5 Resources and skills supporting military activity in cyberspace
Research and development
A constant theme in the literature
and comment about cyber-security is the rapid pace at which threats
develop and evolve.[97]
Professor Paul Cornish and
colleagues, Chatham House, have written that:
The pace of change can be so abrupt as to render
the action/reaction cycle of traditional strategy out of date
before it has begun. [...] It is as if a government operational
analyst has been sent to observe the effects in battle of the
flintlock musket, only to discover upon arrival that the Maxim
gun has been invented.[98]
Not only does the technology develop rapidly, but,
as John Bassett of RUSI said, "people are actually capable
of using these things in unexpected and unforeseen ways very much
sooner than the technology changes".[99]
As noted earlier in this report, Francis Maude MP, Minister for
the Cabinet Office, told us that "One of the challenges is
that we do not know what threat we will be facing next month,
let alone in a year's time".[100]
Professor Brian Collins, a former Chief Scientific
Adviser in the Department for Business, Innovation and Skills
and the Department for Transport, argued that the necessary tools
are not yet in place across Government to understand and plan
in this way:
If I had suggested three years ago that people would
be organising riots in the streets using Facebook, no one would
have even understood what the words meant. Last summer, that is
what we saw. Now, if you say to law enforcement or, indeed, maybe
to parts of our military operations, 'Do you expect to see those
sorts of applications being used to organise a significant threat
to us?', I do not believe that we have the mechanisms in place
a priori, as opposed to by way of response, to anticipate
where some of those things may be hitting us.[101]
He went on to say that across government "there
is maybe too much emphasis on the short-term tactical as opposed
to the long-term strategic".[102]
He continued:
Tactically, I don't think we are in bad shape at
all. However, to be in a situation in which you can anticipate
where some of these things might be coming from is a combination
of intelligence-gathering [...] together with some idea of where
individuals or groups might be taking their thinking, when we
would regard that as undesirable for us. That horizon-scanning
function is a piece that I see missing.[103]
Francis Maude MP, Minister for the Cabinet Office,
told us that he was confident that the Government had the capacity
to keep up with the latest threats, pointing out, however, that
the Cabinet Office proposals for civil service reform explicitly
referred to the need to strengthen horizon-scanning across Government.[104]
James Quinault said that "intelligence and anticipation of
the threat" was a thread in many of the funding allocations
that had been made from the National Cyber Security Programme,
and had been a particular feature of the investment in GCHQ. Research
strands in other departmental programmes relate to cyber-crime
and e-business, where the objectives of attacks may differ, but
much of the same technology is employed.
Similarly, Air Commodore Bishop, Head of the GOSCC,
highlighted the value of the MoD sharing threat information and
security techniques with industry, because the means of attack
against both these targets were often the same.[105]
MoD evidence states that £80 million a year
is being provided for research in the related areas of cyber and
influence, through the Cyber and Influence Science and Technology
Centre at Porton Down, by working with research councils, and
by investing in pan-Government programmes that place work in universities
and designate a number of universities as centres of excellence.[106]
The MoD is also funding a programme of
studies at Seaford House, London (part of the Defence Academy),
to consider the future character of conflict, and the implications
of the developing cyber-threat for the security environment.[107]
When we invited the then Minister for the Armed Forces to comment
on whether the proportion of the Ministry of Defence budget being
spent on research and development was, at 1.2%, currently too
low, he agreed.[108]
We have considered the issue of the percentage of
the defence budget which is spent on research and development
in the course of our inquiry into Defence Acquisition: there is
general agreement that it is currently too low. This applies to
cyber-security as much as to any other field. The
rapidly changing nature of the cyber threat demands that a premium
be placed on research and development to enable the MoD to keep
pace with, understand and anticipate that threat. We recommend
that this should be addressed. The Government should also make
it a priority to develop robust protocols for sharing information
with industry to allow expertise to be pooled, and we recommend
that the MoD set out clearly in its response to this report how
it will do so.
People - skills and capability
The UK Cyber Security Strategy noted that people
with a deep understanding of cyberspace and how it is developing
are currently "a scarce resource" across both Government
and the business world, and set as one of its main aims the development
of knowledge, skills and capability sufficient to underpin all
the UK's cyber-security objectives.[109]
'Cyber Future Force' is one of four strands of work in the Defence
Cyber Security Programme, and will design the cyber component
of Future Force 2020.
The MoD's intention
is to "embed" cyber skills throughout Defence by 2015,
and all MoD personnel will receive some degree of education in
cyber awareness. Those in operational command roles will be trained
to integrate the cyber domain with operations. Specialist training
will be provided to those in dedicated cyber roles, and their
skills will be recorded against a cyber competency framework on
HR systems.[110] The
MoD stated that it would "grow a cadre of dedicated cyber
experts".[111]
We note a degree of concern expressed
in evidence to our inquiry that the MoD does not have sufficient
skills at its disposal in this area.[112]
IT industry body Intellect stated that:
The perception of industry is that the MoD does not
appear to have sufficient skills available for modern cyber-based
warfare. [...] there may be scope for an enhanced military-industry
partnership to address this capability gap. [...] Intellect
members commented that within MoD there are individuals with an
extremely high level of cyber knowledge, however recent movements
in personnel across Government have affected the MoD's cyber capacity.[113]
Intellect
concluded that greater investment in education, both within academia
and government, was necessary to ensure sufficient future capability.[114]
Dave Clemente, a researcher at Chatham House, wrote:
Some sensitive tasks cannot be contracted to foreign
nationals, and it will be necessary to develop UK talent [...].
Talent retention is a regular concern and one that is becoming
more urgent. Cyber-security experts can earn far more in the private
sector than in government, and more thought needs to be given
to retaining and incentivising talent.[115]
John
Bassett, RUSI, when asked what the MoD's priorities in cyber-security
should be, responded:
It is about ensuring that we have enough good people
in the Ministry of Defence, other parts of Government, academia
and industry, and I think that we do not have anything like enough
at the moment. I think that growing and skilling the people is,
for me, the single most important thing for us to do.[116]
We observed during our visit to the GOSCC that the
application of the usual length of Armed Forces rotation to a
post in cyber-security results not only in churn, but in potential
dissatisfaction for personnel who develop a cyber specialism but
subsequently are given little opportunity to build on or pursue
this. To counteract this, the GOSCC is not only actively searching
for personnel throughout the Forces who may have the necessary
skills or aptitude, it is trying to ensure that staff who develop
those skills are tracked throughout their careers so that they
can be re-deployed in this area if necessary. Air Commodore Bishop
described the range of backgrounds that could be put to use in
the Centre: "We are looking at people with intelligence backgrounds,
we are looking at people with technical backgrounds and we are
looking at people with police backgrounds, because there was always
a forensic and potential police issue around some of the stuff
that we do."[117]
John Taylor explained that the MoD was "agnostic" about
the paths individuals took into the cyber parts of the organisation,
provided they had the skills and training needed to fulfil their
role.[118]
Following our final oral evidence session, the MoD
told us that it had recently implemented a new Cyber Skills Strategy,
setting out the vision and strategic policy for generating and
sustaining cyber skills across the Department.
Existing single Service training had been surveyed
and tailored interventions delivered to enable a strong base level
of cyber-security awareness to be adopted across the Service Commands
and the MoD Civil Service. Initial training had been augmented
so that the MoD may more easily generate suitable personnel for
later employment as cyber specialists. Other training packages
had also been reviewed and augmented.
Finally, we were told that the MoD had designed a
new cyber competence framework, which was comparable with civilian
industry frameworks. Through integration with the Joint Personnel
Administration system (Military HR system), it will now be possible
to identify, track and better manage suitably qualified and experienced
cyber-security personnel.
High demand for these same skills in
the private sector may give rise to problems with recruitment
and retention. In the short term, the MoD is able to rely on the
unique nature of the work it offers to attract and keep skilled
personnel and the investment it is willing to make in training.[119]
Similarly, Francis Maude MP argued that "By
and large, brilliant people do not go and work at GCHQ for the
money; they do it because it is fascinating and it is very big-picture,
serious stuff."[120]
However, it was acknowledged that an upturn in the economy could
result in more severe challenges.[121]
Air Commodore Bishop stated that, although competition for posts
at the GOSCC was currently very stiff:
It would be naive if we thought that, having got
some of the best training in the world and then somebody offers
a big fat pay cheque, people would not decide to go. We do lose
some, but we don't lose very many. A lot of them stay because
they do enjoy what they do, and they do have the authority to
do the job they have been put in there to do.[122]
We recommend that the 'Cyber Future
Force' work focuses on the development of career structures for
MoD and Armed Forces personnel that will allow them not only to
develop, but build on, their cyber skills. The MoD may not be
able to compete with the private sector on salary terms, but it
must be able to give staff opportunities and responsibility as
well as rewarding work.
Reservists
One important means of securing expertise is through
the recruitment of reservists. The Minister for the Armed Forces
assured us that he was very interested in developing the potential
for reservists to contribute in this area, as a way of complementing
the skills that could be developed 'in-house'.[123]
BAE Systems suggested that it would be possible for the private
sector to deliver a "surge capacity" through a "cyber
reserve".[124]
We encountered at the GOSCC some enthusiasm for involving more
reservists, with the caveat that they had to be available for
substantial enough blocks of time to develop sufficient understanding
of the normal functioning of the network. General Shaw alluded
to a potential culture clash between the Armed Forces and the
sort of individuals who might have the expertise the MoD most
needs; he envisaged a national reserve:
that really will attract people with ponytails and
earrings and will not force them to go through the same military
strictures that we conventionally think of, so that we pull in
the people with the requisite talent to get involved in the national
effort.[125]
Following our final oral evidence session, the MoD
told us that it intends to develop a Joint Cyber Reserve whose
function will be to provide support to the Joint Cyber Units at
the GOSCC and GCHQ and Regular Information Assurance units across
all three Services. It is envisaged that the Reserve will be established
by the end of March 2013 with full operating capability to be
achieved by April 2015.
MoD thinking about how reservists
will help to deliver cyber-security is evolving, with many issues
to be resolved. Although we welcome the initial steps taken by
the MoD to develop the Joint Cyber Reserve it is regrettable that
information about its establishment was not shared with us during
our evidence taking. As a consequence, we were unable to explore
with Ministers the details of this important development.
We recommend that the MoD should
build on existing strengths in the ways reservists contribute
to cyber-defence and operations, and retain the particular
reserve-led command structures that facilitate those contributions.
If any new reserve structure is to succeed, it is important that
reservists who work in the civilian world should play a part in
its design. The close relationships that have been established
with contractors at the GOSCC could provide an avenue for recruiting
more reservists from those companies, and we recommend that the
MoD prioritise, as part of Future Reserves 2020, a strategy for
recruiting personnel with specialist skills from the private sector.
Finance
The funding provided by the national programme to
the Defence Cyber Security Programme - £90m over the
period to 2015 - is being supplemented by the MoD itself to
the tune of £30m in 2012-13. This funding is only for specific
new strands of work and to improve broader "transformation".[126]
General Shaw described the programme work as "merely the
tip of the iceberg. Far greater than that is the bill that every
department faces for looking after its own internal security of
its existing systems."[127]
Speaking before the announcement of Planning Round 2012 (PR12)
spending plans, General Shaw commented:
one of the greatest risks I see in the entire national
response to the cyber-threat is an unbalanced response, where
there is new money for new stuff, but departments, which are so
strapped for cash, will not give sufficient priority to the security
of legacy systems and new systems. That is a much bigger part
of the iceberg underneath the water. That challenge exists for
the MoD as well. Certainly, last year, in PR11, we bid for new
money from defence for [that] other part of the cyber equation.
We got nothing. This year, we made a more modest and more realistic
bid - we hope.[128]
We were subsequently assured by the then Minister
for the Armed Forces that, as part of the mainstreaming of cyber
throughout Defence, it would henceforth be "ingrained"
in all budgets:
every time we are assembling budgets for any significant
programme, this will be part and parcel of it [...] I am envisaging
a time when this is so absolutely automatic to everything we do
that all the programme budgets we devise to do anything will include
ensuring that we have the necessary defences in place to guarantee
and assure what we are doing.[129]
We were told that PR12 included a clearly identified
stream of funds set aside to address resilience and security.[130]
Francis Maude MP, Minister for the Cabinet Office, argued that
although it would always be possible to dedicate even more funds
to cyber-security, deciding how much was the right amount to spend
was not "a perfectly judged and precise science". Given
the number of competing claims for the money, Mr Maude argued
that it was necessary to pitch spending at a point beyond which
additional expenditure would not confer proportionate additional
protection.[131]
We also noted the findings of the Intelligence and
Security Committee in its Annual Report 2011-2012 regarding Defence
Intelligence:
Defence Intelligence (DI) is part of the Ministry
of Defence (MoD) and is mostly funded from within the MoD budget.
DI provides strategic intelligence to inform MoD policy and procurement
decisions and tactical and operational intelligence to support
military operations overseas. However, large parts of its strategic
analysis work also support wider government - and particularly
the Joint Intelligence Committee - and so it has a national role
to play alongside the three main intelligence and security Agencies.
Indeed, DI has the largest pool of all-source analysts in government.[132]
We recommend that the MoD must be
rigorous in ensuring that all cyber-security activity - legacy
and routine work as well as new initiatives - is fully funded.
We were encouraged by the then Minister for the Armed Forces'
explanation that spending on cyber would be included as a matter
of course in future programme budgets. Continued investment in
skills and resources is vital. We seek the MoD's assurance that
this will not in practice mean cuts in other areas. Quantifying
the 'right' amount to spend on cyber-security is a challenge which
the MoD must not shirk; military and wider Government intelligence
capability depends on it.
Measuring progress
We were keen to establish what measures might reasonably
be used, in the MoD, in Government more generally, and by us to
assess progress and effectiveness in cyber-security. Such measures
are crucial to deciding whether money has been spent intelligently
and efficiently. However, our witnesses agreed that developing
metrics in this area was extremely difficult, particularly if
what was sought were concrete outcome measures rather than inputs.[133]
Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information
Integration, even suggested that it could be a waste of time to
try to identify any, although he believed that a range of input
measures could be of value: personnel trained to a particular
standard, or the inclusion of cyber in contingency plans, for
example.[134] Although
information is held on how many attacks have been thwarted, there
is always the possibility - even likelihood - of some
attacks going undetected, and the extent and nature of the damage
averted by thwarting attacks is difficult to judge.[135]
Comparisons with business or other institutions are made difficult
by the relative attractiveness of Defence and the Government as
a target and the sensitivity of the information that needs to
be protected.[136]
James Quinault, Director, Office of Cyber Security and Information
Assurance, Cabinet Office, explained that it was relatively straightforward
to tell whether the funding provided by the National Cyber Security
Programme was being spent on the desired activity:
but what is less clear, as the Minister [Francis
Maude] said, is whether overall that is making the dent in the
outcome that we want to see, with the overall problem. The problem
there is that we do not have a baseline, we do not know how big
the problem is that we are trying to shrink. We are working on
that, but if we had waited to solve it before we cracked on, we
would be further behind the curve than we are.[137]
The development of metrics is being worked on across
Government, led by the MoD's CIO, John Taylor.[138]
Mr Taylor told us:
we are doing some work on metrics to give us positive
evidence that we are as safe as we need to be. That involves looking
at metrics in the business infrastructure space, making sure that
we understand what assets we have and that we have processes that
review information risk on a regular basis. We then need to look
in the technology space, making sure that our information is backed
up, that we have up-to-date antivirus software - all the hygiene
things that you need to do. Then there is the people space - for
example, is our security vetting process working properly?[139]
It is vital not only that the MoD
and the Government have ways of measuring their own progress in
cyber-security, but also of communicating that progress to Parliament
and the public. We are pleased that the MoD is engaging with the
challenge of devising appropriate metrics and measurements for
assessing progress. We acknowledge the difficulty of this task,
and look forward to seeing how pan-Government, international and
cross-sector thinking influences the outcomes of this work. We
recommend that the MoD should provide Parliament with a report
on cyber incidents and performance against metrics on at least
an annual basis.
97 Cabinet Office, UK Cyber Security Strategy, p.7; Q 6
98 Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke, On Cyber Warfare, Chatham House (November 2010)
99 Q 18
100 Q 153
101 Q 18
102 Q 17
103 Q 14
104 Q 195
105 Q 105
106 Q 136 and Q 196
107 Q 105
108 Q 139
109 Cabinet Office, UK Cyber Security Strategy, para 4.22
110 Ev 45
111 Ev 43, para 3.6
112 Ev w9-10, paras 15-16
113 Ev w3
114 Ev w3
115 Ev w2, paras 9-10
116 Q 32
117 Q 87
118 Q 91
119 Q 91
120 Q 226
121 Q 91
122 Q 55
123 Q 90
124 Ev w10, para 16
125 Q 40
126 Ev 43, para 3.1
127 Q 70
128 Q 70
129 Qq 100-1
130 Qq 103-4
131 Q 194
132 Intelligence and Security Committee, Annual Report 2011-12, Cm 8403, para 174
133 Q 44
134 Qq 45-6
135 Q 221 and Q 222
136 Q 110
137 Q 222
138 Q 45
139 Q 70