Feeds

UK armed forces could be 'fatally compromised’ by cyber attack

Say MPs, after gang-briefing from cyber-military complex

The Essential Guide to IT Transformation

UK armed forces’ dependence on information and communication technology could leave the nation vulnerable in the event of a cyber attack, according to a study by a committee of MPs.

A report by the Commons' Defence Committee suggests that the UK Government still has some ground to cover in its approach to the nation’s cyber security even two years after placing cybersecurity as a tier one threat against the UK, on a par with global terrorism. The National Cyber Security Programme allocated £650m over five years to boost the UK's cyber-security defences. The MoD received a £90m slice of this pie.

Then in 2012-13 alone, the MoD is reaching into its own coffers to supplement these funds by £30m. But it seems even this is not enough.

The MPs heard concerns that the “trend” of using off-the-shelf commercial products is increasing military vulnerability to cyber-assault. There were also suggestions that people with the necessary skills for cyber warfare might be recruited and brought into the military, perhaps as reservists.

Chair of the Committee, Rt Hon James Arbuthnot MP, said extra ministerial attention ought to be applied to develop improved cyber security.

"The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents,” argued Arbuthnot.

Evidence received by the Committee suggested a sustained cyber assault could impede the ability of the armed forces to "operate effectively" due to their dependence on information and communication technology. The Committee quizzed MoD witnesses about its backup systems in these circumstances.

“We have asked the Government to set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some,” Arbuthnot added.

Details of what types of cyberattack might be possible were left out of the committee's report.

The MPs heard testimony from academics (including John Bassett, associate fellow of Cyber-security at the Royal United Services Institute, Professor Brian Collins, chair of engineering policy at University College London, and others; military personnel including Air Vice-Marshal Jonathan Rigby, Major-General Jonathan Shaw, assistant chief of defence staff and Air Commodore Tim Bishop, head of global operations security control centre; as well as Cabinet ministers Nick Harvey MP, minister for the armed forces, and Rt Hon Francis Maude MP, the Cabinet Office minister.

Written submissions were provided by McAfee, Symantec and Trend Micro as well as BAE Systems, EADS and Raytheon. That group of six from the military industrial anti-malware complex accounted for more than half the written submissions.

Unsurprisingly after this, the MPs came away with the idea that improved MoD and industry collaboration, tied together with increased spending on cyber-security technology, was a good idea.

In a statement, the Committee said it was "impressed by aspects of the co-operation and joint working between the MoD and private sector contractors". The MPs also supported attempts to boost the cyber security sector in the UK, which would help the MoD "deliver military capabilities both to confront high-end threats and to provide a potential offensive capability".

Arbuthnot added:

“The opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces is clear. We want to see the MoD explore this thoroughly. For this reason, we support the use of National Cyber Security Programme funding to develop these capabilities, but also wish to be assured that the MoD will maintain its investment in existing defence intelligence services which provide a vital UK cross-government capability.”

Vendors broadly welcomed the committee's report. Martin Sutherland, Managing Director of BAE Systems Detica commented:

“The UK’s ability to defend itself against cyber attacks does not rest in the hands of any single entity. Ensuring our national and economic security in an increasingly interconnected world requires all organisations – government, public and private sector – to put in place robust cyber security defences as well as appropriate response procedures in the event of a successful attack.

“To improve the effectiveness of these measures we need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they’re seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day," he added.

Sutherland said that the UK is perhaps more prepared for cyber-attack than the defence committee gave it credit for.

“The UK's strategy is still going through a process of implementation; however it is progressing well and has a mature approach in comparison to many other nations. Interestingly, the UK was placed first of the G20 in its ability to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton’s recent Cyber Power Index. However, there is still a long way to go before we can say that we are successfully countering cyber threats."

Rob Cotton, chief executive of global information assurance firm, NCC Group, stressed the need for the UK military to develop comprehensive information security policy.

“£650m has allegedly been invested in this country's cyber defences, yet instead of being drilled into real expertise it's been juggled between departmental budgets. It's particularly worrying that the best advice offered is repeatedly to simply update antivirus protection – far more sophisticated and sustained responses are needed.

"The targets of a sustained cyber threat would almost certainly include private sector businesses - from energy companies to manufacturing firms and public transport operators – as well as the military itself," he added. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.