Defence Committee<?oasys [np ?> Written evidence from the Institute for Security & Resilience Studies, UCL

This submission comes in two parts. The first addresses the current inquiry’s three questions. The second takes up the invitation to flag issues for subsequent consideration by the Committee.

Key points offered in part one of the submission include:

Threat analysis is a necessary but insufficient approach to assessing the risks and uncertainties of cyberspace for MoD and the Armed Forces or any other body.

Following the 2011 UK Cyber Security Strategy there is work to be done to bring coherence to practical cyber-security arrangements across government (eg clarity about Lead Government Department responsibilities in a variety of cyber circumstances), which development of doctrine could deliver.

The UK’s Cyber Security Challenge makes clear that we have skills gaps and are failing to fill these through formal secondary or tertiary education. Rather than treating symptoms—however profitable—it is vital that continuous learning is enabled through R&D on broad and deep fronts to shape rather than just react to the evolving environment. Although MoD is among the very few bodies to have addressed such a challenge before, it is not clear they can take a similar lead in cyberspace.

Part two, goes onto flag the following four items for further consideration:

The Net Assessment of Resilience and Irresilience to supplement threat analysis.

The Capacity for Innovation as the decisive measure of cyber-resilience.

The Organisational Fitness of Capabilities has to be grounded in learning competencies.

Twining empiricism with entrepreneurship defines the leadership ethos fit for cyberspace.

ISRS will be happy to support the work of the Committee as best it can in the exploring issues, considerations and factors raised by part one and/or two of our submission.

1 Introduction

1.1 The Institute for Security & Resilience Studies (ISRS) at UCL offers innovative approaches to the challenges of security and resilience in our world of networks. We do this by bringing together the public, private and third sectors to seek out ways to catalyse innovation. For us, Resilience to Crises (R2C) combines two vital words into a powerful concept fit for our times. It is a concept born of pioneering cyberspace research for the defence community during the 1990s.

1.2 Use of the word resilience is evolving. It has moved beyond its classical origins and narrow engineering definition in terms of bounce back to the status quo ante. Our use of the word resilience and its inverse—irresilience—are grounded in scientific advances in the mathematics of networks and from across the life sciences. We define resilience as the enduring power of a body or bodies for transformation, renewal and recovery through the flux of interactions and flow of events. Resilience is the power to bounce forward and thrive, not an idealistic notion of bouncing back to a status quo ante overtaken by events.

1.3 We also adhere to the dictionary definition of crises as decisive moments and turning points for better or worse. This again affirms key advances in the mathematics of information and decision taking over the last century. R2C offers a concept that enables decision-takers at all levels to contend with the risks and uncertainties of dynamic networks. Doing so does not just raise awareness of dangers; it also offers options for coherent decisive actions, which produces rather than just protects value because it focuses on the continuous learning of fitness. In sum, resilience is synonymous with healthy competitiveness.

1.4 Our response to the Defence Committee’s inquiry into cyber-security will come in two parts: the first will contribute to the committee’s short initial enquiry; and, the second will flag issues for further consideration by the Committee in due course. Both parts offer responses based on three parameters of our current research programme:

In general, we are examining how the prospects for cyber-resilience are affected by the depth and breadth of the Capacity for Innovation spurred by competition.

In particular, we are concerned with organisation of evolving capabilities in competitive environments, in which the combination or recombination of capabilities using diversity and selection defines immediate and enduring fitness.

In practice, we are emphasising the need for Competent Authorities that inspire trust because they embody an ethos that twins empiricism and entrepreneurship.

1.5 Leadership without enhanced empiricist and entrepreneurial characteristics will be found wanting in cyberspace. Such deficiencies are an issue for all big incumbent organisations whether in the public, private or third sectors.

2. Committee’s Current Inquiry

2.1 The current inquiry poses three good questions, which will flout full and complete answers. Indeed, the pretence of definitive answers would suggest odds are being stacked for errors to ensue. The three questions are taken to ask for evidence on:

(a)The nature, character and extent of the threat posed to the systems of the Ministry of Defence (MoD) and the Armed Forces in terms of operations and capabilities.

(b)The implications of the UK’s 2011 Cyber Security Strategy for MoD and the Armed Forces, in terms of policy, practice (including National Infrastructure Protection (CNIP)) and the relationship of MoD’s actions and planning to other governmental bodies.

(c)How the MoD’s cyber capacity building is planned and managed in terms of skills, expertise, research and development (R&D), again mindful of the interface with the National Cyber Security Programme (NCSP) run through Cabinet Office.

2.2 This submission will offer the imperfect views of ISRS on these questions, more in terms of the factors that need careful consideration than as definitive answers. Whilst it is important to distinguish what is peculiar to defence where possible, cyberspace tends to erode neat categories. Arbitrary constraints on the scope of the questions will be no more helpful.

Threat

2.3 The character and nature of the threat is the first question asked in orthodox security analysis. Such orthodoxy has been questioned for decades, particularly during the Cold War. The collection and collation of threat data is necessary but inadequate to the risk assessments needed to support decision-takers promoting fitness for any competitive environment. Cyberspace just makes that reality obvious. Although the first manufactured environment, cyberspace is transnational and permeates all other environments (maritime, land, air and space). It makes the dynamics of evolutionary forces impossible to ignore; ideal assumptions—such as perpetual status quo—do not endure. However, fixation on cacophony of tactical threats will draw the unwary into attrition and sap their resilience.

2.4 Detecting, profiling and patching software has become big business. The close battle of dealing with malicious code is reaching staggering proportions. Nonetheless, the streams of evolving threats cyberspace spawns are far from confined to malicious software. Mobile devices will soon attract the attention popular “fat client” computer networks have for over a decade. Smart metering based on mobile technology will create another link between Computer Information Systems (CIS) and Industrial Control Systems (ICS). “Thin client” devices dependent upon the Cloud are unlikely to design out the vulnerabilities that attract malicious code but will push most of the current limited capacity for computer forensics into obsolescence. Chasing these myriad threats with retrospective profiles may only increase a system or decision-taker’s susceptibility to deception.

2.5 Beyond the close battle with malicious code and the protection of existing channels, comes the deeper and wider issue of content. It poses a challenge in at least two major guises:

First, mindful of Clausewitz, the overriding friction in war is politics through which content can promote or subvert morale as the power of social software perhaps evidences in the Arab Spring.

Second, content includes the intellectual capital that fuels innovation and shapes our futures; indeed, it is the capacity for innovation that is decisive in winning wars and peace.

2.6 MoD systems cannot be isolated from evolving global and local networks. These are increasingly woven together and populated by agents that never rest. Together they create the dynamics of the cyber environment. Here, the characteristics of the threat cannot be limited to consideration of electronic attack and the use of malicious code whether or not war is declared. Inasmuch as the intent component of a threat may remain an unfathomable mystery rather than an undisclosed secret, the absence of intent can still leave great hazards fermenting. If assumptions about intent are mishandled, the challenges for decision-takers only multiply—whether agents of a sovereign state or not.

2.7 Threat is an inadequate approach to the risk and uncertainty that saturates cyberspace. Confronting this reality can make the challenges ahead seem intractable. Yet it is realising the limits of a threat based approach that enables the assessment of risks and uncertainty to become pragmatic. Such pragmatism can be better informed by Net Assessment as is outlined in the second part of the submission “signposting further issues”.

Coherence

2.8 There are outstanding practical questions about the coherence of activities in the wake of the 2011 UK Cyber Security Strategy. For example, at the Cyber Summit hosted by the Foreign Secretary in November last year the French had a clear answer to the question “who would you call in the event of a cyber-incident?” It is their Prime Minister. This answer resolves the geographic and thematic contradictions cyber crises can otherwise precipitate.

2.9 During the conference the answer for the UK was unclear. Subsequently it was said to be the Minister for the Cabinet Office—Frances Maude. Whilst he attends Cabinet, is at the Centre of UK Government and can act with the authority of the Prime Minister, it is not clear his post commands the capabilities necessary to be the Lead Government Department (LGD). For example, unless the Prime Minister is to be available for every cyber incident:

It is difficult to believe that cyber crises abroad would not make the Foreign and Commonwealth Office (FCO) the LGD and put the Foreign Secretary in the chair; or

Crises at home—whether security or crime related—would not make Home Office the LGD and put the Home Secretary in the chair; or

Cyber crises in the financial sector would not make Her Majesty’s Treasury (HMT) the obvious LGD and put the Chancellor in the chair.

2.10 As with any crises doubt about the competency to lead is a recipe for disaster, particularly in the golden minutes and hours at the onset of crises. The transnational nature of cyberspace is likely to place any cyber crises at the centre of UK Government in the first instance, even more so if events are to be construed as “armed attack”. However, as Libya seemed to demonstrate, it is less how MoD works with the National Security Council (NSC) and more how the NSC works with legacy national crisis management arrangements through COBR that might benefit from clarification, particularly with regard to the LGD doctrine. Fast onset crises make getting the drills right important but slow onset crises can also deliver shock and surprise.

2.11 For example, the compromise of intellectual capital can do economic and strategic damage of unexpected proportions that stuns or lulls authorities into inaction akin to those in response to “white collar crime”. Is the Business Innovation and Skills (BIS) department the LGD for cyber incidents involving content? The LGD question could create unnecessary duplication of capabilities among Government departments. In wealthier times CNIP could spur such expenditure and have it reach into local government too. This would not mean that private firms would match such capabilities as befits their CNI ownership. Amidst the tussles for lead roles and to avoid costly commitments many wrinkles remain to be smoothed out by clear doctrine in the wake of the 2011 Cyber Security Strategy.

Capacity building

2.12 Historically, MoD and the Armed Forces have provided resilience to what might be thought the moral hazard of Other Government Departments (OGDs). From Foot and Mouth Disease, to Fire Fighters Disputes and even the London Olympics, MoD has provided critical reinforcements. Whilst this has often been about reserves of disciplined labour with enormous stamina, there have also often been vital skills needed, in particular higher levels of tactical and operational command and control. It is not obvious how such capacity will be built for cyberspace. This is not an issue confined to MoD.

2.13 The UK’s Cyber Security Challenge has produced an alarming pattern of evidence to suggest that the skills and expertise for cyber resilience and security are not being produced through formal secondary or tertiary education. Amateurs—ie those with a love of the challenges cyberspace throws up—emerge from self-education. Likewise, the bulk of R&D outside of particular areas of government tends to either address security as an afterthought or cherry picks what can be readily commoditised for profit. Over the last decade or so, policy decisions to rely increasingly on Commercial-Off-The-Shelf (COTS), deskilled software engineering and light-touch de facto standards have sown problems of growing consequence. For some, this recipe has produced profitable business streams. It has also led to recruitment and retention problems for core government business.

2.14 Merely treating symptoms rather than the causes of skills gaps and expertise deficits will compound problems. Building capacity has to embody processes of continuous learning, particularly if fitness for the dynamics of cyberspace is to endure. This makes R&D on broad and deep fronts imperative. MoD and the Armed Forces are among the few bodies in Government that have ever attained the kind of depth and breadth of learning necessary for such environments. Uniformed and MoD civil servants alike have continued to deliver similar services in hostile environments on scales seldom rivalled.

2.15 Nevertheless, it is not clear that MoD or the Armed Forces are in a position to reproduce such capacity for cyberspace, even if they have to become a major contributor. This is not necessarily a budgetary issue even in straightened times. It is more to do with the ethos that would need to be created, making a far greater virtue of empiricism and entrepreneurship than any large incumbent organisation has hitherto shown itself inclined. That ethos could not be exclusive to the defence sector but would have to be shared in by a diversity of public, private and third sector bodies. The National Cyber Security Programme in combination with MoD programmes (new and longstanding) will doubtless offer some steps forward but it is not clear that our fitness for cyberspace is yet adequate.

2. Signposting Further Issues

2.16 Four issues are flagged below that may be relevant to the Committee’s subsequent deliberations.

The Net Assessment of Resilience and Irresilience

2.17 Resilience and irresilience have specific mathematical meaning in networks. In the financial sector these are now termed “superspreader” hubs. These do not just sow catastrophic collapse; they can also catalyse the uptake of healthy transformation. The former is characteristic of irresilience; the latter is characteristic of resilience to crises. Both move beyond ideal assumptions about risk to harnessing the reality of uncertainty in evolving systems for better and worse.

2.18 The development of a Net Assessment for resilience and irresilience is more comprehensive, robust and realistic than over-reliance on error or deception prone threat analysis. It has a pedigree that stretches back to the Strategic Bombing Survey of WW II looking for industrial webs and bottlenecks and the “Breakdown” studies at the dawn of the Cold War but also harnesses the insights of the most advanced mathematics and modelling today. Development of such capabilities will enable defence and security to avoid wasting money and focus on how to add value by continuously learn fitness in cyberspace.

Capacity for innovation

2.19 Our work on cyberspace has concluded that the capacity for innovation is the decisive measure of fitness for the challenges ahead. Whilst Lord Dannatt (a former Chief of the General Staff) was right to celebrate the ingenuity of “transformation in contact”, cyberspace will require transformation in far greater depth and breadth. We will be happy to detail how deep and broad transformation can be made tractable and rewarding.

Organisational fitness of capabilities

2.20 The term “equipment capabilities” may have done considerable disservice to the development of capabilities. We have reviewed leading academics in the field of capabilities and synthesised a fresh definition of capabilities and meta-capabilities:

Capabilities are evolving ecologies of competencies and technology.

2.21 This definition underscores that returns on investments and productivity gains only come when innovation brings users and developers together with an equal concern for competencies and technology rather than just integrating the technology. Moreover, albeit training is important, the rapidity of change means that competencies are ultimately more about continuous learning, in particular drawing research beyond invention into innovation.

2.22 This approach enables greater agility in combining and recombining capabilities fit for diverse circumstances and opens up more feasible innovation pathways. These are all attributes that are vital to cyberspace, where disruptive innovation is every day.

Leadership: An ethos befitting competent authorities

2.23 Cyberspace demands a distinctive characteristic of leadership too often squeezed out of big organisations—entrepreneurship. Indeed, we go further and suggest that to continuously learn fitness for cyberspace empiricism and entrepreneurship have to be twined. This is how concurrent research, education and innovation deliver the competitive advantages fitness for cyberspace demands. Confidence in the competence of authorities that cannot deliver such outcomes will suffer sooner than incumbents too often imagine.

2.24 Finally, it is important to recall few people other than the armed forces are capable of operating in hostile environments for protracted periods enduring high degrees of uncertainty. Moreover, the ethical use of force is something with which they have grim experience. Cyberspace may involve indirect forces where that ethical knowledge is more not less pertinent than non-combatant colleagues may care to realise.

5. Conclusion

5.1 ISRS will be happy to support the work of the Committee as best it can in exploring the issues, considerations and factors raised by part one and/or two of our submission.

20 February 2012

Prepared 8th January 2013