Defence Committee - Minutes of Evidence HC 106

Oral Evidence

Taken before the Defence Committee

on Wednesday 18 April 2012

Members present:

Mr James Arbuthnot (Chair)

Mr Julian Brazier

Thomas Docherty

Mr Jeffrey M. Donaldson

John Glen

Mr Dai Havard

Mrs Madeleine Moon

Sandra Osborne

Bob Stewart

________________

Examination of Witnesses

Witnesses: John Bassett, Associate Fellow, Cyber-security, Royal United Services Institute, Professor Brian Collins, Chair of Engineering Policy, Faculty of Engineering Science, University College London, and Professor Sir David Omand GCB, Visiting Professor, Department of War Studies, King’s College London, gave evidence.

Q1 Chair: Gentlemen, welcome to the Defence Committee. I am sorry to have kept you waiting outside. We will get on as speedily as we can. Would you like to begin, please, by introducing yourselves for the record?

Professor Collins: My name is Brian Collins. I am professor of engineering policy at University College London.

John Bassett: I am John Bassett. I am associate fellow for cyber-security at the Royal United Services Institute.

Professor Sir David Omand: I am David Omand, currently visiting professor at King’s College London, previously security and intelligence co-ordinator and, probably of relevance here, Director of GCHQ.

Q2 Chair: You are all most welcome. This is our second Cyber-security inquiry, and we will be doing a third in due course. The SDSR described the National Cyber-Security Programme and its impact as transformative. Do you think it has been?

Professor Sir David Omand: Transformation is needed, and transformation will take time. It would be wrong to say that the programme has already been transformative, but it has the potential to make significant improvement in the vulnerabilities, which we will no doubt discuss, in a number of areas of national life that are subject to cyber-threat.

Q3 Chair: Do you think there has been a change of approach since 2009, or merely a promise of a change of approach?

Professor Sir David Omand: More money has been allocated, and that makes a big difference. The conceptual approach is very similar. I do not detect a great difference in that. The strategy itself is perhaps more clearly mapped out in terms of the areas of priority, and there are some important political statements, notably the importance of the cyber-realm for future national prosperity and economic growth, and the social benefit that will come from having it. I think it is more clearly stated that the purpose of cyber-security is to secure those gains. It is not an activity in its own right.

Q4 Chair: Would either of you like to add to that?

John Bassett: I endorse Sir David’s comments. It seems to me that the benefits there have been from this and the previous strategy are essentially conceptual; that there is recognition of the nature of the threat that is faced and what we need to protect. There is also some sense that it is going in the same direction, and that it is evolving and will continue to evolve if we are successful, because there are still some areas of lack of understanding. We just do not know exactly how the internet will impinge on society. It is healthy that it continues to evolve, and I look to other strategies in due course to replace this one over a period of years rather than decades.

Q5 Chair: Professor Collins, what do you think the 2011 Strategy does well, and what do you think it does badly?

Professor Collins: I would reinforce the comments that have just been made with regard to an overarching strategy that is designed to pull together the whole Government around the issue, rather than it being seen as an intelligence issue, a defence issue, or probably a Home Office issue in isolation. It is holistic for the well-being of the Defence of the Realm; the military aspect is only one part of that. What it does well is to do that.

What it does not address is the pace of change that is needed. The organisational inertia that exists in Whitehall will get in the way of delivery. Perhaps as a codicil to that, going back to your previous question, there is an assumption that there will be continuity of stewardship of the strategy over a period of many years. History shows us that continuity of stewardship of strategies of this nature is quite difficult to achieve through our democratic process. We need to flag up the fact that that is so important to the well-being of our society - and, indeed, developed societies around the world, because we are not in isolation from other developed societies. That is what cyber-space does to us: it connects us richly to everywhere else on supply chains and economic and social well-being. Unless we maintain that stewardship over a period that is much longer than the five-year electoral cycle, we will fail to deliver the desired outcomes.

Q6 John Glen: Building on that, is not one of the issues the internal co-ordination within Government? One of the challenges is how you identify who should be responsible for what among the National Security Council, the Ministry of Defence, the Armed Forces and the GCHQ, and how they fit together. How do you see the effectiveness of that cyber-security planning process at the moment?

Professor Collins: I would say it was work in progress. It is getting better, from my perception, given where it was, let us say, seven or eight years ago, when in a previous role I worked for the Defence Academy as a professor educating the military on information assurance and cyber-security matters. It was clear that that was completely disconnected from what was happening in the rest of the commercial world - and other parts of Government, even. Now we are beginning to see a much deeper understanding of the interconnectedness and interdependency between these various elements of our well-being. We are moving in the right direction, but I still come back to the fact that the threat is moving much faster than we are.

Q7 John Glen: Is it not a fact that, in some cases, some of the actors can be benign, curious individuals, versus actually identifying where malign intent exists? Does that not create ambiguities and uncertainties over who should take responsibility? How are those things being resolved, in terms of who owns it? The Whitehall structures tend to focus on a single point of ownership yet, by its very nature, it necessitates the involvement of multiple agencies. How is that resolved at the moment?

Professor Sir David Omand: I am not sure that I would put it quite that way. One of the improvements that has been brought in is to have central policy co-ordination. It is a very small team, located in the Cabinet Office. I have questions about whether there are enough people in that team with really deep expertise but, in principle, that is the right place to have that co-ordination.

Then we have to look, for example, to the Ministry of Defence to be responsible for safeguarding its own networks and transactions, for making sure that its networked equipment and network-enabled capability is not sabotaged by cyber means and so on. That is clearly its responsibility. Where does it look for its professional technical advice? It has capability of its own in the defence scientific and technical laboratories (DSTL), but the national centre of expertise is in GCHQ in Cheltenham. Again, one of the innovations that has been introduced is to set up the cyber-operations centre (CSOC) down in Cheltenham as a joint organisation, with representation across the interested Departments, so that there is that connection.

As a nation, we cannot afford - particularly in the current circumstances - to duplicate expertise. It would be nice to have different centres of expertise but I don’t think that we can afford it, so what has happened is we have put it in one place and made sure that everyone is contributing to it, and can draw from it, particularly in relation to the most sophisticated, advanced persistent threats, where there is now a centre of expertise. The Ministry of Defence can go there for advice and technical assistance. That seems okay to me.

Then you go round the rest of Government. HMRC has a big cyber problem with all its networks. It is its responsibility to sort that and make sure that it takes on the right kind of professional technical expertise to do it. I do not think that it is so difficult. As Brian has said, what is more difficult is looking ahead. How will this evolve? Will we be ahead of the curve and spot the next generation of threat appearing? I hope that research is going into that but I am outside the system now so cannot comment.

John Bassett: If I might make just one observation, looking at international partners and so on, we are rather better joined-up than some of our international partners. Accepting that it is work in progress, and that it is still ongoing, there seems to me to be quite a lot more co-ordination and jointery here than overseas, in some cases.

Professor Sir David Omand: To add a specific example, which perhaps goes to your point, I would advise the Office for Security and Counter-Terrorism at the Home Office to put more effort into the cyber domain, not because we currently face a big threat from terrorist use of the cyber method, but because we very well could, and it needs to start thinking about that. It needs to start thinking about the role of the police in being able to access social media to derive intelligence, for example, to help in riots and crowd control, and all the rest of it. There are lots of things that Departments like the Home Office need to be thinking about now, all within the overall strategy that the centre is setting up.

Q8 Chair: Do you think that the 2011 strategy represents a proportionate approach to the different types of cyber-threat, for example, in relation to cyber-crime, terrorism and other national security threats?

Professor Sir David Omand: There is a real problem in trying to devise something called a strategy that would meet your standards of connecting ends, ways and means, because this is a big, baggy monster of a subject. It covers everything from the vandalism of websites at one end to what putatively could be acts of armed aggression at the other, with crime in between.

I would limit the expectations of what you should look for in a national strategy. You have to break the subject back down into, for example, financial crime or countering espionage and then really have sub-strategies looking specifically at those kinds of threat. There is a limit to how far you can take strategising at the grand level on a subject like this, and it is moving so fast.

Professor Collins: The Government are not the only organisation that have a strategy in this domain. Clearly, if you work in the financial markets in the City, you will find that all the major banks, clearing houses and insurance companies have major strategies and major investment. Some of that might dwarf what the Government are doing because they are seeing real money being put at risk, in the way that the Government have other things that they value being put at risk. You have to take a more holistic view of what the total investment - financial and political - is in this subject. To answer your question in a more accurate way, just to look at the Government piece is not sufficient.

Q9 Chair: The Strategy talks about "exploiting the cyber environment for our own national security needs". What do you think that means?

Professor Sir David Omand: I could hazard a guess.

Q10 Chair: Would you care to do so?

Professor Sir David Omand: It may be completely wrong, since I did not write the document.

Chair: Of course.

Professor Sir David Omand: I suspect that it is a euphemism for the fact that, while cyber-security focuses on defending ourselves from aggression from elsewhere, we, too, would be capable should it come to it to use the cyber-domain for our own offensive purposes, for example, in taking out an air defence system where we are engaged in military operations. We have to look not just at the defence, but at the potential offence within the law, within international humanitarian law and within all the constraints that armed force would normally find itself. That is one possible explanation - we can actually exploit this.

John Bassett: Perhaps one would add that ongoing active intelligence gathering that the state would wish to do will be done in cyber-space as well as in other areas. That is another activity that would fit into that description, I believe.

Q11 Chair: Professor Collins, would you like to add to this?

Professor Collins: No, I concur with what has just been said.

Q12 John Glen: Some of what I ask has been covered in your answers. The Intelligence and Security Committee report identified 18 departmental bodies that were interested in cyber-security. You have explained how there has been a significant effort to co-ordinate efforts into a single entity, but each of those bodies will have a different perspective on the threat and its nature. Going forward, it is difficult to see how the MoD would have the same perspective on malign threats as the Home Office, for example. There will surely need to be some movement in terms of who takes responsibility and ownership. If that central co-ordinating agency does not do justice to the interests of one part of it, it will, of necessity, become fractured. How do you see that organisational model evolving? How will different ownership for the different bits of cyber-security evolve as the threats and people’s interpretations of the risks differ across different parts of government?

Professor Sir David Omand: I shall answer that slightly indirectly, by saying, "Were you to ask me in 1910 the same question in relation to the invention of the internal combustion engine, you would immediately see that here is a transforming technology." Every part of government has a potential interest. There is a big upside in economic growth, and the nation needs to develop the technology to master the use of such devices, but there is a dark side. There was a dark side to the motor car - criminality, warfare. In exactly the same way, in the cyber-domain, we can see a dark side. Every part of government has got to be involved in this. I would be very against trying to over-centralise this kind of thinking about cyber.

Q13 John Glen: The Department for Transport, in the end, owned it, with respect.

Professor Sir David Omand: It has a policy responsibility. In the case of cyber, that is what we must look for from the central Cabinet Office policy team. It is at a high level. Work will continue on the cyber-implications of the work of Government Departments and their communications, their databases and so on, and the public’s use of these. For example, the Government might use social media to inform the public about their responsibilities, benefits that they might need and so on. In an emergency, they might give the public information about what is going on. That, too, will need analysis.

As I say, you have to be quite devolved about this, and then have a powerful centre that can lay down some high-level policy and sort out arguments, when they arise, about whether it is more important to go for economic advantage or try to get more security over there, because there will be conflicts. For example, I think there is a conflict for defence between the current fashion for buying things off the shelf at the cheapest price and taking the time and expenditure to write computer code that is genuinely secure. Somewhere, somebody in defence has to strike a balance between those. Most of the successful cyber-attacks have come about because of flaws in the computer code that should not have been there if it had been written properly. If we go about just buying stuff off the shelf, including computer software that has been bundled together from pre-existing blocks of software, then I am afraid we are making ourselves vulnerable. But that costs, so somewhere there are trade-offs. For some of these higher-level issues, again I look to the co-ordinating policy centre to put this before Ministers and try to get some guidance on where to strike the balance.

Q14 John Glen: Thank you; that is a very helpful analogy.

John Bassett: I wonder if the historical perspective isn’t helpful in this in a slightly different way. If we look to the cold war, we would see then that the Home Office would have a particular set of national security concerns, which might be in the espionage area, and the Ministry of Defence might have interests that are in the nature of the deterrent or the central front. In some ways, that is the kind of reconciliation we would need now. It isn’t so very different from the kind of reconciliations that we have done in the past with some degree of success. I don’t know that the co-ordination challenges are so very different from some of the challenges we have faced in this and the previous century.

Professor Collins: I would add one point, if I may, John, that does complicate things, and that is the complexity of the nature of the multifarious threats that we face and the lack of clarity, as you have indicated, as to what their purpose might be. Is it bravado or is it to damage or steal something valuable? That complexity compounds the difficulty of this co-ordination process strategically. Tactically, I don’t think we are in bad shape at all. However, to be in a situation in which you can anticipate where some of these things might be coming from is a combination of intelligence-gathering, which we should not go into here, together with some idea of where individuals or groups might be taking their thinking, when we would regard that as undesirable for us. That horizon-scanning function is a piece that I see missing. We don’t appear to have resourced that as effectively as we could have done. Although there are words in the strategy that say that is what should be done, I don’t think we have put enough anticipatory investment in place, not just in Government, going back to my previous point, but Government with others who play in this space. The need for national secrecy sometimes impedes that collaborative activity.

Q15 John Glen: That is exactly my point. The nature of that collaboration means that compromises are made in order to have co-ordination and a single view.

Professor Collins: There shouldn’t be any within Government, but my point relates to between Government and other bodies inside the nation - not international collaboration, which has its own problems of course - such as the City, other operators and other critical national infrastructure activities.

Q16 John Glen: I just want to get to the bottom of this point with respect to the MoD. If the MoD felt as a single Department that that horizon-scanning was inadequate - those that were represented in the central planning body - then it would probably be a failure if it decided to undertake a separate departmental activity that was in some way extended.

Professor Collins: It would certainly be less efficient than it might be.

Q17 John Glen: That is a reasonable measure of success perhaps.

Professor Collins: Yes. That is entirely right. However, at the technical level I should have mentioned that I left the position of Chief Scientific Adviser in BIS and DFT last May, so I sat on the National Security Council sub-committee for Science and Technology, as one of all the chief scientific advisers involved in this matter who sat at that table. That body was the one that would advocate a rise in scanning activity in a pan-departmental way, at least about social science and the physical sciences. I emphasise that because we were very keen to ensure that more social science research was done on futures and horizon-scanning. That was work in progress. I am no longer on that body so I don’t know whether that work is proceeding. There are indications that it is. I still do not believe that it is being resourced as effectively as it could be. There is maybe too much emphasis on the short-term tactical as opposed to the longer-term strategic.

Q18 Chair: You said earlier, Professor Collins, that the strategy did not pay sufficient attention to the pace of change. Are you able to give us any quick example of that?

Professor Collins: If I had suggested three years ago that people would be organising riots in the streets using Facebook, no one would have even understood what the words meant. Last summer, that is what we saw. Now, if you say to law enforcement or, indeed, maybe to parts of our military operations, "Do you expect to see those sorts of applications being used to organise a significant threat to us?", I do not believe that we have the mechanisms in place a priori, as opposed to by way of response, to anticipate where some of those things may be hitting us. That is one example not so much in the defence domain as in law enforcement, but you can clearly see how that could be expanded into more international domains, which would be of interest to the Ministry of Defence.

Professor Sir David Omand: Another interesting cyber-example, which I certainly did not predict and I am not sure that the Ministry of Defence had anticipated, was what the impact of soldiers and Service personnel equipped with mobile telephones with cameras would have on the home front - the blogging and the sending-back of real-time video of combat. It is completely unheard of in history to face that kind of situation, and I think people are just getting their minds round it now.

John Bassett: If I may make one point to build on those themes, these examples, whether it is Facebook and the riots or mobile phone cameras and so on, are existing forms of technology, but they are used in different ways. Facebook had been around for some years before it was used in the riots and cameras likewise. It is important to think of cyber-security not just in terms of changing technology but, perhaps critically, in terms of how people are using that technology. The technology develops and can develop quickly, but people are actually capable of using these things in unexpected and unforeseen ways very much sooner than the technology changes. It is the people who, as ever, are most adaptive and the fastest moving.

Q19 Mrs Moon: I am just wondering whether the people of Tunisia, Egypt and Libya are not absolutely grateful that the technology to predict what has been organised is not in place. We can talk about it in terms of riots, but it has also had beneficial effects for people living with tyranny, so I do not think that we should underestimate that. I certainly have seen the police force using Facebook to look at criminal networks, but can you give us a summary of threats to the Ministry of Defence and Armed Forces networks and of the nature of cyber-security threats?

Professor Sir David Omand: As I read it at the moment, they perhaps fall into four or five categories. The first is straightforward criminality. The MoD, as any other large organisation, has bills to pay and staff to pay, and it has to protect itself from criminal activity. That is no different from any other organisation, but it is quite a big organisation, so it has to be taken rather seriously.

Then we have a trio of espionage, subversion, and sabotage, which are not cyber-war. They are far short of cyber-war, but they are very serious. So that means stopping hacking into networks in order to gain intelligence, either on equipment or on military activity. What I would regard as subversion is the Jihadist websites and suchlike. There is also the possibility of sabotage, where the particular bit of network or kit that you are relying on in combat suddenly does not perform as it should because it has been degraded and you did not know that a Trojan had been planted.

Not currently, but in the future, we have the possibility of more widespread and more serious cyber-attacks, which, in a situation of national emergency, could mean that the electricity does not work and you have attacks on the infrastructure. That is of interest to the Ministry of Defence, because it will of course depend on that infrastructure both to mobilise and then actually to support military operations. That would be my spectrum.

Q20 Chair: That’s three.

Professor Sir David Omand: No, that’s five.

Q21 Mrs Moon: Can you give us some examples of where this has actually happened, not necessarily in the UK but where a military network or operational asset around the globe has actually been impacted? Are there key ones that stand out as good examples for us to look at?

Professor Sir David Omand: That might be a question you want to address in a closed session. I can only rely on what I read in the newspapers.

On espionage, there is plenty of evidence of penetration. The Canadian discovery of GhostNet, as they called it, was a major penetration by a state power looking for intelligence and commercial information. The Australians also suffered in the same way, and they did actually pin that to a Chinese source. Again, that was for commercial purposes. I think we are all familiar with the subversion side and the jihadist websites.

I am not aware of many properly documented cases of sabotage in which somebody has planted some Trojan or virus. Stuxnet is the one everyone talks about, but, in my view, people jumped to the wrong conclusions on the Stuxnet experience. What Stuxnet shows, now that the code has been examined in very great detail, is that it was a very specific attack on the centrifuges at Natanz, although, as viruses do, it actually spread elsewhere. The virus would not have harmed anything else, because it was written and designed, and had to be written and designed, only to attack that target, including the specific location of the centrifuges and the way they were patterned. All of that is clear, I am told, from the code.

So there is a relationship: the more damage you want to do, the more specialised your attack has to be. Therefore, if you really want to knock out the enemy’s air defence system, you are going to have to design something very specifically for that purpose. It won’t knock out their civil infrastructure. Not only that, to design it you are going to have to have a huge amount of intelligence - detailed technical intelligence, and probably insider knowledge and insider help. Finally, you have to be attacking a system that has some flaws in it. If the system is really well designed and protected, you will find it rather hard. As we know with Stuxnet, they were attacking a Siemens control system that everybody knew had a flaw in it. As far as I know, the flaw still hasn’t been fixed. That is the kind of approach that I take.

The thought I would leave with you on that is that the threat of sabotage at the moment is probably relatively low, but it is likely to rise because knowledge of how to do this is likely to increase. It would be a reasonable prediction to say that this kind of threat will increase. So now is the time to start work on it and now is the time to do the research and development, but I would not overwrite it or overhype it. As I say, we haven’t faced a massive cyber-threat of sabotage of our systems. That is only one view, and I could be wrong.

John Bassett: It seems to me that, if we take Stuxnet as in any way representative of cyber-weapons, Sir David’s comments are very apposite. This is something that has clearly had a huge amount of intellectual capital poured into it. Sir David has illustrated very clearly that it could only be used once for one thing, so we are really talking about almost hand-crafted weapons in that sense. This is not something where one can easily imagine a production line of high impact cyber-weapons. I may be wrong in saying that, but that is just my perception, if we can in any way see this one example of Stuxnet as indicating anything of the future.

Professor Sir David Omand: A modern anti-radiation missile fired from an aircraft will home in on the sorts of frequencies you would expect from an air defence radar. What we are talking about here is spending a lot of time and energy building something that will attack only one specific kind of system. That will rather tend to limit it, and it is one of the reasons why I do not personally believe in cyber-war. This is a helpful adjunct in some circumstances to some nations, giving them perhaps a bit of an edge in certain circumstances, but we are not going to see battles going on in something called cyber-space.

Q22 Chair: Professor Collins, do you disagree?

Professor Collins: I do not disagree with the position we are currently in, but I think anyone who has the ambition to make things much more difficult for us will realise the limitation of what has just been described, and will be starting to look at targets that we have that do not have those very singular properties, so that they can not only attack, but mount campaigns - in other words, sets of attacks in different dimensions, whether social, technical, or political - in order to achieve their objectives. I do not think we should be in any way complacent about investigating what that might look like hypothetically, in order to at least understand what the threat mindset might look like, were they to go down that road. They will be looking for the appropriate economic balance between what it costs them to mount the threat versus what the impact will be. As has just been described, it is probably disproportionate against them at the moment, but they will not tolerate that for very long. They will be looking for softer ways of achieving what they want to achieve.

For instance, one example that I have had conversations with colleagues in the Department of Energy and Climate Change about is smart meters. If there are 35 million of them littered throughout households and industrial premises in this country, and there is a degree of uniformity about them, so that electricity monitoring can be carried out easily and at a very low cost to us, that uniformity - in contrast to what has just been described about Stuxnet - provides a blanket mode of attack. You can attack all of them all at once and disable them, subvert them or do things with them. Although defence may be one stage away from relying on the energy systems of this country, were the electricity to disappear for very long, I think MoD would have some problems. That is just one hypothetical example of where we are actually putting in systems that have uniformity, and we are putting them in at scale.

Q23 Mr Brazier: My question follows straight on from that last point. The rather good pamphlet, I thought, by Graeme Lamb and Richard Williams makes the point that we tend to focus on security in cyber and protecting our systems, and we have missed the opportunities for offensive warfare as we move from the industrial to the information age. In the First World War, we were not trying to design anti-tank weapons before we built tanks. Do you think that there is a very significant offensive capability in the cyber world?

Professor Collins: There will be a capability, but whether we should use it for our national purposes is one issue. It is rather like chemical and biological weapons: we had treaties to stop us doing it, but that did not stop us thinking about what such things might look like, so that we could defend ourselves appropriately. I think we are in exactly the same space. We have to try to put ourselves in the threat mindset to understand what they might try to create that would cause us damage. That is not quite answering your question. In doing that, we will understand - were we to want to, and were we to feel it was ethical and legal to do so - that we would be in a position to go down that road. That is a decision one would have to take at that time.

Q24 Mrs Moon: Professor Collins, in terms of the actors that we might be needing to defend ourselves against, a lot of focus has been on criminality, anarchistic groups and terrorist groups, but what about state actors? How significant is state-sponsored action thought to be, where one state uses cyber as a way of attacking another state? Is that a realistic expectation of the threat that we face?

Professor Collins: Clearly, you would not expect me to answer specifically whether it is a realistic one, in the sense of knowing whether such a thing exists, in open session. Is it realistic to assume that it might be possible? Yes, because it has happened in the past, and we should not repeat the mistakes of history by not examining what happened in the past, which I think we have a propensity for doing.

Q25 Mrs Moon: In that case, you are probably not going to like my next question. Where do you think the attacks would come? Would they come on supply chains, a particular asset, or networks, or would they be trying to influence the individual in the field – their communication systems, or the particular weapons that they carry?

Professor Collins: The answer to all of it is yes, because all of them have value propositions to a threat. I think what one has to understand is the value proposition to the threat in attempting to disrupt, destroy or steal from an asset that we would regard as valuable. That is the very simple equation that I think we need to examine. It goes back to my much earlier comment about horizon scanning. Part of what horizon-scanning activity ought to be doing is looking at those sorts of possibilities in this space, much as the Ministry of Defence does in its more traditional military operations space over a 30 to 50-year horizon. It looks at geopolitics. I know, because I have been involved in it. Is it doing that as vigorously and thoroughly in this space, in collaboration with other Departments, as it could? I suspect not.

Professor Sir David Omand: From a slightly different point of view, the most prevalent form of attack that falls into the state-versus-state category is espionage and the theft of intellectual property. It is very much in certain nations’ interests, for economic and commercial purposes, to get an edge by getting early sight of research work done in pharmaceutical labs, oil exploration, or whatever, so I think that is where we will see the leading edge of threat. Why would a state attack another state only with cyber-weapons? It wouldn’t. You could just about construct a scenario where a competent state used a proxy – Iran and Hezbollah, for example, if Iran were particularly pissed off with us and decided that something ought to be done. However, it gets far-fetched quite quickly, as against rather more straightforward ways of using your proxy to cause trouble. So I do not see this as cyber-domain stuff.

Professor Collins: No, nor do I.

Professor Sir David Omand: I see this as a question of whether states can use the knowledge that they now have of the cyber-world to improve their military capabilities – and yes, they can. The other point, at the risk of dampening down enthusiasm for all this, is that we are quite a small player in all of this. We are not really at the leading edge, when you look at the size of effort that goes on in the United States and, I imagine, other countries such as China. We just need a slight sense of proportion about that.

Q26 Mrs Moon: But it was a small State – Estonia – that faced a particular threat and experience, which woke people up.

Professor Sir David Omand: It woke people up, but it was actually only a denial-of-service attack.

Q27 Mrs Moon: As the Armed Forces are increasingly looking at network technology, are the increased risks to those new network-enabled weapons systems bringing a new level of risk?

All witnesses: Yes.

Q28 Mrs Moon: Or is the level of risk greater than when we were using simpler weapons, if you see what I mean?

Professor Collins: When I was a professor at the Defence Academy in Shrivenham, I gave lectures on network-enabled vulnerability, which is exactly your point. Yes, it has to be thought about in a systematic way across the new development. Every new development that the MoD puts in should be thought about in terms of what it does, especially – I am sorry, that is not very articulate. When it is networked, what does that do with regard to enhanced vulnerability that had not been there before it was networked? You are absolutely right.

Q29 Mrs Moon: So we need to offset enhanced capability against enhanced –

Professor Collins: New benefits normally do have new risks.

Q30 John Glen: Do you think it is useful to describe cyber-space as a new domain? I think, from Sir David’s comments, that he does not think it is, and I recognise that there is a present and a future. Obviously, if you get into that language, it has implications, in terms of how resources are employed and so on, particularly for the Armed Forces, in terms of acting in a different domain. I realise that there is a bit of a debate on this. It would be interesting to hear your three views, even with respect to the present and the future.

Professor Sir David Omand: My instinct is against thinking about cyber as a domain, because it is ubiquitous. If you are looking at land, sea and air and operations in those environments, they all involve activity that could be influenced by cyber, so it is not something to put in a compartment and say, "Within the Ministry of Defence, cyber is done by this little group in isolation". That said, obviously you need to have some focus of activity and some command and control, but I am just nervous about people thinking that because it is a separate domain, you are going to get separate activity. In the end, with cyber, it is real people who get hurt, real money that gets stolen and real intellectual property that gets pirated.

Q31 John Glen: You have cyber-war and cyber-weapons, do you not?

Chair: Maybe you do not have cyber-war.

Professor Sir David Omand: I think that the idea of cyber-war is very unlikely. Cyber-assisted war is very likely.

John Bassett: On balance, I can see some use for the concept of cyber as a domain at present, principally for the reasons that David has outlined – that it helps focus thinking on it. It is unclear to me whether in five years’ time we will think of it as a domain or not. I would say, yes, very gently and cautiously, at this stage let’s consider it a domain, but let’s be willing to drop it quite quickly if it proves that that is not the best way of handling it – not a very robust form of conceptualisation, I am afraid.

Professor Collins: I do not think that it is new at all. There is a very interesting book, published some years ago, called "The Victorian Internet", which is worth reading, because it is the history of the telegraph in the mid-19th century. In particular, there is an interesting military story whereby the military discovered that a telegraph message could be sent to the Crimea in about a day and a half. It took them six weeks to get the reinforcements there, by which time, of course, everyone was prepared for the reinforcements to arrive. That was when they woke up to the fact that the telegraph travelled more quickly than ships – a very salutary story. The relevance of it is to do with time constants, and the rapidity and global range and reach of what we now call cyber-space compared with where it was maybe even 10 or 20 years ago.

The parameters have changed, the nature of how cyber stuff interacts with all the other physical and organisational stuff, and those things are different. That is where I think that the acceleration of the rate of use, the rate of range and the reach of cyber stuff has changed the nature of how it interacts with all the stuff that we have traditionally done, and I am not sure that we have really bottomed that at all yet, as to what the impact of that change of time constant is. "The Victorian Internet" describes that in terms of days and months; we are now talking seconds, and that is really rather different for us, compared with where we were even 10 years ago. It is not new, but it does have aspects that are different.

Q32 Mrs Moon: From what you are saying, we are always playing catch-up, so what are the priorities that you see now for the next Defence and Security Review? Are we able to project that forward, or are we always waiting for the technology to come along to know what we have to start building our security around? Do you know what it is now for the next four years?

John Bassett: On a personal basis, I think that it is all about the people. It is about ensuring that we have enough good people in the Ministry of Defence, other parts of Government, academia and industry, and I think that we do not have anything like enough at the moment. I think that growing and skilling the people is, for me, the single most important thing for us to do.

Professor Sir David Omand: Iain Lobban, the Director of GCHQ, last year introduced the idea of the 80:20 division – you can get 80% of the security that you need through good hygiene, looking after people and your information, patching your systems up and ensuring that everything is up-to-date. For the remaining 20% – the really dangerous attacks and the advanced, persistent attacks – you really have to get into the intelligence space, understand who is attacking you and how you are being attacked, and work with the security industry to fix that.

One of my priorities would be getting the relationships right between the Government’s capability, particularly down at GCHQ but in defence as well; the security industry, which has a great deal of capability in this area; and their customers – the critical national infrastructure, the financial system, the defence companies and so on – so that we make a real impact on stopping the theft of intellectual property. I think it is possible to do that.

Another priority – this is not a defence priority – would obviously be in relation to criminal activity for gain, trying to cut down on losses from cyber-attacks for criminal gain. Those would be the things that occur to me first.

Q33 Mrs Moon: I am intrigued by what you said about the interrelationship between Departments and the private sector, and the sort of communication between them. What about building that relationship in relation to research and development, and building sovereign capability? Is that relationship in place, or is that something you need to develop?

Professor Sir David Omand: It was highlighted in the National Strategy, and my assumption is that people are working away trying to develop it. I would not hazard a guess how far it is there yet, but I think people are trying things out, and new relationships are being developed. I know that a number of companies have been working very closely with GCHQ and being given much more information – highly classified information – about the kind of attacks that are going on to steal intellectual property. It seems that that sort of trusting relationship – circles of trust – is essential. The Government cannot do all this themselves, working directly with the thousands of different companies that are under attack. We have to mediate it through the industry.

Professor Collins: There is a joint programme that Research Councils UK and GCHQ are funding, which announced only last week new centres for academic excellence – I think six universities in this country, it was announced. It is exactly aimed at providing the bigger pool of expertise that we need, but it will take time.

Q34 Chair: We are just about to go into private session with those responsible for this within the Ministry of Defence. Is there anything you feel that we should know that you have not been asked questions about, or that would be the key question that we failed to ask? What would you answer to that?

Professor Sir David Omand: The question I would ask, I have to say – looking behind me at the people you are about to address it to – would really be about priority. The cyber-security domain was put up as one of the top four national security priorities. If we are going into defence, the question I would ask would be: does it have an equivalent priority within defence? Is it being taken sufficiently seriously? Are the organisation and the levers in place to enable those who are co-ordinating this work to make sure that every aspect of it is taken seriously? As I was saying at the beginning, we are dealing with an enormous range of potential threats, some of which may be at the more trivial end, but some of which are extremely serious. I hope that the Ministry of Defence is really up for this.

John Bassett: If I were you, I would ask what the metrics for success in this area are, particularly in the softer areas of cyber-security, as in the strategy. What does success look like? How do we determine whether we have succeeded? What are the metrics? It is not an easy thing to answer, but I think it is a good question to ask.

Chair: This is very helpful, because you are giving those who are just about to answer the questions the chance to work out what it is that they are going to say in response to these questions.

Professor Collins: Recent history shows that the Ministry of Defence has undertaken almost no operations without being part of an allied group. How does cyber-security work in the context of working with allies, some of whom we have worked with continuously for some time, and some of whom, as it were, we are meeting for this occasion, whatever that operation might consist of. How does that work out? Have we got existing protocols or established mechanisms by which we set up those alliances, and the cyber-security that needs to exist within it, quickly and effectively?

Professor Sir David Omand: The other thing that I would ask in a closed session is about the advantage that our long-standing relationship with the United States gives, in both military and intelligence terms, in getting a handle on some of these technological developments.

Chair: Thank you very much indeed for informing us and our session, and also our next session.

Examination of Witnesses

Witnesses: Air Vice-Marshal Jonathan Rigby, Director, Cyber, Intelligence and Information Integration, and Major-General Jonathan Shaw, Assistant Chief of Defence Staff (Global Issues), gave evidence.

Resolved, That the Committee should sit in private. The witnesses gave oral evidence. Asterisks denote that part of the oral evidence which, for security reasons, has not been reported at the request of the Ministry of Defence and with the agreement of the Committee.

Q35 Chair: Thank you very much for coming to inform us, in an entirely private session, about some of the questions that we have to ask. Would you mind giving a very brief summary of what you both do, please?

Major-General Shaw: Major-General Jonathan Shaw. For the past year and a bit – since its inception, in fact – I have been the head of the Defence cyber-security programme, which I may go into a bit more detail about, but which effectively means that I am responsible for the £90 million that came across from the Cabinet Office as part of the national cyber-security programme. This post was created in response to SDSR, and it was the MoD taking cyber seriously for the first time. I leave in about a week’s time, and my colleague to my right will be the next head of the Defence cyber-security programme. I am handing over to him, so you have the past and the future.

Chair: Right. Thank you.

Air Vice-Marshal Rigby: I am John Rigby; I took up my post about three weeks ago. The post was originally intelligence capability, and it has grown, as part of the normalisation process for cyber, to include cyber-capability and elements of information operations. That is the role.

Q36 Chair: Okay. Thank you very much. Can you describe the chain of command in relation to the cyber issue? It is defence security within the MoD and within the armed forces. If you could stick within the Ministry of Defence part to start with, we will then broaden it out.

Major-General Shaw: I think it is best here to talk about the future rather than the past. The future is tentative and there are areas that I will highlight as being in discussion. What we are really talking about now is the creation of the Joint Forces Command, which took effect from 2 April. It instituted a new process, which has yet to bed in and yet to be finally decided upon.

In effect, the chain of command for cyber operations follows the chain of any other form of operation, in that if we were doing an integrated operation, there would be cyber elements within it. From that point of view, the command and control of actual cyber operations within the military domain are run as in any other operation, because the whole key about cyber is to look at the effects you are hoping to achieve and, if it were part of military effect, it would be merely one of the tool bags. It goes back to some of the discussion in the open session earlier, whereby cyber is not seen as something separate – a completely discrete stove-pipe – but merely another golf bag that the military commander has at his disposal.

Therefore, the cyber effect needs to be woven into the overall effect that is being achieved by the Joint Commander. That is very much the model we have and, therefore, the operational chain – if we are talking about delivering the operational effect – remains as it has always been, with Permanent Joint Headquarters and the Chief of Defence Staff, and those lines of operational authority. The confusion has perhaps arisen from the fact that the Joint Forces Command is there to generate capability to be used by defence on those operations, and there the chain of command is in flux, because hitherto we have had part of the cyber-defence bit being owned down at Corsham under one chain of command. There was also the targeting and information operation function in the main building, as well as various disparate bits.

The whole point of the creation of my post was to bring all that together into one coherent package. The point of the creation of the Joint Forces Command is to provide one focus, which will be my successor here, who will be driving the development of capability across defence, so the various bits of force generation and cyber-capability will be developed in accordance with the plan at Joint Forces Command. That is the single service piece; it is the joint cyber unit at Cheltenham; it is the operations taking place at Corsham; ***

There are two chains of command: an operational chain of command that remains much what it was, and the capability development chain of command, which very much centres on the Joint Forces Command. The operational command and the capability development command both sit at Northwood within the structure of the Joint Forces Command. I do not know whether anyone wants to comment on that.

Air Vice-Marshal Rigby: I have just a couple of things to say. On reducing the cyber risk or seeking to achieve a cyber effect, that would come directly out of a contingency plan or the campaign plan. As we have just said, it would be another element of the military capability portfolio that one either needs to protect or use in a defensive role. We would then be working very squarely with GCHQ among others, but we would then actually ensure that our capability was delivered in order to achieve the commander’s effect.

The only other thing I would add is that the DOC is currently conducting an audit into the detailed command and control relationships between the different components of the cyber world. That is due to go to the Secretary of State at the end of May.

Q37 Chair: Who is conducting the audit?

Air Vice-Marshal Rigby: The director of operational capability is conducting an audit into progress thus far and recommendations for detailed command and control arrangements. I am squarely responsible, but it is on how we achieve unity, and it goes to the Secretary of State at the end of May.

Major-General Shaw: I think that it is worth commenting that the critical issue is something called *** which you may have heard about. Hitherto, it was the mission to defend our network – pretty much the focus of MoD’s effort in cyber-space and the protection of our own networks. It was called ***. It was run by the Chief of Defence Matériel. In many people’s judgment – I am one of those who believe it – what we have learned over the past year about the nature of operating in cyber-space means that the idea that we can just have cyber-defence as one hived-off piece has been overtaken conceptually.

Actually, there is no such thing as pure cyber-defence. If you want to secure your networks, you have to manoeuvre in cyber-space. If you are going to manoeuvre in cyber-space, yes, you need some defensive elements, but you also need the ability to punch the enemy as well, if I can use that metaphor. ***

Certainly my recommendation, as it went to the Joint Forces Command, was for it as a standing operation, running our networks and defending them. That is very much how conceptual evolution is affecting our organisational structures. As I say, it is that decision that will go to the Secretary of State in the next few weeks, as per the DOC audit. I have not seen the DOC report, but I would hope that that is the answer it gives.

Chair: At 3.49 pm, there is likely to be a vote – perhaps more than one. Julian Brazier needs to go at some stage. I have more questions about the chain of command, but I wonder whether I can ask Julian Brazier to ask his question first.

Q38 Mr Brazier: Thank you very much. Following straight on from the answer that you have just given, what planning assumptions will inform the development of your future cyber-force? You have told us what it will look like structurally, but that is too general a word. What sources are you looking at? You have been given a significant amount of money, and you have thought a lot about structures. What is the bible on what the threat is out there? What are the assumptions?

Major-General Shaw: I think the first assumption that we would make is that we are aiming at a moving target and that, whatever we come up with now, we will have to test and adjust with reality, if not anticipate it. We have come up with various force levels, which are the basis of the DCOG – the Defence Cyber Operations Group. That is the programme of new line serial numbers for personnel operating inside Cheltenham, working with GCHQ in the Joint Cyber Unit, Cheltenham.

Q39 Mr Brazier: Uniformed people?

Major-General Shaw: Those are uniformed people working inside Cheltenham, helping them to come up with national capabilities. Here it is worth stepping back a stage and saying that the British response to the cyber threat – this is very much what you hoped for – is to create a national bucket of capability, from which everyone draws. As for what David Omand said, there is only one thing I would disagree with: I do not believe that it would be nice to have separate stove-pipes of capability. I think that the UK is significantly advantaged by having one bucket of expertise. That one bucket of expertise is GCHQ. We are contributing personnel into it to ensure that in the development of cyber-capability there are military people there, both to add their expertise to that development and to give the military input on what sorts of effects we might be looking for in cyber-space.

Q40 Mr Brazier: Following directly on from that, I was encouraged to hear what you said about the manoeuvrist point ***. To what extent will you be looking to reservists and the private sector for skills for this? Obviously, you already have the specialist signals groups.

Major-General Shaw: Well, there are minimalist and maximalist options here. At the moment, General Brealey, who is heading up the study on behalf of Defence, is starting it small, with the unit you have just mentioned and with formed units and nice haircuts and people doing drill – what you might call conventional cyber-reservists. My vision on cyber is very much inspired more by the Estonian model, by thinking more broadly about the sort of people that UK Ltd needs as a reserve capability, because so much of our cyber-resilience, if we were to suffer an attack and needed reserve capability, is not about uniformed people as such.

If you go down to Corsham and look at the Joint Cyber Unit, Corsham, which handles our defensive aspects, you are hard pushed to tell who is a service person and who is a civilian, because cyber-capability breaks down all the barriers between civilian and military, and it breaks down the barriers between war and peace. It is ever-present and it is a capability. If we are facing a national crisis, we will need a national reserve more than we will need a military reserve. I can see where there may be cases where we need to send some military cyber operations overseas, and that will have to be service people, but the grander vision for reserves is to go for a national reserve that really will attract people with ponytails and earrings and will not force them to go through the same military strictures that we conventionally think of, so that we pull in the people with the requisite talent to get involved in the national effort. That will take a different sort of mindset and a different kind of approach.

Q41 Mr Brazier: A very quick point, if I may throw it in, because we will have to vote any second: the point that those in the specialist signals group made to me was that they really think that they are getting those sorts of people. They are getting a very wide variety, but in terms of sending teams abroad to do some of the quite exciting, chunky things they have done – normally a two-man team – they always like one of those two people to have had some military experience in another context. Simply putting a guy into a job who has not got any military experience – they are all cyber experts and they all do it for a living and that is brilliant – is actually less valuable in that, working on his own.

Chair: Are you asking a question here?

Mr Brazier: No, I am not. I am making a point.

Chair: ***

Air Vice-Marshal Rigby: ***

Chair: I am afraid that we are going to have to vote. We do not know how many times we will be voting. We will come back as soon as we can. We aim to get this evidence session over by 5 o’clock, if that is okay, come hell or high water. Thank you very much. We will be back soon.

Sitting suspended for Divisions in the House.

On resuming –

Q42 Chair: Julian Brazier was in the middle of asking you questions about, among other things, the Defence Cyber Operations Group and what planning assumptions will be used. We heard the phrase "cyber-hygiene" from David Omand before. What are you actually doing to instil cyber-hygiene across not only the Ministry of Defence, but the armed forces in general, and also the rest of Government? I suppose that may not be your responsibility.

Mrs Moon: And the Defence Committee.

Chair: And the Defence Committee.

Major-General Shaw: It isn’t, you’re right, but you have touched on a wider theme. The interconnectedness of us all means that there is a national issue about education on cyber-hygiene. As part of the training needs analysis work that we undertook as part of the defence cyber-security programme, one of the strands was personnel and training and skills needs. That broke down into an analysis of the specialists. We would need the top-end specialists with hybrid skills doing bits of this and the other stuff, and a sort of general level of awareness that everybody needs across the bottom end. That work has just reported at the end of March. Those plans are being put into place now across Defence. Just as the Government have issued the "Get Safe Online" document both in hard copy and online, so within the MoD we are stepping up our cyber-hygiene efforts to educate all personnel in the requirement for cyber-hygiene.

Air Vice-Marshal Rigby: There are two aspects. The first is counter-intelligence to make sure that if there were an insider threat – someone with malicious intent within the forces – we would need to get them and make sure that that threat did not materialise. We have recently taken on responsibility within defence intelligence for doing CI, and we are increasing the number of analysts set aside to make sure that our people are safe, so that they do not have the opportunity. ***

The other thing with GOSCC at Corsham is to ensure that the patches that we put on the systems and on the network are up to date, and they are very professional at doing that. You can never be there all the time, but as long as the gap between a threat being identified and a new patch going on the system is minimised, then your system – just like at home – is more protected than it would otherwise be. Those are two other aspects that are really important for hygiene.

Q43 Chair: Which brings up the question that Professor Collins raised about working with allies, and whether there are decent protocols in place, particularly working with the United States – something that Sir David Omand raised ***.

Major-General Shaw: Cyber is just another effect, or rather, to put it another way, it is merely the latest medium through which to achieve effect. Therefore, all the normal effects that we try to achieve, and all the normal relationships that we have, suddenly have a cyber dimension to them or cyber ways of achieving them. Hence everything that we have tried to do before and all our international relations now have a cyber-annexe on them.

That is easier in some areas than it is in others. For instance, our relationship with the United States is, inevitably, the most mature. The close relationship between GCHQ and the NSA has built on historical ties. The new kid on the block, but coming right into equal top place, is Australia with its Defence Signals Directorate, which is its GCHQ equivalent. Unlike in Britain, where our GCHQ does not sit in the MoD, their DSD sits within their MoD. That is their national centre of excellence. The primary relationship that we have internationally is between the United States, ourselves, and Australia – the three Departments of Defence. That memorandum of understanding between the three of us really opens the doors to closer co-operation between the three of us. The ambition now is to make that memorandum of understanding actually substantive in terms of operational co-operation.

Here we run up against one of the issues, which comes back to the point that we mentioned earlier about stove-pipes. Whereas Australia and Britain find it very easy to co-operate together – they have similarly fluid legal arrangements and one national centre of excellence, so agreements can be made fast ***

***We have good talks with France, but, again, we have hit problems that are familiar from other areas where we are working with France. *** What you will note about what I am saying, though, is that we are starting to talk now about bilateral relations, because we find that bilateral relationships are where you can make progress. The more people you have in the group, the harder it is to make progress. That absolutely is epitomised by the problems that we are facing in NATO, trying to get agreement on this. The NATO team is very much run by the Estonians, because they are the people who have been stung the most, so they have put the most effort into it. They are in what I would describe as post-attack mode, and they are determined that it should never happen. I sense that the rest of us are slightly, in national terms, rather hoping that it does not happen and not taking it quite as seriously as perhaps we should. In terms of creating unified NATO policy, I think that is a very slow boat indeed. That policy is coming along, like all NATO policy, at the speed of the slowest runner. There is, therefore, reluctance to sign up to very strong NATO-wide protocols, which is regrettable, but that is symptomatic of the problems you have with an alliance of that size.

Q44 Bob Stewart: Would we really want it – the NATO-wide protocol? Could we trust it?

Major-General Shaw: These are the questions, aren’t they? None the less, the fact remains that NATO, if it is to operate as a unified alliance, needs to trust its systems. It needs to be able to trust all the people who are buying into that system. Setting standards within NATO is proving very difficult. The question was mentioned in open forum about setting standards; setting standards and measures of effect in cyber-space is an extremely difficult task, which, frankly, Government have not answered yet. No Government really have, to my mind; I have never seen a satisfactory set of metrics for what success looks like in any concrete terms.

Air Vice-Marshal Rigby: Just to emphasise a couple of points, Commander JFC *** went to the States specifically to look at the cyber challenge, in the week that Commander JFC took up command. I hope that emphasises *** important it is to Commander JFC to get a grip of this and to move forward with the Americans.

Q45 Chair: Okay. Thanks. So when John Bassett said to ask what the metrics for success are, you would say, "There aren’t any."

Major-General Shaw: Best effort, I am afraid. If you asked me what the risks were, I would say it is the potential for incoherence or uneven response across Government with regard to how much effort people put into their defences. Given that the nature of cyber is that it exploits the weakest link, there is a very real problem with the potential for there being an uneven response across Government. This issue has been given to the CIO of MoD to suggest some standards, and I know he is working on that topic. People are aware of the question and they have given it to John Taylor in the MoD to sort out, but I do not envy him his challenge.

Air Vice-Marshal Rigby: I think we could get some metrics, but they would not be end-benefit metrics, if you know what I mean. They would not say how good we were at cyber or how bad we are at cyber, but one would perhaps look towards how many trained personnel we have got towards a trained standard. We might look towards how many contingency plans we have that have got decent cyber-annexes, and how many options we have on the shelf in order to conduct an offensive cyber-attack. The metrics would not say whether we were good or bad, but they would give milestones towards us progressing the cyber-agenda.

Q46 Chair: So it would be an input agenda rather than an output process agenda.

Air Vice-Marshal Rigby: Yes, I think so. It is always the problem with things such as intelligence, because it is almost Rumsfeldian.

Chair: That is a new word I have not heard before, but I understand what you mean.

Air Vice-Marshal Rigby: You might want to look at the gap between malware being detected and your ability to put a patch in accordingly, even though that goes towards the information assurance thing. There are a lot of input measures that are of value, but output measures are going to be tending towards impossible to get, and we would just waste our time, I suggest, trying to find those.

Q47 Chair: Okay. Do you mind if we ask you all the other questions about a chain of command, the roles of the joint cyber units, and the relationships with the DCOG and the GOSCC in writing? That will save time now.

All witnesses: Yes.[1]

Chair: Now I want to move on to Madeleine Moon’s question.

Q48 Mrs Moon: We have got lots of Government Departments, each responsible for different aspects of their departmental security. Are there rules of engagement that decide which cyber attacks the Ministry of Defence will respond to, or is it only an attack that affects the Ministry of Defence directly in its services? What are the principles on which you make that decision, and who makes it?

Major-General Shaw: The Ministry of Defence’s remit is limited. Effectively, it is to look after its own systems and to prepare capabilities to be used in case of conflict under the law of armed conflict, so our remit is quite limited. In terms of protecting the national infrastructure, that resides with another Department. The CPNI looks after that. Our remit is quite simple, and it is quite clear when MoD would or would not be involved. The exception to that is, as with any national disaster, if the effect of the attack is such that central Government in their normal way decide that they want military assistance: the normal rules of MACA apply and the MoD might become involved. As I say, if the nation feels that it is under attack, cyber is merely the latest golf club in the golf bag of potential responses that UK Ltd might use. So standard procedures apply.

Q49 Mrs Moon: So it would not be altered by, say, the motivation of the attack, the nature of the attack, the target or the impact? If the whole national infrastructure, as you say, was taken out, the Ministry of Defence might be called in purely because of its personnel capacity, rather than because of a particular skills base?

Major-General Shaw: I think it depends on the nature of the attack and the proportionality. There are all sorts of issues. What you are implying is that the MoD would respond in some way and then the issues of proportionality, attribution and intent all come into play. Those are very real and particular problems with executing cyber-responses to an incident.

Q50 Chair: Is a cyber-attack considered to be an article 5 attack under NATO?

Major-General Shaw: I think that is a political judgment about the severity of the attack and how big it was.

Q51 Chair: So it could, potentially?

Major-General Shaw: I see no reason why it couldn’t be.

Air Vice-Marshal Rigby: I do not believe that Estonia quoted article 5 when it was attacked by Russia, so I do not think there is a precedent for that.

Major-General Shaw: But potentially it could. The danger that that question exposes is that we get obsessed with the means by which the effects are delivered. The key thing about cyber is to note that it is a new domain through which to achieve an effect, and it is the effect that matters. Just as you can rob a bank with a pistol or through cyber, the critical thing is that the crime, the robbed bank, is the effect. Could a cyber-attack lead to an article 5? Of course, if the effect of that attack is so severe that it is judged to be an article 5 attack. So it is the effect that matters, not the means through which it is delivered.

Q52 Bob Stewart: To follow up that point, who in our country – it is not just the Ministry of Defence, it is all the other Departments, too – is actually sitting there 24 hours a day on the operations desk and saying, "We’re under attack! This is something the National Security Council needs to know about now"? Where is that desk or that position?

Air Vice-Marshal Rigby: That is physically at Cheltenham – it is CSOC – but it is a pan-Government agency.

Q53 Bob Stewart: But there is some person, not just a panel?

Air Vice-Marshal Rigby: Correct.

Q54 Mr Donaldson: Gentlemen, what can you tell us about the nature and extent of the cyber-security threat to the MoD’s assets, networks and interests?

Major-General Shaw: I’d answer in the same way that I have already indicated. Cyber is merely the latest means that people are using to achieve the same effects. As David Omand said: espionage, subversion, disruption and attack. All the traditional effects that people have tried to achieve against us they will now try to achieve through cyber-space. Those are ongoing.

***

Mr Donaldson: ***

Major-General Shaw: ***

Q55 Mr Donaldson: And those *** would you describe those as direct targeted attacks on MoD systems, rather than generic attacks?

Major-General Shaw: It’s a combination of the two, I would say.

Q56 Mr Donaldson: So even within the *** only some of those would be direct targeted attacks.

Major-General Shaw: That’s my judgment.

Air Vice-Marshal Rigby: I think another way to come at the problem is to recognise the vulnerability, both of the networks and of the systems – the air, land and maritime systems – because they are connected, they do have computers in them and, as soon as you connect to the internet, which you might need for operational reasons to get your operational agility going, you have a vulnerability. We don’t wish to sweep the vulnerability under the carpet. We need to recognise what the vulnerability is and then protect against that vulnerability. Then the threat is an entirely different approach, which is why I think we need to be linked up to the intelligence agencies to be able to guard in the longer term, and in the short term, against those threats.

Q57 Mr Donaldson: Looking back over the past five or 10 years, how do you assess the change that has taken place in terms of the nature of the threat? How do you expect it to evolve over the next five to 10 years?

Major-General Shaw: The first thing to say is that over the past five to 10 years, our dependence on cyber-space for the business we do has become much greater. Cyber-technology, the digital technology, has become ever more ubiquitous. Hence, we are ever more vulnerable.

Plus, technical developments continue apace. They continue on both sides. On the offensive, there is the malicious software, the criminal gangs competing with each other, the individual locked away in his room at 2 am competing with his mate across the road. That sort of stuff is spinning off the people trying to attack. Equally, the defensive technology has spun off as well. That competition will grow and continue for ever.

Over the next five to 10 years, I think exactly the same is going to happen. I can only see us becoming ever more dependent on cyber-space and the competition between the offence and the defence will continue throughout. The critical response to that is not to abandon cyber-space because it is too dangerous, nor fling our hands up in horror because it is too difficult. All organisations and all people need to make a very severe and clear judgment on what is their vital information that they really want to lock away, and what level of risk they are prepared to take with all their information.

It is like household security. You have garden furniture out there that you take the risk that no one is going to nick. You have got stuff inside the house; you then have got your crown jewels that you lock away in your safe. You have equally got something that you probably lock away in the bank in the town. You have different levels of security because you have looked at your physical possessions and decided how you want to secure them.

Cyber is a distracting word. When I start my speeches on this I always say we are not talking about cyber, we are talking about living in a digital age. The digital age is all about information. We all have a duty – in defence as everywhere else – to prioritise our vital information and to give it the requisite security. That means that what you have is a graduated response, because you can’t defend everything. You take risks on certain bits. That’s how you cope with a penetrated system, ***. They live through it; they don’t bother trying to secure it. They just accept that it is penetrated. We all do the same thing in our daily lives. I see this as part of getting used to living in a digital age, getting used to this sense of security, and making very clear commanders’ judgments about what information is vital and how tightly you are going to protect it, and what bits we are just prepared to operate. As John was saying about using the internet, you need to use it but accept that it is vulnerable. That is just the way we will have to learn to go about it.

Q58 Mr Donaldson: Presumably that changes as the nature of the threat changes and we learn lessons.

Major-General Shaw: Absolutely. It is a very fluid environment and we have to remain very agile on this. One of the difficulties about the nature of the earlier question, about what our planning assumptions are, is that that implies a sort of top-down, directive approach to what we need. The reality is that we are playing it on more "recce pull", if I can say. In a sense, we are all too old to play this game. We have to listen to the people at the coal face and the young kids who are doing this. They are going to be telling us the reality, and we will need very agile policy decision-makers to keep up with the reality of the threats facing us. If there is one risk that was mentioned earlier, it was about pace, and it is the fact that the threat is evolving probably faster, I would say, than our ability to make policy to catch up with it.

Q59 Mr Donaldson: With that evolving threat, looking ahead, with state and non-state actors, to what extent do you think they are developing the capacity to weaponise this kind of cyber-space cyber-activity? Is it premature or hyperbolic to talk about cyber-war?

Air Vice-Marshal Rigby: To answer your first question to a degree, standing here, looking back five years, we have seen cyber-attacks on a nation-to-nation basis, on an oligarchy-to-nation basis, and cyber-espionage – serious levels of those sorts of things. Ten years ago, we would not have been debating that sort of thing, so it is real.

We must recognise that cyber is essentially an asymmetric form of warfare. So it is far easier to go on the offensive than defend against all the threats that are out there. Thus, I think people will be developing things – bespoke military-grade, if you like, cyber-threats – but a lot of them do not need to. A lot of that capability is already out there on the internet, and it may well be that the vast volume of the threats coming our way is from people who pick stuff up on the internet, and that is the volume we need to defend against. That does not mean that there isn’t going to be a Stuxnet-type thing with our name on it, but there is a volume-against-complexity thing that we are going to have to face. What is really interesting is the point Mrs Moon made about motivations, and I think what we need to look for over the next zero to 10 years is the motivation of people with these tools, and how they might choose to use them against critical national infrastructure.

Major-General Shaw: You asked the question about weaponising cyber-space. The language implies that there is something evil about this, but I would turn it on its head: given that we are going to have wars – they keep happening – and that our current ways of taking out enemy capability involve kinetic destruction, which involves collateral damage and civilian death, if there is a technical option that would allow us to achieve the same effect on a Government, with no loss of life, you could turn the argument on its head, saying that there is a moral argument about why we should develop these, because they are a more humane way of conducting competition between states. I just offer that thought.

Q60 Mr Donaldson: Okay. Is it just a moral argument at the moment, or are we beyond that?

Major-General Shaw: No, I think there is quite a good practical argument for doing it as well. However, I do not think we should underestimate – we were talking about Stuxnet earlier – the difficulty of creating these weapons or weaponising cyber-space. The intriguing shift that we shall see is that, whereas Stuxnet, as was described in the open forum earlier, was very much tailor-made to the target, it may be possible to create a rack of off-the-shelf options that you can apply, or it may be that all cyber-targets are going to be, almost by definition, bespoke. That is a very interesting technological development, which we are all considering at the moment.

Q61 Mrs Moon: Are we maintaining technologies that otherwise we would have thought of as redundant, in case we need to bring them back, in the event that we need to operate without cyber-capabilities? I am thinking of something like Morse code.

Major-General Shaw: I think the nation has moved beyond reversionary modes, and we need to face that fact.

Q62 Mrs Moon: But are there differences between the forces, in terms of how reliant they are on network infrastructure? Is the RAF, the Army or the Navy more vulnerable?

Air Vice-Marshal Rigby: I’m not sure. It depends on how modern the systems are that each of the services is operating. The Joint Strike Fighter is completely dependent on computer wizardry, but I imagine that the next generation of the Combat Vehicle will be equally dependent.

Practically – this is something that defence has to get its head round as it moves from fighting in Afghanistan towards contingency operations again – we have to go back. In the cold war we made sure that we could cope without our principal systems. We must have fall-back and contingency methods of operating, particularly in command and control. I think the Americans will be particularly stunned by this. Where they have complete situational awareness, they will have to learn and understand again how to operate without it.

Q63 Mrs Moon: Are we still teaching map-reading?

Air Vice-Marshal Rigby: Oh yes.

Major-General Shaw: Oh yes – at one of my schools.

Q64 John Glen: One of you used the analogy of different levels of security within a home. I want to push that a bit further. Clearly, there are relationships between what you have in the bank and what you have in the safe in the home, and what you have in the garden. The same is sort of true in terms of having an operational environment that can exist at a tier 1 level of risk that would be satisfactory, to the extent that if all environments were compromised, you would still have sufficient resources within a very tight core. Is that a sensible way in which to look at the necessary levels of completeness that you need?

Air Vice-Marshal Rigby: ***

Q65 Chair: What can you tell us about the offensive use of cyber? You have mentioned it, so it must exist.

Major-General Shaw: And clearly it does. You can do offensive cyber in many ways. The kinetic bomb is quite a useful cyber weapon in that if it destroys a node, it takes down the communication network. You therefore achieve a cyber-effect, which comes back to what I said earlier about effects. Effects delivered via cyber-space is one of the areas in which we are trying to play catch-up. One of the big difficulties with it is that it depends very much on knowing your enemy. Even when you have worked out what target you want to attack, the lead time for preparing the target set can be quite long. Then it needs policy decisions about whether you wish to do what inevitably becomes more invasive technological intrusions, if you like, into other systems with a view to downstream activity. The pre-planning required for offensive cyber should not be underestimated.

***

Q66 Chair: Is there any deterrent value in cyber-capabilities?

Major-General Shaw: There may well be, but it is early days. The deterrent value of cyber is overstated at the moment, because there are huge problems with attribution. To take the simple example of Estonia, to all intents and purposes, the attack on Estonia came from California. It makes it extremely difficult. Until you attribute it, until you can work out a proportionate response and definite intent, it is a murky area. We should be hesitant to leap straight to nuclear deterrent, to theology, and apply it to the world of cyber.

Q67 Chair: That may not work any more, either. I gather that to all intents and purposes, the cyber-attack on Georgia came from the American state of Georgia, which is amusing.

Air Vice-Marshal Rigby: I think Estonia is a good example. It is, I think, the most connected state in Europe, and yet the attack did not stop Estonia from working. I think we have to recognise that, with that as a sign of what a big cyber-attack can do, perhaps it is not that great a deterrent.

Chair: Okay. We have no more than five minutes left.

Q68 John Glen: In terms of developing cyber-capabilities, how will that differ, from your perspective, from developing conventional military capabilities? Is there a cyber strand within defence lines of development, for example?

Air Vice-Marshal Rigby: ***In terms of information protection, that is a defence line of development and would be run through the usual defence methodologies and prioritised accordingly.

***

Q69 Chair: Is that a joint computer unit?

Air Vice-Marshal Rigby: Joint cyber-unit? No, it is beyond that. It is in the programme board structure that we are working with Cheltenham.

Major-General Shaw: Yes. It has to be a national response rather than an MoD response, because the tools are very similar. It is more about the application.

Air Vice-Marshal Rigby: The joint cyber-unit is far more about the *** as opposed to running the programme for capability development. When we normalise it in four years-all the money is coming on top of this money at the moment-we will have to work out how we conduct business then.

Q70 Chair: David Omand’s question: what are the priorities for cyber-security within the Ministry of Defence and the Government as a whole? Do you think that those priorities are the right ones? Do you think that cyber is high up enough in the priorities of Government?

Major-General Shaw: Having cyber as one of the top four priorities is absolutely the right place for it. We shall see with PR12 whether it has a high enough priority within defence. We still do not know, as the results of that are still embargoed, but it hints at a wider risk that I think exists across Government: the difference in funding for each Department.

Whereas the national cyber-security programme of £650 million was money for new stuff, that was merely the tip of the iceberg. Far greater than that is the bill that every Department faces for looking after its own internal security of its existing systems. That money was for Departments to allocate, and one of the greatest risks I see in the entire national response to the cyber-threat is an unbalanced response, where there is new money for new stuff, but Departments, which are so strapped for cash, will not give sufficient priority to the security of legacy systems and new systems. That is a much bigger part of the iceberg underneath the water.

That challenge exists for the MoD as well. Certainly, last year, in PR11, we bid for new money from defence for the other part of the cyber equation. We got nothing. This year, we made a more modest and more realistic bid-we hope. It is still surviving and it is still there. I do not know if it has finally got over the line; we shall see. I think that illustrates the real challenge we face and the danger that there is an unbalanced response across Government on this one.

Q71 John Glen: Which inherently creates a new risk. If you have vulnerability in one Department that has chosen not to or is not able to achieve internal defence, you could create a bigger concern for the core, combined entity. Presumably, the combined entity must be assessing those risks across different Departments.

Major-General Shaw: Yes, you would hope so.

Chair: I think we will leave it there. Thank you very much indeed. That was very helpful and most interesting. We will, as is usual, give you the transcript of this for redaction before any publication takes place. We are most grateful.


[1] Ev 44

Prepared 12th March 2013