U.K. MoD’s CYBER SECURITY CAPABILITIES QUESTIONED
By Yvonne Headington
The Defence Committee has cast doubt on the MoD’s ability to deal with the consequences of a sustained cyber attack. One of the main conclusions of the Committee’s report on Defence and Cyber-Security, published on 9th January 2013, is that the Armed Forces are now so dependent on information and communications technology that their ability “to operate effectively could be fatally compromised” should such an attack happen. “We have asked the Government to set out details of the contingency plans it has in place should such an attack occur,” said the Rt Hon James Arbuthnot, Chair of the Committee. “If it has none, it should say so – and urgently create some.”
Last July the Intelligence and Security Committee gave a similar warning, albeit in less strident tones. The Committee’s Annual Report 2011-2012 notes that delays in developing cyber capabilities “give our enemies the advantage”, adding that: “We are therefore concerned that much of the work to protect UK interests in cyberspace is still at an early stage”.
Government work on cyber-security is being delivered through a four-year National Cyber Security Programme (NCSP) as set out in the 2010 Strategic Defence and Security Review. The NCSP is managed by the Office of Cyber Security and Information Assurance (OCSIA) within the Cabinet Office under the leadership of Francis Maude, the Minister for the Cabinet Office. £650m is being invested in projects under the NCSP with the aim of transforming the UK’s cyber security skills and capabilities by 2015. More than half of this investment has been allocated to the intelligence and security agencies, mostly to the Government Communications Headquarters (GCHQ).
The MoD’s cyber focus is two-fold: protecting Defence networks which facilitate Operations and developing capabilities which could be used to enhance Operations. The Defence Cyber Security Programme is receiving funds of £90m under the NCSP, but this is largely for new strands of work and does not address network security since, according to the OCSIA, this “ought to be business as usual for the MoD.”
In evidence to the Committee, Major General Jonathan Shaw, then the Assistant Chief of the Defence Staff (Global Issues), highlighted the problem faced by cash-strapped Departments in prioritising between legacy and new systems. General Shaw described the issue as “a much bigger part of the iceberg underneath the water. That challenge exists for the MoD as well.”
The problem of funding legacy network resilience is compounded by an apparent lack of contingency measures should networks become compromised. General Shaw told the Defence Committee that the UK had moved beyond “reversionary modes”, i.e. a reliance on simple back-up systems. In essence, the MoD’s risk-based approach to cyber threats addresses questions of prioritising responses and improving security measures. However, the Committee concluded that “it is not enough for the Armed Forces to do their best to prevent an effective attack.”
The responsibility for defending and operating networks rests with the MoD’s Global Operations and Security Control Centre (GOSCC). GOSCC employs a mixture of military and civilian personnel, including individuals from industry (among them Fujitsu, BT DFTS, Cassidian, EADS, Babcock and Paradigm). A Joint Cyber Unit has also been established within GOSCC, providing a link across all three Services and GCHQ. The Defence Committee is “impressed with the GOSCC as a model of how industry contractors with particular expertise can be integrated with MoD personnel,” and considers that the organisation “should be held up as a Centre of Excellence to promote good practice within the MoD and other Government Departments.”
The Defence Cyber Operations Group (DCOG) provides the hub for developing cyber capabilities, reporting to the Joint