ministry of Defence, other parts of Government, academia
and industry, and I think that we do not have anything like enough
at the moment. I think that growing and skilling the people is,
for me, the single most important thing for us to do.
We observed during our visit to the GOSCC that the
application of the usual length of Armed Forces rotation to a
post in cyber-security results not only in churn, but in potential
dissatisfaction for personnel who develop a cyber specialism but
subsequently are given little opportunity to build on or pursue
this. To counteract this, the GOSCC is not only actively searching
for personnel throughout the Forces who may have the necessary
skills or aptitude, it is trying to ensure that staff who develop
those skills are tracked throughout their careers so that they
can be re-deployed in this area if necessary. Air Commodore Bishop
described the range of backgrounds that could be put to use in
the Centre: "We are looking at people with intelligence backgrounds,
we are looking at people with technical backgrounds and we are
looking at people with police backgrounds, because there was always
a forensic and potential police issue around some of the stuff
that we do."
John Taylor explained that the MoD was "agnostic" about
the paths individuals took into the cyber parts of the organisation,
provided they had the skills and training needed to fulfil their
Following our final oral evidence session, the MoD
told us that it had recently implemented a new Cyber Skills Strategy,
setting out the vision and strategic policy for generating and
sustaining cyber skills across the Department.
Existing single Service training had been surveyed
and tailored interventions delivered to enable a strong base level
of cyber-security awareness to be adopted across the Service Commands
and the MoD Civil Service. Initial training had been augmented
so that the MoD may more easily generate suitable personnel for
later employment as cyber specialists. Other training packages
had also been reviewed and augmented.
Finally, we were told that the MoD had designed a
new cyber competence framework, which was comparable with civilian
industry frameworks. Through integration with the Joint Personnel
Administration system (Military HR system), it will now be possible
to identify, track and better manage suitably qualified and experienced
High demand for these same skills in
the private sector may give rise to problems with recruitment
and retention. In the short term, the MoD is able to rely on the
unique nature of the work it offers to attract and keep skilled
personnel and the investment it is willing to make in training.
Similarly, Francis Maude MP argued that "By
and large, brilliant people do not go and work at GCHQ for the
money; they do it because it is fascinating and it is very big-picture,
However, it was acknowledged that an upturn in the economy could
result in more severe challenges.
Air Commodore Bishop stated that, although competition for posts
at the GOSCC was currently very stiff:
It would be naive if we thought that, having got
some of the best training in the world and then somebody offers
a big fat pay cheque, people would not decide to go. We do lose
some, but we don't lose very many. A lot of them stay because
they do enjoy what they do, and they do have the authority to
do the job they have been put in there to do.
We recommend that the 'Cyber Future
Force' work focuses on the development of career structures for
MoD and Armed Forces personnel that will allow them not only to
develop, but build on, their cyber skills. The MoD may not be
able to compete with the private sector on salary terms, but it
must be able to give staff opportunities and responsibility as
well as rewarding work.
One important means of securing expertise is through
the recruitment of reservists. The Minister for the Armed Forces
assured us that he was very interested in developing the potential
for reservists to contribute in this area, as a way of complementing
the skills that could be developed 'in-house'.
BAE Systems suggested that it would be possible for the private
sector to deliver a "surge capacity" through a "cyber
We encountered at the GOSCC some enthusiasm for involving more
reservists, with the caveat that they had to be available for
substantial enough blocks of time to develop sufficient understanding
of the normal functioning of the network. General Shaw alluded
to a potential culture clash between the Armed Forces and the
sort of individuals who might have the expertise the MoD most
needs; he envisaged a national reserve:
that really will attract people with ponytails and
earrings and will not force them to go through the same military
strictures that we conventionally think of, so that we pull in
the people with the requisite talent to get involved in the national
Following our final oral evidence session, the MoD
told us that it intends to develop a Joint Cyber Reserve whose
function will be to provide support to the Joint Cyber Units at
the GOSCC and GCHQ and Regular Information Assurance units across
all three Services. It is envisaged that the Reserve will be established
by the end of March 2013 with full operating capability to be
achieved by April 2015.
MoD thinking about how reservists
will help to deliver cyber-security is evolving, with many issues
to be resolved. Although we welcome the initial steps taken by
the MoD to develop the Joint Cyber Reserve it is regrettable that
information about its establishment was not shared with us during
our evidence taking. As a consequence, we were unable to explore
with Ministers the details of this important development.
We recommend that the MoD should
build on existing strengths in the ways reservists contribute
to cyber-defence and operations, and to retain the particular
reserve-led command structures that facilitate those contributions.
If any new reserve structure is to succeed, it is important that
reservists who work in the civilian world should play a part in
its design. The close relationships that have been established
with contractors at the GOSCC could provide an avenue for recruiting
more reservists from those companies, and we recommend that the
MoD prioritise, as part of Future Reserves 2020, a strategy for
recruiting personnel with specialist skills from the private sector.
The funding provided by the national programme to
the Defence Cyber Security Programme£90m over the
period to 2015is being supplemented by the MoD itself to
the tune of £30m in 2012-13. This funding is only for specific
new strands of work and to improve broader "transformation".
General Shaw described the programme work as "merely the
tip of the iceberg. Far greater than that is the bill that every
department faces for looking after its own internal security of
its existing systems."
Speaking before the announcement of Planning Round 2012 (PR12)
spending plans, General Shaw commented:
one of the greatest risks I see in the entire national
response to the cyber-threat is an unbalanced response, where
there is new money for new stuff, but departments, which are so
strapped for cash, will not give sufficient priority to the security
of legacy systems and new systems. That is a much bigger part
of the iceberg underneath the water. That challenge exists for
the MoD as well. Certainly, last year, in PR11, we bid for new
money from defence for [that] other part of the cyber equation.
We got nothing. This year, we made a more modest and more realistic
We were subsequently assured by the then Minister
for the Armed Forces that, as part of the mainstreaming of cyber
throughout Defence, it would henceforth be "ingrained"
in all budgets:
every time we are assembling budgets for any significant
programme, this will be part and parcel of it [...] I am envisaging
a time when this is so absolutely automatic to everything we do
that all the programme budgets we devise to do anything will include
ensuring that we have the necessary defences in place to guarantee
and assure what we are doing.
We were told that PR12 included a clearly identified
stream of funds set aside to address resilience and security.
Francis Maude MP, Minister for the Cabinet Office, argued that
although it would always be possible to dedicate even more funds
to cyber-security, deciding how much was the right amount to spend
was not "a perfectly judged and precise science". Given
the number of competing claims for the money, Mr Maude argued
that it was necessary to pitch spending at a point beyond which
additional expenditure would not confer proportionate additional
We also noted the findings of the Intelligence and
Security Committee in its Annual Report 2011-2012 regarding Defence
Defence Intelligence (DI) is part of the Ministry
of Defence (MoD) and is mostly funded from within the MoD budget.
DI provides strategic intelligence to inform MoD policy and procurement
decisions and tactical and operational intelligence to support
military operations overseas. However, large parts of its strategic
analysis work also support wider government - and particularly
the Joint Intelligence Committee - and so it has a national role
to play alongside the three main intelligence and security Agencies.
Indeed, DI has the largest pool of all-source analysts in government.
We recommend that the MoD must be
rigorous in ensuring that all cyber-security activitylegacy
and routine work as well as new initiativesis fully funded.
We were encouraged by the then Minister for the Armed Forces'
explanation that spending on cyber would be included as a matter
of course in future programme budgets. Continued investment in
skills and resources is vital. We seek the MoD's assurance that
this will not in practice mean cuts in other areas. Quantifying
the 'right' amount to spend on cyber-security is a challenge which
the MoD must not shirk; military and wider Government intelligence
capability depends on it.
We were keen to establish what measures might reasonably
be used, in the MoD, in Government more generally, and by us to
assess progress and effectiveness in cyber-security. Such measures
are crucial to deciding whether money has been spent intelligently
and efficiently. However, our witnesses agreed that developing
metrics in this area was extremely difficult, particularly if
what was sought were concrete outcome measures rather than inputs.
Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information
Integration, even suggested that it could be a waste of time to
try to identify any, although he believed that a range of input
measures could be of value: personnel trained to a particular
standard, or the inclusion of cyber in contingency plans, for
information is held on how many attacks have been thwarted, there
is always the possibilityeven likelihoodof some
attacks going undetected, and the extent and nature of the damage
averted by thwarting attacks is difficult to judge.
Comparisons with business or other institutions are made difficult
by the relative attractiveness of Defence and the Government as
a target and the sensitivity of the information that needs to
James Quinault, Director, Office of Cyber Security and Information
Assurance, Cabinet Office, explained that it was relatively straightforward
to tell whether the funding provided by the National Cyber Security
Programme was being spent on the desired activity:
but what is less clear, as the Minister [Francis
Maude] said, is whether overall that is making the dent in the
outcome that we want to see, with the overall problem. The problem
there is that we do not have a baseline, we do not know how big
the problem is that we are trying to shrink. We are working on
that, but if we had waited to solve it before we cracked on, we
would be further behind the curve than we are.
The development of metrics is being worked on across
Government, led by the MoD's CIO, John Taylor.
Mr Taylor told us:
we are doing some work on metrics to give us positive
evidence that we are as safe as we need to be. That involves looking
at metrics in the business infrastructure space, making sure that
we understand what assets we have and that we have processes that
review information risk on a regular basis. We then need to look
in the technology space, making sure that our information is backed
up, that we have up-to-date antivirus softwareall the hygiene
things that you need to do. Then there is the people spacefor
example, is our security vetting process working properly?
It is vital not only that the MoD
and the Government have ways of measuring their own progress in
cyber-security, but also of communicating that progress to Parliament
and the public. We are pleased that the MoD is engaging with the
challenge of devising appropriate metrics and measurements for
assessing progress. We acknowledge the difficulty of this task,
and look forward to seeing how pan-Government, international and
cross-sector thinking influences the outcomes of this work. We
recommend that the MoD should provide Parliament with a report
on cyber incidents and performance against metrics on at least
an annual basis.
97 Cabinet Office, UK Cyber Security Strategy,
p.7; Q 6 Back
Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke,
On Cyber Warfare, Chatham House (November 2010) Back
Q 18 Back
Q 153 Back
Q 18 Back
Q 17 Back
Q 14 Back
Q 195 Back
Q 105 Back
Q 136 and Q 196 Back
Q 105 Back
Q 139 Back
Cabinet Office, UK Cyber Security Strategy, para 4.22 Back
Ev 45 Back
Ev 43, para 3.6 Back
Ev w9-10, paras 15-16 Back
Ev w3 Back
Ev w3 Back
Ev w2, paras 9-10 Back
Q 32 Back
Q 87 Back
Q 91 Back
Q 91 Back
Q 226 Back
Q 91 Back
Q 55 Back
Q 90 Back
Ev w10, para 16 Back
Q 40 Back
Ev 43, para 3.1 Back
Q 70 Back
Q 70 Back
Qq 100-1 Back
Qq 103-4 Back
Q 194 Back
Intelligence and Security Committee, Annual Report 2011-12, Cm
8403, para 174 Back
Q 44 Back
Qq 45-6 Back
Q 221 and Q 222 Back
Q 110 Back
Q 222 Back
Q 45 Back
Q 70 Back