CORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 1881-i

HOUSE OF COMMONS

ORAL EVIDENCE

TAKEN BEFORE THE

DEFENCE COMMITTEE

DEFENCE AND CYBER-SECURITY

WEDNESDAY 18 APRIL 2012

JOHN BASSETT, PROFESSOR BRIAN COLLINS, and PROFESSOR SIR DAVID OMAND

Evidence heard in Public

Questions 1–34

USE OF THE TRANSCRIPT

1. This is a corrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. The transcript is an approved formal record of these proceedings. It will be printed in due course.

Oral Evidence

Taken before the Defence Committee

on Wednesday 18 April 2012

Members present:

Mr James Arbuthnot (Chair)

Mr Julian Brazier

Thomas Docherty

Mr Jeffrey M. Donaldson

John Glen

Mr Dai Havard

Mrs Madeleine Moon

Sandra Osborne

Bob Stewart

Examination of Witnesses

Witnesses: John Bassett, Associate Fellow, Cyber-security, Royal United Services Institute, Professor Brian Collins, Chair of Engineering Policy, Faculty of Engineering Science, University College London, and Professor Sir David Omand GCB, Visiting Professor, Department of War Studies, King’s College London, gave evidence.

Q1 Chair: Gentlemen, welcome to the Defence Committee. I am sorry to have kept you waiting outside. We will get on as speedily as we can. Would you like to begin, please, by introducing yourselves for the record?

Professor Collins: My name is Brian Collins. I am professor of engineering policy at University College London.

John Bassett: I am John Bassett. I am associate fellow for cyber-security at the Royal United Services Institute.

Professor Sir David Omand: I am David Omand, currently visiting professor at King’s College London, previously security and intelligence co-ordinator and, probably of relevance here,Director of GCHQ.

Q2 Chair: You are all most welcome. This is our second Cyber-security inquiry, and we will be doing a third in due course. The SDSR described the National Cyber-Security Programme and its impact as transformative. Do you think it has been?

Professor Sir David Omand: Transformation is needed, and transformation will take time. It would be wrong to say that the programme has already been transformative, but it has the potential to make significant improvement in the vulnerabilities, which we will no doubt discuss, in a number of areas of national life that are subject to cyber-threat.

Q3 Chair: Do you think there has been a change of approach since 2009, or merely a promise of a change of approach?

Professor Sir David Omand: More money has been allocated, and that makes a big difference. The conceptual approach is very similar. I do not detect a great difference in that. The strategy itself is perhaps more clearly mapped out in terms of the areas of priority, and there are some important political statements, notably the importance of the cyber-realm for future national prosperity and economic growth, and the social benefit that will come from having it. I think it is more clearly stated that the purpose of cyber-security is to secure those gains. It is not an activity in its own right.

Q4 Chair: Would either of you like to add to that?

John Bassett: I endorse Sir David’s comments. It seems to me that the benefits there have been from this and the previous strategy are essentially conceptual; that there is recognition of the nature of the threat that is faced and what we need to protect. There is also some sense that it is going in the same direction, and that it is evolving and will continue to evolve if we are successful, because there are still some areas of lack of understanding. We just do not know exactly how the internet will impinge on society. It is healthy that it continues to evolve, and I look to other strategies in due course to replace this one over a period of years rather than decades.

Q5 Chair: Professor Collins, what do you think the 2011 Strategy does well, and what do you think it does badly?

Professor Collins: I would reinforce the comments that have just been made with regard to an overarching strategy that is designed to pull together the whole Government around the issue, rather than it being seen as an intelligence issue, a defence issue, or probably a Home Office issue in isolation. It is holistic for the well-being of the Defence of the Realm; the military aspect is only one part of that. What it does well is to do that.

What it does not address is the pace of change that is needed. The organisational inertia that exists in Whitehall will get in the way of delivery. Perhaps as a codicil to that, going back to your previous question, there is an assumption that there will be continuity of stewardship of the strategy over a period of many years. History shows us that continuity of stewardship of strategies of this nature is quite difficult to achieve through our democratic process. We need to flag up the fact that that is so important to the well-being of our society-and, indeed, developed societies around the world, because we are not in isolation from other developed societies. That is what cyber-space does to us: it connects us richly to everywhere else on supply chains and economic and social well-being. Unless we maintain that stewardship over a period that is much longer than the five-year electoral cycle, we will fail to deliver the desired outcomes.

Q6 John Glen: Building on that, is not one of the issues the internal co-ordination within Government? One of the challenges is how you identify who should be responsible for what among the National Security Council, the Ministry of Defence, the Armed Forces and the GCHQ, and how they fit together. How do you see the effectiveness of that cyber-security planning process at the moment?

Professor Collins: I would say it was work in progress. It is getting better, from my perception, given where it was, let us say, seven or eight years ago, when in a previous role I worked for the Defence Academy as a professor educating the military on information assurance and cyber-security matters. It was clear that that was completely disconnected from what was happening in the rest of the commercial world-and other parts of Government, even. Now we are beginning to see a much deeper understanding of the interconnectedness and interdependency between these various elements of our well-being. We are moving in the right direction, but I still come back to the fact that the threat is moving much faster than we are.

Q7 John Glen: Is it not a fact that, in some cases, some of the actors can be benign, curious individuals, versus actually identifying where malign intent exists? Does that not create ambiguities and uncertainties over who should take responsibility? How are those things being resolved, in terms of who owns it? The Whitehall structures tend to focus on a single point of ownership yet, by its very nature, it necessitates the involvement of multiple agencies. How is that resolved at the moment?

Professor Sir David Omand: I am not sure that I would put it quite that way. One of the improvements that has been brought in is to have central policy co-ordination. It is a very small team, located in the Cabinet Office. I have questions about whether there are enough people in that team with really deep expertise but, in principle, that is the right place to have that co-ordination.

Then we have to look, for example, to the Ministry of Defence to be responsible for safeguarding its own networks and transactions, for making sure that its networked equipment and network-enabled capability is not sabotaged by cyber means and so on. That is clearly its responsibility. Where does it look for its professional technical advice? It has capability of its own in the defence scientific and technical laboratories (DSTL), but the national centre of expertise is in GCHQ in Cheltenham. Again, one of the innovations that has been introduced is to set up the cyber-operations centre (CSOC) down in Cheltenham as a joint organisation, with representation across the interested Departments, so that there is that connection.

As a nation, we cannot afford-particularly in the current circumstances-to duplicate expertise. It would be nice to have different centres of expertise but I don’t think that we can afford it, so what has happened is we have put it in one place and made sure that everyone is contributing to it, and can draw from it, particularly in relation to the most sophisticated, advanced persistent threats, where there is now a centre of expertise. The Ministry of Defence can go there for advice and technical assistance. That seems okay to me.

Then you go round the rest of Government. HMRC has a big cyber problem with all its networks. It is its responsibility to sort that and make sure that it takes on the right kind of professional technical expertise to do it. I do not think that it is so difficult. As Brian has said, what is more difficult is looking ahead. How will this evolve? Will we be ahead of the curve and spot the next generation of threat appearing? I hope that research is going into that but I am outside the system now so cannot comment.

John Bassett: If I might make just one observation, looking at international partners and so on, we are rather better joined-up than some of our international partners. Accepting that it is work in progress, and that it is still ongoing, there seems to me to be quite a lot more co-ordination and jointery here than overseas, in some cases.

Professor Sir David Omand: To add a specific example, which perhaps goes to your point, I would advise the Office for Security and Counter-Terrorism at the Home Office to put more effort into the cyber domain, not because we currently face a big threat from terrorist use of the cyber method, but because we very well could, and it needs to start thinking about that. It needs to start thinking about the role of the police in being able to access social media to derive intelligence, for example, to help in riots and crowd control, and all the rest of it. There are lots of things that Departments like the Home Office need to be thinking about now, all within the overall strategy that the centre is setting up.

Q8 Chair: Do you think that the 2011 strategy represents a proportionate approach to the different types of cyber-threat, for example, in relation to cyber-crime, terrorism and other national security threats?

Professor Sir David Omand: There is a real problem in trying to devise something called a strategy that would meet your standards of connecting ends, ways and means, because this is a big, baggy monster of a subject. It covers everything from the vandalism of websites at one end to what putatively could be acts of armed aggression at the other, with crime in between.

I would limit the expectations of what you should look for in a national strategy. You have to break the subject back down into, for example, financial crime or countering espionage and then really have sub-strategies looking specifically at those kinds of threat. There is a limit to how far you can take strategising at the grand level on a subject like this, and it is moving so fast.

Professor Collins: The Government are not the only organisation that have a strategy in this domain. Clearly, if you work in the financial markets in the City, you will find that all the major banks, clearing houses and insurance companies have major strategies and major investment. Some of that might dwarf what the Government are doing because they are seeing real money being put at risk, in the way that the Government have other things that they value being put at risk. You have to take a more holistic view of what the total investment-financial and political-is in this subject. To answer your question in a more accurate way, just to look at the Government piece is not sufficient.

Q9 Chair: The Strategy talks about "exploiting the cyber environment for our own national security needs". What do you think that means?

Professor Sir David Omand: I could hazard a guess.

Q10 Chair: Would you care to do so?

Professor Sir David Omand: It may be completely wrong, since I did not write the document.

Chair: Of course.

Professor Sir David Omand: I suspect that it is a euphemism for the fact that, while cyber-security focuses on defending ourselves from aggression from elsewhere, we, too, would be capable should it come to it to use the cyber-domain for our own offensive purposes, for example, in taking out an air defence system where we are engaged in military operations. We have to look not just at the defence, but at the potential offence within the law, within international humanitarian law and within all the constraints that armed force would normally find itself. That is one possible explanation-we can actually exploit this.

John Bassett: Perhaps one would add that ongoing active intelligence gathering that the state would wish to do will be done in cyber-space as well as in other areas. That is another activity that would fit into that description, I believe.

Q11 Chair: Professor Collins, would you like to add to this?

Professor Collins: No, I concur with what has just been said.

Q12 John Glen: Some of what I ask has been covered in your answers. The Intelligence and Security Committee report identified 18 departmental bodies that were interested in cyber-security. You have explained how there has been a significant effort to co-ordinate efforts into a single entity, but each of those bodies will have a different perspective on the threat and its nature. Going forward, it is difficult to see how the MoD would have the same perspective on malign threats as the Home Office, for example. There will surely need to be some movement in terms of who takes responsibility and ownership. If that central co-ordinating agency does not do justice to the interests of one part of it, it will, of necessity, become fractured. How do you see that organisational model evolving? How will different ownership for the different bits of cyber-security evolve as the threats and people’s interpretations of the risks differ across different parts of government?

Professor Sir David Omand: I shall answer that slightly indirectly, by saying, "Were you to ask me in 1910 the same question in relation to the invention of the internal combustion engine, you would immediately see that here is a transforming technology." Every part of government has a potential interest. There is a big upside in economic growth, and the nation needs to develop the technology to master the use of such devices, but there is a dark side. There was a dark side to the motor car-criminality, warfare. In exactly the same way, in the cyber-domain, we can see a dark side. Every part of government has got to be involved in this. I would be very against trying to over-centralise this kind of thinking about cyber.

Q13 John Glen: The Department for Transport, in the end, owned it, with respect.

Professor Sir David Omand: It has a policy responsibility. In the case of cyber, that is what we must look for from the central Cabinet Office policy team. It is at a high level. Work will continue on the cyber-implications of the work of Government Departments and their communications, their databases and so on, and the public’s use of these. For example, the Government might use social media to inform the public about their responsibilities, benefits that they might need and so on. In an emergency, they might give the public information about what is going on. That, too, will need analysis.

As I say, you have to be quite devolved about this, and then have a powerful centre that can lay down some high-level policy and sort out arguments, when they arise, about whether it is more important to go for economic advantage or try to get more security over there, because there will be conflicts. For example, I think there is a conflict for defence between the current fashion for buying things off the shelf at the cheapest price and taking the time and expenditure to write computer code that is genuinely secure. Somewhere, somebody in defence has to strike a balance between those. Most of the successful cyber-attacks have come about because of flaws in the computer code that should not have been there if it had been written properly. If we go about just buying stuff off the shelf, including computer software that has been bundled together from pre-existing blocks of software, then I am afraid we are making ourselves vulnerable. But that costs, so somewhere there are trade-offs. For some of these higher-level issues, again I look to the co-ordinating policy centre to put this before Ministers and try to get some guidance on where to strike the balance.

Q14 John Glen: Thank you; that is a very helpful analogy.

John Bassett: I wonder if the historical perspective isn’t helpful in this in a slightly different way. If we look to the cold war, we would see then that the Home Office would have a particular set of national security concerns, which might be in the espionage area, and the Ministry of Defence might have interests that are in the nature of the deterrent or the central front. In some ways, that is the kind of reconciliation we would need now. It isn’t so very different from the kind of reconciliations that we have done in the past with some degree of success. I don’t know that the co-ordination challenges are so very different from some of the challenges we have faced in this and the previous century.

Professor Collins: I would add one point, if I may, John, that does complicate things, and that is the complexity of the nature of the multifarious threats that we face and the lack of clarity, as you have indicated, as to what their purpose might be. Is it bravado or is to damage or steal something valuable? That complexity compounds the difficulty of this co-ordination process strategically. Tactically, I don’t think we are in bad shape at all. However, to be in a situation in which you can anticipate where some of these things might be coming from is a combination of intelligence-gathering, which we should not go into here, together with some idea of where individuals or groups might be taking their thinking, when we would regard that as undesirable for us. That horizon-scanning function is a piece that I see missing. We don’t appear to have resourced that as effectively as we could have done. Although there are words in the strategy that say that is what should be done, I don’t think we have put enough anticipatory investment in place, not just in Government, going back to my previous point, but Government with others who play in this space. The need for national secrecy sometimes impedes that collaborative activity.

Q15 John Glen: That is exactly my point. The nature of that collaboration means that compromises are made in order to have co-ordination and a single view.

Professor Collins: There shouldn’t be any within Government, but my point relates to between Government and other bodies inside the nation-not international collaboration, which has its own problems of course-such as the City, other operators and other critical national infrastructure activities.

Q16 John Glen: I just want to get to the bottom of this point with respect to the MoD. If the MoD felt as a single Department that that horizon-scanning was inadequate-those that were represented in the central planning body-then it would probably be a failure if it decided to undertake a separate departmental activity that was in some way extended.

Professor Collins: It would certainly be less efficient than it might be.

Q17 John Glen: That is a reasonable measure of success perhaps.

Professor Collins: Yes. That is entirely right. However, at the technical level I should have mentioned that I left the position of Chief Scientific Adviser in BIS and DFT last May, so I sat on the National Security Council sub-committee for Science and Technology, as one of all the chief scientific advisers involved in this matter who sat at that table. That body was the one that would advocate a rise in scanning activity in a pan-departmental way, at least about social science and the physical sciences. I emphasise that because we were very keen to ensure that more social science research was done on futures and horizon-scanning. That was work in progress. I am no longer on that body so I don’t know whether that work is proceeding. There are indications that it is. I still do not believe that it is being resourced as effectively as it could be. There is maybe too much emphasis on the short-term tactical as opposed to the longer-term strategic.

Q18 Chair: You said earlier, Professor Collins, that the strategy did not pay sufficient attention to the pace of change. Are you able to give us any quick example of that?

Professor Collins: If I had suggested three years ago that people would be organising riots in the streets using Facebook, no one would have even understood what the words meant. Last summer, that is what we saw. Now, if you say to law enforcement or, indeed, maybe to parts of our military operations, "Do you expect to see those sorts of applications being used to organise a significant threat to us?", I do not believe that we have the mechanisms in place a priori, as opposed to by way of response, to anticipate where some of those things may be hitting us. That is one example not so much in the defence domain as in law enforcement, but you can clearly see how that could be expanded into more international domains, which would be of interest to the Ministry of Defence.

Professor Sir David Omand: Another interesting cyber-example, which I certainly did not predict and I am not sure that the Ministry of Defence had anticipated, was what the impact of soldiers and Service personnel equipped with mobile telephones with cameras would have on the home front-the blogging and the sending-back of real-time video of combat. It is completely unheard of in history to face that kind of situation, and I think people are just getting their minds round it now.

John Bassett: If I may make one point to build on those themes, these examples, whether it is Facebook and the riots or mobile phone cameras and so on, are existing forms of technology, but they are used in different ways. Facebook had been around for some years before it was used in the riots and cameras likewise. It is important to think of cyber-security not just in terms of changing technology but, perhaps critically, in terms of how people are using that technology. The technology develops and can develop quickly, but people are actually capable of using these things in unexpected and unforeseen ways very much sooner than the technology changes. It is the people who, as ever, are most adaptive and the fastest moving.

Q19 Mrs Moon: I am just wondering whether the people of Tunisia, Egypt and Libya are not absolutely grateful that the technology to predict what has been organised is not in place. We can talk about it in terms of riots, but it has also had beneficial effects for people living with tyranny, so I do not think that we should underestimate that. I certainly have seen the police force using Facebook to look at criminal networks, but can you give us a summary of threats to the Ministry of Defence and Armed Forces networks and of the nature of cyber-security threats?

Professor Sir David Omand: As I read it at the moment, they perhaps fall into four or five categories. The first is straightforward criminality. The MoD, as any other large organisation, has bills to pay and staff to pay, and it has to protect itself from criminal activity. That is no different from any other organisation, but it is quite a big organisation, so it has to be taken rather seriously.

Then we have a trio of espionage, subversion, and sabotage, which are not cyber-war. They are far short of cyber-war, but they are very serious. So that means stopping hacking into networks in order to gain intelligence, either on equipment or on military activity. What I would regard as subversion is the Jihadist websites and suchlike. There is also the possibility of sabotage, where the particular bit of network or kit that you are relying on in combat suddenly does not perform as it should because it has been degraded and you did not know that a Trojan had been planted.

Not currently, but in the future, we have the possibility of more widespread and more serious cyber-attacks, which, in a situation of national emergency, could mean that the electricity does not work and you have attacks on the infrastructure. That is of interest to the Ministry of Defence, because it will of course depend on that infrastructure both to mobilise and then actually to support military operations. That would be my spectrum.

Q20 Chair: That’s three.

Professor Sir David Omand: No, that’s five.

Q21 Mrs Moon: Can you give us some examples of where this has actually happened, not necessarily in the UK but where a military network or operational asset around the globe has actually been impacted? Are there key ones that stand out as good examples for us to look at?

Professor Sir David Omand: That might be a question you want to address in a closed session. I can only rely on what I read in the newspapers.

On espionage, there is plenty of evidence of penetration. The Canadian discovery of GhostNet, as they called it, was a major penetration by a state power looking for intelligence and commercial information. The Australians also suffered in the same way, and they did actually pin that to a Chinese source. Again, that was for commercial purposes. I think we are all familiar with the subversion side and the jihadist websites.

I am not aware of many properly documented cases of sabotage in which somebody has planted some Trojan or virus. Stuxnet is the one everyone talks about, but, in my view, people jumped to the wrong conclusions on the Stuxnet experience. What Stuxnet shows, now that the code has been examined in very great detail, is that it was a very specific attack on the centrifuges at Natanz, although, as viruses do, it actually spread elsewhere. The virus would not have harmed anything else, because it was written and designed, and had to be written and designed, only to attack that target, including the specific location of the centrifuges and the way they were patterned. All of that is clear, I am told, from the code.

So there is a relationship: the more damage you want to do, the more specialised your attack has to be. Therefore, if you really want to knock out the enemy’s air defence system, you are going to have to design something very specifically for that purpose. It won’t knock out their civil infrastructure. Not only that, to design it you are going to have to have a huge amount of intelligence-detailed technical intelligence, and probably insider knowledge and insider help. Finally, you have to be attacking a system that has some flaws in it. If the system is really well designed and protected, you will find it rather hard. As we know with Stuxnet, they were attacking a Siemens control system that everybody knew had a flaw in it. As far as I know, the flaw still hasn’t been fixed. That is the kind of approach that I take.

The thought I would leave with you on that is that the threat of sabotage at the moment is probably relatively low, but it is likely to rise because knowledge of how to do this is likely to increase. It would be a reasonable prediction to say that this kind of threat will increase. So now is the time to start work on it and now is the time to do the research and development, but I would not overwrite it or overhype it. As I say, we haven’t faced a massive cyber-threat of sabotage of our systems. That is only one view, and I could be wrong.

John Bassett: It seems to me that, if we take Stuxnet as in any way representative of cyber-weapons, Sir David’s comments are very apposite. This is something that has clearly had a huge amount of intellectual capital poured into it. Sir David has illustrated very clearly that it could only be used once for one thing, so we are really talking about almost hand-crafted weapons in that sense. This is not something where one can easily imagine a production line of high impact cyber-weapons. I may be wrong in saying that, but that is just my perception, if we can in any way see this one example of Stuxnet as indicating anything of the future.

Professor Sir David Omand: A modern anti-radiation missile fired from an aircraft will home in on the sorts of frequencies you would expect from an air defence radar. What we are talking about here is spending a lot of time and energy building something that will attack only one specific kind of system. That will rather tend to limit it, and it is one of the reasons why I do not personally believe in cyber-war. This is a helpful adjunct in some circumstances to some nations, giving them perhaps a bit of an edge in certain circumstances, but we are not going to see battles going on in something called cyber-space.

Q22 Chair: Professor Collins, do you disagree?

Professor Collins: I do not disagree with the position we are currently in, but I think anyone who has the ambition to make things much more difficult for us will realise the limitation of what has just been described, and will be starting to look at targets that we have that do not have those very singular properties, so that they can not only attack, but mount campaigns-in other words, sets of attacks in different dimensions, whether social, technical, or political-in order to achieve their objectives. I do not think we should be in any way complacent about investigating what that might look like hypothetically, in order to at least understand what the threat mindset might look like, were they to go down that road. They will be looking for the appropriate economic balance between what it costs them to mount the threat versus what the impact will be. As has just been described, it is probably disproportionate against them at the moment, but they will not tolerate that for very long. They will be looking for softer ways of achieving what they want to achieve.

For instance, one example that I have had conversations with colleagues in the Department of Energy and Climate Change about is smart meters. If there are 35 million of them littered throughout households and industrial premises in this country, and there is a degree of uniformity about them, so that electricity monitoring can be carried out easily and at a very low cost to us, that uniformity-in contrast to what has just been described about Stuxnet-provides a blanket mode of attack. You can attack all of them all at once and disable them, subvert them or do things with them. Although defence may be one stage away from relying on the energy systems of this country, were the electricity to disappear for very long, I think MoD would have some problems. That is just one hypothetical example of where we are actually putting in systems that have uniformity, and we are putting them in at scale.

Q23 Mr Brazier: My question follows straight on from that last point. The rather good pamphlet, I thought, by Graeme Lamb and Richard Williams makes the point that we tend to focus on security in cyber and protecting our systems, and we have missed the opportunities for offensive warfare as we move from the industrial to the information age. In the First World War, we were not trying to design anti-tank weapons before we built tanks. Do you think that there is a very significant offensive capability in the cyber world?

Professor Collins: There will be a capability, but whether we should use it for our national purposes is one issue. It is rather like chemical and biological weapons: we had treaties to stop us doing it, but that did not stop us thinking about what such things might look like, so that we could defend ourselves appropriately. I think we are in exactly the same space. We have to try to put ourselves in the threat mindset to understand what they might try to create that would cause us damage. That is not quite answering your question. In doing that, we will understand-were we to want to, and were we to feel it was ethical and legal to do so-that we would be in a position to go down that road. That is a decision one would have to take at that time.

Q24 Mrs Moon: Professor Collins, in terms of the actors that we might be needing to defend ourselves against, a lot of focus has been on criminality, anarchistic groups and terrorist groups, but what about state actors? How significant is state-sponsored action thought to be, where one state uses cyber as a way of attacking another state? Is that a realistic expectation of the threat that we face?

Professor Collins: Clearly, you would not expect me to answer specifically whether it is a realistic one, in the sense of knowing whether such a thing exists, in open session. Is it realistic to assume that it might be possible? Yes, because it has happened in the past, and we should not repeat the mistakes of history by not examining what happened in the past, which I think we have a propensity for doing.

Q25 Mrs Moon: In that case, you are probably not going to like my next question. Where do you think the attacks would come? Would they come on supply chains, a particular asset, or networks, or would they be trying to influence the individual in the field-their communication systems, or the particular weapons that they carry?

Professor Collins: The answer to all of it is yes, because all of them have value propositions to a threat. I think what one has to understand is the value proposition to the threat in attempting to disrupt, destroy or steal from an asset that we would regard as valuable. That is the very simple equation that I think we need to examine. It goes back to my much earlier comment about horizon scanning. Part of what horizon-scanning activity ought to be doing is looking at those sorts of possibilities in this space, much as the Ministry of Defence does in its more traditional military operations space over a 30 to 50-year horizon. It looks at geopolitics. I know, because I have been involved in it. Is it doing that as vigorously and thoroughly in this space, in collaboration with other Departments, as it could? I suspect not.

Professor Sir David Omand: From a slightly different point of view, the most prevalent form of attack that falls into the state-versus-state category is espionage and the theft of intellectual property. It is very much in certain nation’s interests, for economic and commercial purposes, to get an edge by getting early sight of research work done in pharmaceutical labs, oil exploration, or whatever, so I think that is where we will see the leading edge of threat. Why would a state attack another state only with cyber-weapons? It wouldn’t. You could just about construct a scenario where a competent state used a proxy-Iran and Hezbollah, for example, if Iran were particularly pissed off with us and decided that something ought to be done. However, it gets far-fetched quite quickly, as against rather more straightforward ways of using your proxy to cause trouble. So I do not see this is as cyber-domain stuff.

Professor Collins: No, nor do I.

Professor Sir David Omand: I see this as a question of whether states can use the knowledge that they now have of the cyber-world to improve their military capabilities-and yes, they can. The other point, at the risk of dampening down enthusiasm for all this, is that we are quite a small player in all of this. We are not really at the leading edge, when you look at the size of effort that goes on in the United States and, I imagine, other countries such as China. We just need a slight sense of proportion about that.

Q26 Mrs Moon: But it was a small State-Estonia-that faced a particular threat and experience, which woke people up.

Professor Sir David Omand: It woke people up, but it was actually only a denial-of-service attack.

Q27 Mrs Moon: As the Armed Forces are increasingly looking at network technology, are the increased risks to those new network-enabled weapons systems bringing a new level of risk?

All witnesses: Yes.

Q28 Mrs Moon: Or is the level of risk greater than when we were using simpler weapons, if you see what I mean?

Professor Collins: When I was a professor at the Defence Academy in Shrivenham, I gave lectures on network-enabled vulnerability, which is exactly your point. Yes, it has to be thought about in a systematic way across the new development. Every new development that the MoD puts in should be thought about in terms of what it does, especially-I am sorry, that is not very articulate. When it is networked, what does that do with regard to enhanced vulnerability that had not been there before it was networked? You are absolutely right.

Q29 Mrs Moon: So we need to offset enhanced capability against enhanced-

Professor Collins: New benefits normally do have new risks.

Q30 John Glen: Do you think it is useful to describe cyber-space as a new domain? I think, from Sir David’s comments, that he does not think it is, and I recognise that there is a present and a future. Obviously, if you get into that language, it has implications, in terms of how resources are employed and so on, particularly for the Armed Forces, in terms of acting in a different domain. I realise that there is a bit of a debate on this. It would be interesting to hear your three views, even with respect to the present and the future.

Professor Sir David Omand: My instinct is against thinking about cyber as a domain, because it is ubiquitous. If you are looking at land, sea and air and operations in those environments, they all involve activity that could be influenced by cyber, so it is not something to put in a compartment and say, "Within the Ministry of Defence, cyber is done by this little group in isolation". That said, obviously you need to have some focus of activity and some command and control, but I am just nervous about people thinking that because it is a separate domain, you are going to get separate activity. In the end, with cyber, it is real people who get hurt, real money that gets stolen and real intellectual property that gets pirated.

Q31 John Glen: You have cyber-war and cyber-weapons, do you not?

Chair: Maybe you do not have cyber-war.

Professor Sir David Omand: I think that the idea of cyber-war is very unlikely. Cyber-assisted war is very likely.

John Bassett: On balance, I can see some use for the concept of cyber as a domain at present, principally for the reasons that David has outlined-that it helps focus thinking on it. It is unclear to me whether in five years’ time we will think of it as a domain or not. I would say, yes, very gently and cautiously, at this stage let’s consider it a domain, but let’s be willing to drop it quite quickly if it proves that that is not the best way of handling it-not a very robust form of conceptualisation, I am afraid.

Professor Collins: I do not think that it is new at all. There is a very interesting book, published some years ago, called "The Victorian Internet", which is worth reading, because it is the history of the telegraph in the mid-19th century. In particular, there is an interesting military story whereby the military discovered that a telegraph message could be sent to the Crimea in about a day and a half. It took them six weeks to get the reinforcements there, by which time, of course, everyone was prepared for the reinforcements to arrive. That was when they woke up to the fact that the telegraph travelled more quickly than ships-a very salutary story. The relevance of it is to do with time constants, and the rapidity and global range and reach of what we now call cyber-space compared with where it was maybe even 10 or 20 years ago.

The parameters have changed, the nature of how cyber stuff interacts with all the other physical and organisational stuff, and those things are different. That is where I think that the acceleration of the rate of use, the rate of range and the reach of cyber stuff has changed the nature of how it interacts with all the stuff that we have traditionally done, and I am not sure that we have really bottomed that at all yet, as to what the impact of that change of time constant is. "The Victorian Internet" describes that in terms of days and months; we are now talking seconds, and that is really rather different for us, compared with where we were even 10 years ago. It is not new, but it does have aspects that are different.

Q32 Mrs Moon: From what you are saying, we are always playing catch-up, so what are the priorities that you see now for the next Defence and Security Review? Are we able to project that forward, or are we always waiting for the technology to come along to know what we have to start building our security around? Do you know what it is now for the next four years?

John Bassett: On a personal basis, I think that it is all about the people. It is about ensuring that we have enough good people in the Ministry of Defence, other parts of Government, academia and industry, and I think that we do not have anything like enough at the moment. I think that growing and skilling the people is, for me, the single most important thing for us to do.

Professor Sir David Omand: Iain Lobban, the Director of GCHQ, last year introduced the idea of the 80:20 division-you can get 80% of the security that you need through good hygiene, looking after people and your information, patching your systems up and ensuring that everything is up-to-date. For the remaining 20%-the really dangerous attacks and the advanced, persistent attacks-you really have to get into the intelligence space, understand who is attacking you and how you are being attacked, and work with the security industry to fix that.

One of my priorities would be getting the relationships right between the Government’s capability, particularly down at GCHQ but in defence as well; the security industry, which has a great deal of capability in this area; and their customers-the critical national infrastructure, the financial system, the defence companies and so on-so that we make a real impact on stopping the theft of intellectual property. I think it is possible to do that.

Another priority-this is not a defence priority-would obviously be in relation to criminal activity for gain, trying to cut down on losses from cyber-attacks for criminal gain. Those would be the things that occur to me first.

Q33 Mrs Moon: I am intrigued by what you said about the interrelationship between Departments and the private sector, and the sort of communication between them. What about building that relationship in relation to research and development, and building sovereign capability? Is that relationship in place, or is that something you need to develop?

Professor Sir David Omand: It was highlighted in the National Strategy, and my assumption is that people are working away trying to develop it. I would not hazard a guess how far it is there yet, but I think people are trying things out, and new relationships are being developed. I know that a number of companies have been working very closely with GCHQ and being given much more information-highly classified information-about the kind of attacks that are going on to steal intellectual property. It seems that that sort of trusting relationship-circles of trust-is essential. The Government cannot do all this themselves, working directly with the thousands of different companies that are under attack. We have to mediate it through the industry.

Professor Collins: There is a joint programme that Research Councils UK and GCHQ are funding, which announced only last week new centres for academic excellence-I think six universities in this country, it was announced. It is exactly aimed at providing the bigger pool of expertise that we need, but it will take time.

Q34 Chair: We are just about to go into private session with those responsible for this within the Ministry of Defence. Is there anything you feel that we should know that you have not been asked questions about, or that would be the key question that we failed to ask? What would you answer to that?

Professor Sir David Omand: The question I would ask, I have to say-looking behind me at the people you are about to address it to-would really be about priority. The cyber-security domain was put up as one of the top four national security priorities. If we are going into defence, the question I would ask would be: does it have an equivalent priority within defence? Is it being taken sufficiently seriously? Are the organisation and the levers in place to enable those who are co-ordinating this work to make sure that every aspect of it is taken seriously? As I was saying at the beginning, we are dealing with an enormous range of potential threats, some of which may be at the more trivial end, but some of which are extremely serious. I hope that the Ministry of Defence is really up for this.

John Bassett: If I were you, I would ask what the metrics for success in this area are, particularly in the softer areas of cyber-security, as in the strategy. What does success look like? How do we determine whether we have succeeded? What are the metrics? It is not an easy thing to answer, but I think it is a good question to ask.

Chair: This is very helpful, because you are giving those who are just about to answer the questions the chance to work out what it is that they are going to say in response to these questions.

Professor Collins: Recent history shows that the Ministry of Defence has undertaken almost no operations without being part of an allied group. How does cyber-security work in the context of working with allies, some of whom we have worked with continuously for some time, and some of whom, as it were, we are meeting for this occasion, whatever that operation might consist of. How does that work out? Have we got existing protocols or established mechanisms by which we set up those alliances, and the cyber-security that needs to exist within it, quickly and effectively?

Professor Sir David Omand: The other thing that I would ask in a closed session is about the advantage that our long-standing relationship with the United States gives, in both military and intelligence terms, in getting a handle on some of these technological developments.

Chair: Thank you very much indeed for informing us and our session, and also our next session.

Prepared 22nd May 2012