The Government must be more vigorous in its approach to cyber security, according to the Defence Committee of MPs in a report published in Janaury. Cyber threats can evolve with speed and serious consequences for the wider nation’s security beyond government – including the critical national infrastructure (CNI).
Commenting on the report, Major General Jonathan Shaw, the former cyber-security man at the Ministry of Defence and former Colonel Commandant of the Parachute Regiment told the BBC Radio 4 News programme Today that he welcomed it. He said that while the country was ‘extremely vulnerable’, the Government was doing a lot. He called for the Government to launch a ‘cyber hygiene’ campaign, likening it to the 1980s campaign against AIDS, picking up the point in the MPs’ report that a weakness to the Government was in its supply chain. The pace of change meant that you could never be immune from threat. He stressed that cyber security was a matter for private industry and everyone; as the internet was in the private sector and should remain so.
Speaking earlier on Today, the chair of the Committee, the Conservative MP James Arbuthnot, made the point that cyber-attack could come from a foreign power; criminals; or a teenage hacker.
On launching the report, he said: “There is a consensus that cyberspace is a complex and rapidly changing environment. It was therefore important for us to consider the implications for UK defence and security. It is our view that cyber security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents.”
In the report, MPs say Government is working with GCHQ to develop a cyber kite-marking system for Government suppliers generally. As for the risk coming to Government from the supply chain, civil servants told MPs that they balanced the potential risk, against cost, speed and efficiency of delivery, and how urgently a piece of kit was needed. As for the common bugbear in cyber-security – that companies may try not to admit breaches, as it may lead to bad publicity and be bad for business, which however means weaknesses can persist – the civil servants admitted that contractors may have been ‘reticent for commercial reasons to admit to cyber-security incidents’, but civil servants claimed that contractors are increasingly willing to ask for help. MPs added that an admission of the problem did not take Government close to resolving the problem.
Evidence to the committee suggested that in the event of a sustained cyber attack the ability of the armed forces to operate effectively could be fatally compromised as they so depended on information and communication technology. James Arbuthnot said: “We have asked the Government to set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some.”
The committee said that it was impressed by aspects of the co-operation and joint working between the Ministry of Defence (MoD) and private sector contractors. It welcomed the Government’s commitment to foster a vibrant and innovative cyber security sector in the UK including a distinct role for the MoD to deliver military capabilities both to confront high-end threats and to provide a potential offensive capability.
Mr Arbuthnot said: “The opportunity created by cyber tools and techniques to enhance the military capabilities of our armed forces is clear. We want to see the MoD explore this thoroughly. For this reason, we support the use of National Cyber Security Programme funding to develop these capabilities, but also wish to be assured that the MoD will maintain its investment in existing defence intelligence services which provide a vital UK cross-government capability.”
As background, the National Cyber Security Programme (NCSP) was launched in October 2010 and has spent £650m so far. The committee ended by raising the question of who owns the coordinated response to a national cyber-security incident. Put another way; who would you call? The answer given to MPs seemed to be: it depends.
Industry comment
Ross Brewer, managing director and vice president, international markets at IT security product company LogRhythm
“It is unfortunate that most government-led cyber security policies focus on catching and punishing criminals as opposed to preventing computer crime. It’s therefore no surprise that public calls for urgent and more aggressive government action are gathering steam. LogRhythm’s own research
“However, any pre-emptive strike could incite disturbing consequences such as the execution of even more sophisticated attacks on the UK’s critical infrastructure. Rather than attacking ‘enemy’ networks, the scale and nature of today’s cyber threat calls for proactive, continuous monitoring of IT networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all – after all, you can only defend against that which you can see.
“The other serious issue when it comes to cyber attacks on the military is that even once a cyber breach has been remediated and any potential damage minimised, there often remains an enormous amount of uncertainty surrounding the origins of the attack. Without confirmation of the source of attacks, inaccurate finger-pointing can and often occurs – and when this happens between nation states, diplomatic tensions can arise. As such, further forensic analysis of the breach is often required, which traditional point security solutions, such as anti-virus or firewall tools, cannot provide. A holistic IT security strategy focusing on the continuous monitoring of IT networks provides the network visibility and intelligent insight needed for deep forensic analysis. Only with this deep level of network visibility can the UK armed forces ensure cyber attacks are mitigated and accurately attributed to the correct perpetrators.”
Andrew Beckett, Head of Cassidian Cyber Security Consulting Services has worked in cyber security for the PM’s office and the United Nations. He welcomed the report which he said highlighted the need to address the issue of effective, rapid and orchestrated cyber defences.
“However the report stops short of calling for greater pressure to be placed on the international community to create a common response policy to events in cyberspace, which is of paramount importance when cyber attacks do not recognise national boundaries.
“There is no current legislation to facilitate the prosecution of cyber crime. If an attacker sits in the Ukraine and attacks a server in Texas to gain control and mount another attack on a UK organisation then whose jurisdiction does the crime fall under? Who can prosecute it and under which law?
“There is currently no extradition treaty and no agreements in place for the exchange of evidence which means that criminals are able to operate with impunity.
“The UK Government’s greater involvement with the NATO Cyber-Defence Centre of Excellence has been slow and the UK now needs to move quickly to position itself as the leader in this area that it should be, based on our national capabilities”.
Cassidian, the Security and Defence division of EADS, added that it manages more than 90 per cent of the UK MoD fixed and deployed local area networks as part of the Atlas Consortium, including the provision of security services that detect, isolate and neutralise cyber attacks.
And David Harley, a senior research fellow at internet security firm ESET, commented: “It’s not new news that modern military forces are highly reliant on information technology, or that attackers might look for ways in which to subvert that technology. New technologies always inspire new counter-technologies and evasive strategies; ‘Electronic Pearl Harbours’ constantly recur in political commentary.
“No military strategist or tactician in the 21st century is going to assume that technology is unbreakable, and codifying rules of engagement is an important task at national and international level. However, it’s just one part of a very complex problem, and the organisation’s IT security strategy should be based on expert opinion from within the military and security services, not just the opinions of MPs.”
Yogi Chandiramani, senior manager of systems engineering, Europe at FireEye
“The UK government’s investment into the National Cyber Security Programme is a promising sign that the issue is finally being acknowledged by the powers that be, however urgent action must be taken to protect both the British military and the general public from the potentially devastating effects of a cyber attack or even prolonged cyber espionage campaign – as the stakes have never been higher. As traditional security tools are no longer fit for purpose in tackling the threat alone – governments and organisations must start deploying defences that are as sophisticated as the threats they are trying to thwart. Quite simply, there can be no room for complacency when it comes to this issue, and the growing prevalence of high-profile data breach victims and the emergence of highly advanced malware should be taken as an urgent call to action.”
