UK armed forces could be 'fatally compromised’ by cyber attack

UK armed forces’ dependence on information and communication technology could leave the nation vulnerable in the event of a cyber attack, according to a study by a committee of MPs.

A report by the Commons' Defence Committee suggests that the UK Government still has some ground to cover in its approach to the nation’s cyber security even two years after placing cybersecurity as a tier one threat against the UK, on a par with global terrorism. The National Cyber Security Programme allocated £650m over five years to boost the UK's cyber-security defences. The MoD received a £90m slice of this pie.

Then in 2012-13 alone, the MoD is reaching into its own coffers to supplement these funds by £30m. But it seems even this is not enough.

The MPs heard concerns that the “trend” of using off-the-shelf commercial products is increasing military vulnerability to cyber-assault. There were also suggestions that people with the necessary skills for cyber warfare might be recruited and brought into the military, perhaps as reservists.

Chair of the Committee, Rt Hon James Arbuthnot MP, said extra ministerial attention ought to be applied to develop improved cyber security.

"The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents,” argued Arbuthnot.

Evidence received by the Committee suggested a sustained cyber assault could impede the ability of the armed forces to "operate effectively" due to their dependence on information and communication technology. The Committee quizzed MoD witnesses about its backup systems in these circumstances.

“We have asked the Government to set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some,” Arbuthnot added.

Details of what types of cyberattack might be possible were left out of the committee's report.

The MPs heard testimony from academics (including John Bassett, associate fellow of Cyber-security at the Royal United Services Institute, Professor Brian Collins, chair of engineering policy at University College London, and others; military personnel including Air Vice-Marshal Jonathan Rigby, Major-General Jonathan Shaw, assistant chief of defence staff and Air Commodore Tim Bishop, head of global operations security control centre; as well as Cabinet ministers Nick Harvey MP, minister for the armed forces, and Rt Hon Francis Maude MP, the Cabinet Office minister.

Written submissions were provided by McAfee, Symantec and Trend Micro as well as BAE Systems, EADS and Raytheon. That group of six from the military industrial anti-malware complex accounted for more than half the written submissions.

Unsurprisingly after this, the MPs came away with the idea that improved MoD and industry collaboration, tied together with increased spending on cyber-security technology, was a good idea.

In a statement, the Committee said it was "impressed by aspects of the co-operation and joint working between the MoD and private sector contractors". The MPs also supported attempts to boost the cyber security sector in the UK, which would help the MoD "deliver military capabilities both to confront high-end threats and to provide a potential offensive capability".

Arbuthnot added:

“The opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces is clear. We want to see the MoD explore this thoroughly. For this reason, we support the use of National Cyber Security Programme funding to develop these capabilities, but also wish to be assured that the MoD will maintain its investment in existing defence intelligence services which provide a vital UK cross-government capability.”

Vendors broadly welcomed the committee's report. Martin Sutherland, Managing Director of BAE Systems Detica commented:

“The UK’s ability to defend itself against cyber attacks does not rest in the hands of any single entity. Ensuring our national and economic security in an increasingly interconnected world requires all organisations – government, public and private sector – to put in place robust cyber security defences as well as appropriate response procedures in the event of a successful attack.

“To improve the effectiveness of these measures we need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they’re seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day," he added.

Sutherland said that the UK is perhaps more prepared for cyber-attack than the defence committee gave it credit for.

“The UK's strategy is still going through a process of implementation; however it is progressing well and has a mature approach in comparison to many other nations. Interestingly, the UK was placed first of the G20 in its ability to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton’s recent Cyber Power Index. However, there is still a long way to go before we can say that we are successfully countering cyber threats."

Rob Cotton, chief executive of global information assurance firm, NCC Group, stressed the need for the UK military to develop comprehensive information security policy.

“£650m has allegedly been invested in this country's cyber defences, yet instead of being drilled into real expertise it's been juggled between departmental budgets. It's particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more sophisticated and sustained responses are needed.

"The targets of a sustained cyber threat would almost certainly include private sector businesses - from energy companies to manufacturing firms and public transport operators – as well as the military itself," he added. ®