Strategy - International Relations - History and Culture of War - Military Hardware. Our motto: "Know in order to act"
Our purpose is to promote knowledge and debate of topics related to military art and science. The selection of articles seeks to reflect all opinions, regardless of their ideological attribution, in order to promote critical thinking among readers.

Saturday, 19 January 2013

British cyber-defence policy


BRITISH PARLIAMENT.

 
This report was ordered by the House of Commons to be printed on 18 December 2012.



Introduction

There is a consensus that cyberspace is a complex and rapidly changing environment. In the remainder of this report, we consider the implications for UK defence and security. (Paragraph 23)


MoD networks, assets and capabilities

The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised. Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office's comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so - and urgently create some. (Paragraph 28)

The MoD's most important cyber-security responsibility is to manage and protect the systems and networks on which the UK's Armed Forces depend. The Committee was impressed with the GOSCC as a model of how industry contractors with particular expertise can be integrated with MoD personnel, and reassured by the clarity with which its mission was communicated. It is clearly a world-class facility. Changes to the MoD's procurement function will also have a bearing on the responsibilities of Information Systems and Services as a whole, and we ask that the Secretary of State keep Parliament informed about the impact of such changes on ISS's cyber functions. (Paragraph 34)

The GOSCC constitutes a pool of expertise which can be drawn on to spread good 'cyber hygiene' and awareness of everyday threats throughout the Defence workforce. In its response to this report the MoD should explain how the GOSCC's capability and the experience of its staff can be linked to the responsibility of the DCOG for bringing cyber-security into the forefront of all Government does. We consider that the GOSCC should be held up as a Centre of Excellence to promote good practice within the MoD and other Government Departments. (Paragraph 35)

We appreciate the MoD witnesses' frank assessment of the work still to be done on securing its supply chain and industrial base. Despite this frankness, the witnesses gave the impression that they believed that an admission of the problem took them close to resolving the problem. It does not. It is imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action. This evidence should include, for example, efforts to improve the technical processes involved, identification of adequate resources, and provision of training to address the human aspects of good cyber defence. (Paragraph 42)

We consider that the opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces should be explored thoroughly by the MoD. To this end, we support the use of National Cyber Security Programme funding for the purpose of developing such capabilities. In addition, the opportunity to draw upon capabilities from strategic partners, particularly the USA, should be fully exploited. (Paragraph 53)

Good cyber-security practice needs to permeate the whole of the MoD and the Armed Forces. It would be a cause for concern if different units were to compete for particular roles and resources, if lines of accountability were to be unclear, if they were to operate in silos that would obstruct the best use of skills across the organisation, or if policy were to become fragmented. (Paragraph 56)

The MoD's thinking on the best internal structures for cyber-security appears to us to be still developing, particularly as the Joint Forces Command becomes more established. Getting this right must be a top priority. We recommend that the MoD should report to Parliament regularly about proposed and actual changes to those structures, and improvements in delivery that come about as a result. (Paragraph 57)

At present the stated unifying role of the DCOG is more illusory than real, and among its long list of tasks are some which appear to overlap with those of the GOSCC or Information Services and Systems more generally. We urge the MoD to communicate its cyber-security structures in a more comprehensible fashion, setting out strands of work and lines of accountability unambiguously. Only by doing this can we be assured that there is indeed clarity about roles and responsibilities within the MoD and the Armed Forces. We recommend, in particular, that the respective roles of the Chief Information Officer and the Joint Forces Commander are clarified in relation to cyber-security. (Paragraph 58)

Military activity in cyberspace - conceptual framework

Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour. There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response. Development of capabilities needs to be accompanied by the urgent development of supporting concepts. We are concerned that the then Minister's responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues. We recommend that the MoD makes development of rules of engagement for cyber operations an urgent priority, and that it should ensure that the necessary intelligence, planning and coordination functions are properly resourced. (Paragraph 67)

We recommend that the Government ensure that civil contingency plans identify the military resources that could be drawn upon in the event of a large-scale cyber attack, such as additional staff, planning resources or technical expertise. In its response to this report the Government should set out what work it is doing to identify the reliance of the Armed Forces on the integrity and resilience of the Critical National Infrastructure, the steps it has taken to ensure that the CNI will remain sufficiently robust to meet the needs of the Armed Forces and its contingency plans for the event that any relevant part of the CNI should fail. (Paragraph 69)

Relationships with allies

We welcome the Government's decision to play a more active role in the future work of the NATO Cyber-Defence Centre of Excellence. We ask that the MoD keeps Parliament fully apprised of future decisions regarding participation in this and other international co-operative arrangements. (Paragraph 74)

Resources and skills supporting military activity in cyberspace

The rapidly changing nature of the cyber threat demands that a premium be placed on research and development to enable the MoD to keep pace with, understand and anticipate that threat. We recommend that this should be addressed. The Government should also make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled, and we recommend that the MoD set out clearly in its response to this report how it will do so. (Paragraph 81)

We recommend that the 'Cyber Future Force' work focuses on the development of career structures for MoD and Armed Forces personnel that will allow them not only to develop, but build on, their cyber skills. The MoD may not be able to compete with the private sector on salary terms, but it must be able to give staff opportunities and responsibility as well as rewarding work. (Paragraph 90)

MoD thinking about how reservists will help to deliver cyber-security is evolving, with many issues to be resolved. Although we welcome the initial steps taken by the MoD to develop the Joint Cyber Reserve it is regrettable that information about its establishment was not shared with us during our evidence taking. As a consequence, we were unable to explore with Ministers the details of this important development. (Paragraph 93)

We recommend that the MoD should build on existing strengths in the ways reservists contribute to cyber-defence and operations, and to retain the particular reserve-led command structures that facilitate those contributions. If any new reserve structure is to succeed, it is important that reservists who work in the civilian world should play a part in its design. The close relationships that have been established with contractors at the GOSCC could provide an avenue for recruiting more reservists from those companies, and we recommend that the MoD prioritise, as part of Future Reserves 2020, a strategy for recruiting personnel with specialist skills from the private sector. (Paragraph 94)

We recommend that the MoD must be rigorous in ensuring that all cyber-security activity—legacy and routine work as well as new initiatives—is fully funded. We were encouraged by the then Minister for the Armed Forces' explanation that spending on cyber would be included as a matter of course in future programme budgets. Continued investment in skills and resources is vital. We seek the MoD's assurance that this will not in practice mean cuts in other areas. Quantifying the 'right' amount to spend on cyber-security is a challenge which the MoD must not shirk; military and wider Government intelligence capability depends on it. (Paragraph 99)

It is vital not only that the MoD and the Government have ways of measuring their own progress in cyber-security, but also of communicating that progress to Parliament and the public. We are pleased that the MoD is engaging with the challenge of devising appropriate metrics and measurements for assessing progress. We acknowledge the difficulty of this task, and look forward to seeing how pan-Government, international and cross-sector thinking influences the outcomes of this work. We recommend that the MoD should provide Parliament with a report on cyber incidents and performance against metrics on at least an annual basis. (Paragraph 102)

Cyber-security across Government

It is our view that cyber-security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The relevant minister should have the authority to direct government departments to take action if they are not performing as required. We also consider that the National Security Council should dedicate time, with the relevant minister in attendance, to consider cyber-security matters on a more regular basis. (Paragraph 113)

The National Cyber Security Programme requires robust governance and we note that the Minister for the Cabinet Office chairs the Programme Board. However, the Programme represents only the tip of the iceberg of the necessary cyber-security activity across government. High-profile and authoritative leadership is required for all such activity. (Paragraph 114)

In a previous inquiry we expressed concern that no one government department was identified to take immediate lead responsibility should there be a severe space weather event. The machinery in the event of a cyber attack appears to be under development, with an important role being played by the Cyber Security Operations Centre. However, before a 'lead Government Department' is identified for a particular cyber incident there is a potential gap during which the Cabinet Office has a coordinating role but the location of executive authority is not clear. It is vital that clear procedures are in place, and communicated, about how ownership of incident response is escalated when necessary from individual departments to higher, central authorities. We recommend that the National Security Council review these arrangements to ensure that the UK's response to major cyber-incidents is as streamlined, rapid and effective as it can be, and that a programme of regular exercises, involving ministers as well as officials, is put in place to test the arrangements. The MoD should also conduct exercises for its own internal arrangements and their interface with the rest of government. (Paragraph 120)

Conclusion

We recommend that the MoD and the National Security Council keep under review the delineation of the military role in national cyber-security, not with a view to expanding that role unnecessarily, but to ensure that threats are dealt with in the most appropriate and effective manner, and that the MoD can focus its resources accordingly. (Paragraph 122)

The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation's security. The Government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour. (Paragraph 123)

  1. Introduction

The 2010 National Security Strategy (NSS) identified "hostile attacks upon UK cyberspace by other states and large-scale cyber crime" as one of four Tier One risks, explaining that "Government, the private sector and citizens are under sustained cyber attack today, from both hostile states and criminals."[1]

Recent examples of high profile cyber attacks include:

the leaking of thousands of British email addresses and encrypted passwords, including those of 221 British military officials, 242 NATO staff, and staff of the Joint Intelligence Organisation;[2]

a 'denial of service' attack on HSBC;[3] and

the loss of £800 million in revenue by a British company following cyber attacks by a foreign state.[4]

In November 2011 the Government published the second UK Cyber Security Strategy (the first was in 2009), Protecting and promoting the UK in a digital world.[5] The Strategy has four main objectives:

The UK to tackle cyber crime and to be one of the most secure places in the world to do business in cyberspace;

The UK to be more resilient to cyber attacks and better able to protect our interests in cyberspace;

The UK to have helped shape an open, stable and vibrant cyberspace which the UK public can use safely and that supports open societies;

The UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber-security objectives.[6]

The Cyber Security Strategy emphasises the limits of the Government's powers to act in this arena, and the close collaboration that will be needed with industry and academia.

A National Cyber Security Programme (NCSP) has been launched under the management of the Office of Cyber Security and Information Assurance in the Cabinet Office, and the oversight of the Minister for the Cabinet Office. £650 million has been allocated to the NCSP over the period 2011-2015, of which 14% (£90 million) has been allocated to the Ministry of Defence, and 59% to the Single Intelligence Account. (The Cabinet Office, Home Office, Business Innovation and Skills and Government ICT account for the remainder.)

The Strategy states that around half of the £650 million funding will go towards "enhancing the UK's core capability, based mainly at GCHQ at Cheltenham, to detect and counter cyber attacks. The details of this work are necessarily classified, but it will strengthen and upgrade the sovereign capability the UK needs to confront the high-end threat."[7]

In his evidence, Francis Maude MP, Minister for the Cabinet Office, commented that, in an "incredibly tight financial settlement generally, this was one of the few areas to which additional funds were apportioned, as a recognition that it was a growing threat".[8]

Asked what the £90 million set aside for the Defence Cyber Security Programme would be used for, Nick Harvey MP, then Minister of State for the Armed Forces, told us that the intention was to "mainstream cyber into all of our departmental business". He continued:

It will be up to an SDSR and a National Security Strategy in 2015 to assess how far we have got and how much more of an investment we will need to make in it from there forward.[9]

The inquiry

This report is the second in a series examining what we have termed "developing threats", the first of which examined the risks posed by Electro-Magnetic Pulses.[10] Some of the themes of that inquiry—the need for a joined-up response across Government, and the vulnerabilities inherent in our ever-growing reliance on technology—feature in this report as well. We announced the following terms of reference on 19 January 2012:

The nature and extent of the cyber-security threat to Ministry of Defence and Armed Forces systems, operations and capabilities;

The implications of the 2011 UK Cyber Security Strategy for the Ministry of Defence; including:

the MoD's role in cross-governmental cyber-security policy and practice, including the protection of critical national infrastructure;

the relationship of MoD's actions and planning to the National Security Council, the Cabinet Office and GCHQ.

How the Ministry of Defence and the Armed Forces are managing and planning responses to threats in the cyber domain; including:

skills, capacity and expertise within the MoD and the Armed Forces, including in research and development;

how MoD and National Cyber Security Programme resources are being used to address cyber-security.

The full list of organisations from which we received written evidence is published at the end of the report, along with the list of those who gave oral evidence. We held three oral evidence sessions, including one, which focused on the role of the Cabinet Office, in which we took evidence from the Minister with overall responsibility for cyber-security across Government, Rt Hon Francis Maude MP. We also visited the Global Operations Security Control Centre (GOSCC) at MoD Corsham in Wiltshire, and benefited from a number of briefings by Ministry of Defence staff and Service personnel. We are grateful to all who assisted us in the course of our inquiry, to our Specialist Advisers, particularly Graham Wright, for their advice and insight, and to our staff.[11]

In this report we discuss first the two tasks which the MoD has told us are its principal cyber-security responsibilities: protecting its own networks in order to enable military operations, and developing cyber capabilities which could in future be used to enhance military operations. We then go on to consider some of the challenges which the MoD will need to address in order to fulfil those responsibilities, including the development of concepts and the provision of resources to support its cyber-activity. We offer our assessment of the progress the MoD is making towards tackling these challenges, indicating the areas in which it seems to us more rapid progress is required at this stage, and those to which we are likely to return in a future inquiry.

Finally, we consider the role of the MoD as part of the Government's wider approach to cyber-security. Threats to national security cross organisational boundaries, and in order to assess the effectiveness of one department's contribution, it is necessary to understand how it fits into the whole and how effective that whole is.

Nature of the threat

Professor Paul Cornish and colleagues, Chatham House, describe the nature of the threat:

In cyberspace the boundaries are blurred between the military and the civilian, and between the physical and the virtual; and power can be exerted by states or non-state actors, or by proxy. [...] Cyberspace has made it possible for non-state actors, commercial organisations and even individuals to acquire the means and motivation for warlike activity.[12]

The UK Cyber Security Strategy notes that a number of different groups—criminals, terrorists, politically-motivated 'hacktivists', foreign intelligence services and militaries—are active today against the UK's interests in cyberspace, "but with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred".[13] Threats to security and information in the cyber domain include state-sponsored attacks, ideological and political extremism, serious organised crime, lower-level/individual crime, cyber protest, cyber espionage and cyber terrorism.

The UK Cyber Security Strategy states that:

Some of the most sophisticated threats to the UK in cyberspace come from other states which seek to conduct espionage with the aim of spying on or compromising our government, military, industrial or economic assets, as well as monitoring opponents of their own regimes. 'Patriotic' hackers can act upon states' behalf, to spread disinformation, disrupt critical services or seek advantage during times of increased tension. In times of conflict, vulnerabilities in cyberspace could be exploited by an enemy to reduce our military's technological advantage, or to reach past it to attack our critical infrastructure at home.[14]

The Strategy notes that "some states regard cyberspace as providing a way to commit hostile acts 'deniably'. Alongside our existing defence and security capabilities, the UK must be capable of protecting our national interests in cyberspace."[15]

Techniques used by hostile actors in cyberspace are various: malicious software (malware), networks of 'botnets'[16] and 'logic bombs'[17] can be employed to navigate target systems, retrieve sensitive data or overrule command-and-control systems. GCHQ estimates that 80% or more of currently successful cyber attacks could be defeated by simple best practice, such as updating anti-virus software regularly.[18]

'Advanced Persistent Threat' (APT) is the term used most often to describe subtle threats that are unlikely to be deterred by simple cyber hygiene measures[19]. Traditional 'boundary' defences may not be effective against "more subtle threats like APT and social engineering techniques"[20] such as manipulating people into performing actions which lead to confidential information being divulged.

Acts of aggression or malice in cyberspace differ from those in other domains. Cyberspace is regarded as an asymmetric domain, meaning that even adversaries of limited means can pose a significant threat to military capabilities. Attribution of attacks is difficult, time-consuming and sometimes impossible, as is discerning motives (some security breaches may owe as much to intellectual curiosity as intent to do harm). The then US Deputy Secretary of Defense William J. Lynn further wrote:

In cyberspace, offence has the upper hand. The Internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower priorities. For these structural reasons, the US government's ability to defend its networks always lags behind its adversaries' ability to exploit US networks' weaknesses.[21]

The Intelligence and Security Committee in its Annual Report 2010-11 considered the activities of state actors in cyberspace:

Cyber space means that countries no longer have to invest in global networks and pursue complex operations with high-level agents when it comes to espionage: they can access much of the same information using relatively inexpensive cyber attacks. The Director General of the Security Service told us in February 2011 that "the barriers to entry to cyber espionage are quite low. We have found a number of […] countries taking an interest in this".[22]

In evidence provided to that Committee, GCHQ had elaborated on the source of the threat:

The greatest threat of electronic attack continues to be posed by State actors and, of those, Russia and China are [suspected of carrying out] the majority of attacks. [...]. Their targets are in Government as well as in industry. [...]. There are also a number of other states with credible electronic attack capabilities [...].[23]

We note the finding of the Intelligence and Security Committee that the main purpose of such attacks is espionage and the acquisition of information; however, there is a concern that this capability could be turned towards disruption activities - for example, interrupting supply of utility services.

The UK Cyber Security Strategy's executive summary states that:

The networks on which we now rely for our daily lives transcend organisational and national boundaries. Events in cyberspace can happen at immense speed, outstripping traditional responses. Although we have ways of managing risks in cyberspace, they do not match this complex and dynamic environment. So we need a new and transformative programme to improve our game domestically, as well as continuing to work with other countries on an international response.[24]

Asked whether current cyber threats were containable, the Minister for the Armed Forces said:

I think that it would be bold to say that. It is a very fast-changing threat. We recognise how serious it is and that is why we give it the priority that we give it. [...] It is something to which we take a very cautious approach.[25]

There is a consensus that cyberspace is a complex and rapidly changing environment. In the remainder of this report, we consider the implications for UK defence and security.






























  2. MoD networks, assets and capabilities

The increasing dependence of the Armed Forces on information and communication technology—in weapons systems, in satellite networks and in intelligence-gathering—introduces into operations many more points of vulnerability to cyber attack.[26] Symantec set out some of the ways in which cyber attackers could threaten or compromise military networks and operations:

Depending on the motivation of the attacker, the objectives could range from traditional signalling intelligence, in which case the targeted systems are likely to be communication and information systems, all the way to the creation of a deceptive picture in the command structure, where sensor systems and observation systems such as radars or satellites, or even Command and Control systems, may be targeted. Attacking systems controlling the logistical supply may also be an option in order to limit and strain the regular supply of a running operation. Perhaps the most worrisome scenario of all is a cyber attack that could render dysfunctional main combat units such as airplanes or ships, or that could limit their operational capability or reliability. [...] Moreover the increased utilisation of robotic devices such as drones, battlefield robots and UAVs over the battlefield has numerous advantages, but also creates a new type of information security challenge that is not yet fully understood, studied or realised.[27]

The UK Cyber Security Strategy stated that "there can be no such thing as absolute security". The Government would, therefore, "apply a risk-based approach to prioritising our response."[28] General Shaw, Assistant Chief of Defence Staff, elaborated on what this meant in practice:

All organisations and all people need to make a very severe and clear judgement on what is their vital information that they really want to lock away, and what level of risk they are prepared to take with all their information. [...] what you have is a graduated response, because you can't defend everything. You take risks on certain bits. That's how you cope with a penetrated system. [...] making very clear commanders' judgments about what information is vital and how tightly you are going to protect it, and what bits we are just prepared to operate.[29]

We asked General Shaw about the extent to which the Armed Forces retained the ability to operate in a compromised cyber environment. He stated that the UK had moved beyond "reversionary modes"[30], meaning that we could no longer depend on simple backup systems. However, Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information Integration, stated that: "In the Cold War we made sure that we could cope without our principal systems. We must have fall-back and contingency methods of operating, particularly in command and control."[31] We therefore asked the Minister for the Armed Forces how the MoD was mitigating the risks posed by the reliance on networked technologies. His answer focused on improving security measures rather than reverting to back-up non-networked technologies. He responded:

Belt and braces and backups—sort of defence in depth, I suppose you would say. By working with intelligence and security agencies to assess the threat to our systems. By putting in place, as far as we can, technical measures to protect ourselves, restrict access and protect key data from compromise. By carefully segregating the most sensitive systems, carefully patrolling the links and gateways between different elements of systems and ensuring elements are completely autonomous. It is almost a sense of replicating in the cyber domain some of the approaches we would take to security in the physical space.[32]

Francis Maude MP, Minister for the Cabinet Office, told us that "One of the challenges is that we do not know what threat we will be facing next month, let alone in a year's time"[33].

The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised. Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office's comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so - and urgently create some.

Operating and defending the network

Securing the networks on which UK military operations depend is the foremost cyber-security responsibility of the MoD. This role is not funded by the National Cyber Security Programme, as, in the words of James Quinault, Director, Office of Cyber Security and Information Assurance, Cabinet Office, it "ought to be business as usual for the MoD".[34] In 2010, the MoD put in place three 'network authorities' which have been assigned responsibilities for the governance and security of the networks on which the MoD and the Armed Forces depend. They are as follows:

The Network Capability Authority - led by the Deputy Chief of Defence Staff (Capability), deals with the cyber-proofing and information requirements of future systems;

The Network Technical Authority - develops technical solutions to meet capability requirements and ensures that systems and platforms linking with the Defence network are able to communicate and will not introduce vulnerabilities;

The Network Operating Authority - provides day-to-day operational management of the defence network, monitoring and managing more than 750,000 configurable IT assets.[35]

The latter two are teams within Defence Information Systems and Services (ISS), part of Defence Equipment and Support, which provides the procurement and support functions for integrated information and communication services across the Armed Forces, the Ministry of Defence and to overseas bases, operations and ships. The Director of ISS reports to the Chief of Defence Materiel.

The Network Operating Authority, which delivers and operates the MoD's own networks and defends them from attack, is based within the Global Operations and Security Control Centre (the GOSCC). The rationale for combining the two roles of 'operating' and 'defending' the networks is not only that overlapping skills are needed, but that defenders need to have an in-depth understanding of how the network is used in order to identify abnormal performance which might indicate the presence of threats. They also need to be able to strike a balance between the two roles because "in general, networks that are optimised to support business needs are more vulnerable to cyber attack".[36] The Head of the GOSCC is empowered to take rapid action without direction from above to defend the network when necessary. The Centre is also responsible for ensuring that software applications, updates and patches are applied consistently across MoD networks.

Staff at the GOSCC are a mix of military, MoD civilian and contractor personnel from major industry partners involved in delivering and supporting the MoD network; these include Fujitsu, BT DFTS, Cassidian, EADS, Babcock and Paradigm.[37] These delivery partners have all been encouraged to establish their commercial Network Operating Centre or Security Operating Centre physically within the GOSCC.[38] Of the staff, only military personnel can be sent to operational theatres if the need arises.[39] A Joint Cyber Unit ("joint" meaning across all the three services, but also with links to GCHQ) has been established at the GOSCC; MoD has described the GOSCC's role as "to proactively and reactively defend MoD networks 24/7 against cyber attack to enable agile exploitation of MoD information capabilities across all areas of the Department's operations."[40]

Changes to structures elsewhere in the MoD, particularly the evolving role of Joint Forces Command and nature of Defence Equipment and Support, will have an impact on cyber functions in terms of who sets the requirements for and procures cyber capabilities and equipment, and their relationship to those who operate those capabilities and manage the networks that they use.

The MoD's most important cyber-security responsibility is to manage and protect the systems and networks on which the UK's Armed Forces depend. The Committee was impressed with the GOSCC as a model of how industry contractors with particular expertise can be integrated with MoD personnel, and reassured by the clarity with which its mission was communicated. It is clearly a world-class facility. Changes to the MoD's procurement function will also have a bearing on the responsibilities of Information Systems and Services as a whole, and we ask that the Secretary of State keep Parliament informed about the impact of such changes on ISS's cyber functions.

Promoting good cyber-security practice throughout MoD

Teams within the GOSCC have oversight of cyber-security housekeeping and hygiene issues: spotting missing patches to software and updating anti-virus measures, promoting the use of complex passwords, spreading awareness of how personal information or personal devices might be employed by cyber attackers, and running exercises to check on progress. 'Mainstreaming' of cyber-security throughout the MoD workforce is, however, also a responsibility of the Defence Cyber Operations Group (DCOG) (discussed later in this report). The GOSCC constitutes a pool of expertise which can be drawn on to spread good 'cyber hygiene' and awareness of everyday threats throughout the Defence workforce. In its response to this report the MoD should explain how the GOSCC's capability and the experience of its staff can be linked to the responsibility of the DCOG for bringing cyber-security into the forefront of all Government does. We consider that the GOSCC should be held up as a Centre of Excellence to promote good practice within the MoD and other Government Departments.

Securing the supply chain

Military operations depend not only on the security of networks, but the security of equipment and components and the supply chain which delivers them. The MoD therefore needs to have confidence in the resilience of its industrial base and supply chain to cyber attack. The UK Cyber Security Strategy and the "National Security Through Technology" White Paper published in February 2012 both committed the Government to raising the standard of cyber-security expected from suppliers of sensitive equipment.[41] The Cabinet Office has a supporting role in advising about the cyber-security aspects of acquisition, and the Department for Business, Innovation and Skills is working with GCHQ to develop a cyber kite-marking system for Government suppliers more generally.[42] However, it is the MoD's responsibility to manage relations with its own suppliers.[43]

BAE Systems warned that "the increasing use of Commercial Off-the-Shelf products and dependency on internet protocol (as opposed to proprietary) networks will have brought a wider range of vulnerabilities into MoD systems, some of which will already be known to attackers."[44] Professor Sir David Omand, King's College London, argued that:

there is a conflict for defence between the current fashion for buying things off the shelf at the cheapest price and taking the time and expenditure to write computer code that is genuinely secure. Somewhere, somebody in defence has to strike a balance between those two. [...] If we go about just buying stuff off the shelf, including computer software that has been bundled together from pre-existing blocks of software, then I am afraid we are making ourselves vulnerable.[45]

We asked MoD witnesses what cyber-security measures it requires its suppliers to take. The MoD's Chief Information Officer, John Taylor told us that:

This is an area that we are giving increasing attention to. I am not convinced we have got this quite right yet. As you rightly say, we are very dependent on those suppliers. Having [...] got our own house in reasonable order, we are now starting to work particularly with our key suppliers to help them raise their game in this space. I am clearly not going to talk about any individual supplier but I think we are getting an understanding of what that landscape looks like.[46]

The Minister for the Armed Forces added:

There is a mutual recognition of and understanding of the problem and a determination and will to help each other improve our defences. I think that the ingredients are there to get us to where we need to be, but it is a big task. As we have already commented a couple of times, there is an ever-changing, fast-evolving threat. You have to be very sure of yourself to say that you have cracked the problem.[47]

MoD witnesses described the range of factors that are balanced when decisions are made to procure equipment and network components 'off-the-shelf'. The Minister for the Armed Forces acknowledged there was a potential risk, but this had to be balanced with cost, speed and efficiency of delivery, the urgency with which the piece of kit is needed, "and the extent to which you have any known concerns about the product that the supplier is potentially going to supply to you. If it has any components that you have a concern about, you have quite a complex risk balance to perform."[48] He told us that "there is no reason why you wouldn't" use commercial off-the-shelf products in cyber-defence systems, subject to advice from the National Technical Authority about whether the specific product was appropriate for the job.[49]

The relationship of the MoD with its industrial suppliers also depends on robust and honest information-sharing about attacks and potential vulnerabilities. Contractors may in the past have been reticent for commercial reasons to admit to cyber-security incidents affecting their organisations, but MoD witnesses offered the view that such relationships are becoming more open, and contractors are increasingly willing to approach the MoD for help in the event of an incident.[50]

Under the UK Cyber Security Strategy, a pilot for a joint private-public sector forum for pooling threat information was established, defence being one of five sectors involved. In its first annual progress report on the Cyber Security Strategy, the Government reported that 160 companies had engaged successfully in the pilot. The Government, in conjunction with industry, is now developing a permanent information sharing environment called CISP (Cyber-security Information Sharing Partnership) to be launched in January 2013. Initially, this will be open to companies within Critical National Infrastructure sectors, but membership will be made available more broadly, including to SMEs, in a second phase.[51]

We appreciate the MoD witnesses' frank assessment of the work still to be done on securing its supply chain and industrial base. Despite this frankness, the witnesses gave the impression that they believed that an admission of the problem took them close to resolving the problem. It does not. It is imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action. This evidence should include, for example, efforts to improve the technical processes involved, identification of adequate resources, and provision of training to address the human aspects of good cyber defence.

Developing military cyber capabilities

If the foremost responsibility of the MoD is to enable and protect military operations, its next most important role is to explore how military operations might be enhanced by exploiting cyber tools and techniques. Witnesses told us that 'cyberwar'—in the sense of a conflict entirely fought and decisively won in cyberspace—may be a distant prospect, but it was reasonable to expect the armed forces to explore how they might gain a military advantage by delivering effects through cyberspace.[52] Cyber can in this sense be regarded as a 'fifth domain' of warfare, presenting an opportunity as much as a threat, and the Minister (Nick Harvey) set out an aspiration for the UK's Armed Forces to do everything in cyberspace that they do in every other domain: prevent, deter, coerce or intervene.[53]

The development of military cyber-capabilities also requires substantial investment in research and intelligence. Witnesses emphasised the long lead-in times for cyber-weapons, and that the effectiveness of such weapons depends on intelligence and a willingness to tailor-make weapons particular to each target.[54] Professor Sir David Omand stated:

if you really want to knock out the enemy's air defence system, you are going to have to design something very specifically for that purpose.[55]

Talking about the Stuxnet worm[56] as an example of a cyber-weapon, John Bassett noted that:

this is something that has clearly had a huge amount of intellectual capital poured into it. [...] it could only be used once for one thing, so we are really talking about almost hand-crafted weapons in that sense. This is not something where one can easily imagine a production line of high impact cyber-weapons.[57]

The Strategic Defence and Security Review stated that the Government would "work to develop, test and validate the use of cyber capabilities as a potentially more effective and affordable way of achieving our national security objectives".[58] The National Cyber Security Programme's funding to the MoD is partly to be used for the purpose of developing such capabilities.[59] Joint Forces Command is to take the lead in the "development and integration of defence cyber capabilities", but the main focus for this activity will be the Defence Cyber Operations Group (DCOG), which reports to the Joint Forces Commander.

The DCOG, due to be fully operational by March 2015, is a federation of cyber units working closely together to deliver a defence capability. It will mainstream cyber-security throughout the MoD and ensure the coherent integration of cyber activities across the spectrum of defence operations.

The role of the DCOG was described by MoD as to "ensure coherence across Defence planning for cyber operations and ensuring that commanders have situational awareness of the impact of cyberspace on their operations, and [are] able to use cyber tools and techniques to assist them in conducting successful operations."[60] General Shaw, Assistant Chief of Defence Staff, told us that: "What we have learned over the past year about the nature of operating in cyberspace means that the idea that we can just have cyber defence as one hived-off piece has been overtaken conceptually."[61] He argued that the military needed to reach the stage where "cyber is not seen as something separate". He continued:

Cyber is just another effect, or rather, to put it another way, it is merely the latest medium through which to achieve effect. Therefore, all the normal effects that we try to achieve, and all the normal relationships that we have, suddenly have a cyber dimension to them or cyber ways of achieving them.[62]

The full list of tasks and responsibilities given to the DCOG is long and varied, and includes developing a recognised career structure in cyber, "agile procurement and rapid pull through of research and development", putting in place robust structures for intelligence support with GCHQ, and factoring in cyber resilience to all MoD equipment.

We were told by the MoD after the final evidence session that it is currently working on plans to form a Joint Forces Cyber Group (JFCyG), with the aim of bringing all aspects of cyber affecting operations under one unified command structure. The JFCyG will not replace the DCOG, but brings a number of the elements that previously existed within it together to improve coordination of effort and increase efficiency in operational planning.

A Joint Cyber Unit within DCOG—distinct from that based within the GOSCC—is to work with GCHQ on developing "new tactics, techniques and plans to deliver military effects, including enhanced security, through operations in cyberspace," and will be fully operational by 2015.[63] GCHQ is recognised as the pre-eminent national repository of expertise in the cyber field, and is, according to the Minister for the Armed Forces, "performing the central role that in some of our allied countries would be exercised somewhere within the defence arena".[64] General Shaw told us that:

the British response to the cyber threat [...] is to create a national bucket of capability, from which everyone draws. [...] That one bucket of expertise is GCHQ. We are contributing personnel into it to ensure that in the development of cyber-capability there are military people there, both to add their expertise to that development and to give the military input on what sorts of effects we might be looking for in cyber-space.[65]

Air Commodore Bishop, Head of the GOSCC, explained that information and staff exchanges between the MoD and GCHQ were well developed, and included the sharing of "for want of a better word, our tradecraft: tactics, techniques and procedures, and the way we would address issues when they arise".[66] Air Commodore Bishop also assured us that command and control arrangements were "very clear".[67]

We consider that the opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces should be explored thoroughly by the MoD. To this end, we support the use of National Cyber Security Programme funding for the purpose of developing such capabilities. In addition, the opportunity to draw upon capabilities from strategic partners, particularly the USA, should be fully exploited.

Structures within the MoD

Structures and lines of responsibility within the MoD for cyber-security appear not yet to be set in stone. In mid-2012, MoD conducted a Directorate of Operational Capability review of command and control "governance" and "the detailed relationships between the different components of the cyber world".[68] John Taylor, MoD Chief Information Officer, told us that this came about as a result of transformation processes within the MoD, notably the formation of the Joint Forces Command.[69] General Shaw, Assistant Chief of Defence Staff, described the purpose of the DOC audit as to consider "how we achieve unity". He also commented that the creation of the Joint Forces Command "instituted a new process, which has yet to be finally decided upon".[70]

The MoD has said that the DCOG, which is part of Joint Forces Command, would assist in concentrating all cyber expertise in one structure. There are, however, significant exceptions to this: the GOSCC, the Research and Development function at Porton Down, and "cyber policy" in MoD Main Building all remain outside the ambit of the DCOG. The logic for the organisational split between GOSCC and DCOG is not clear to us: the skills, techniques and tools required for network defence and for the development of capabilities overlap significantly. The relationship between the Chief Information Officer and the Joint Forces Commander has been described by the MoD as "operating together closely in a 'supporting' and 'supported' relationship to achieve a Single Information Enterprise across Defence", a description which does little to help us understand where responsibility ultimately lies.

Good cyber-security practice needs to permeate the whole of the MoD and the Armed Forces. It would be a cause for concern if different units were to compete for particular roles and resources, if lines of accountability were to be unclear, if they were to operate in silos that would obstruct the best use of skills across the organisation, or if policy were to become fragmented.

The MoD's thinking on the best internal structures for cyber-security appears to us to be still developing, particularly as the Joint Forces Command becomes more established. Getting this right must be a top priority. We recommend that the MoD should report to Parliament regularly about proposed and actual changes to those structures, and improvements in delivery that come about as a result.

At present the stated unifying role of the DCOG is more illusory than real, and among its long list of tasks are some which appear to overlap with those of the GOSCC or Information Services and Systems more generally. We urge the MoD to communicate its cyber-security structures in a more comprehensible fashion, setting out strands of work and lines of accountability unambiguously. Only by doing this can we be assured that there is indeed clarity about roles and responsibilities within the MoD and the Armed Forces. We recommend, in particular, that the respective roles of the Chief Information Officer and the Joint Forces Commander are clarified in relation to cyber-security.


















































Military activity in cyberspace - conceptual framework

If cyberspace is to be considered a 'fifth domain' of warfare, any military activity in that domain will require a firm basis in terms of doctrines, rules of engagement and clarity about when an Armed Forces contribution or lead is justified or expected. In 2010, Nick Harvey MP, then Minister of State for the Armed Forces, said that while cyber activity added a new dimension to conflict, "what it seeks to achieve should be subject to the same strategic and tactical thought as a conventional military operation."[71]

Whether the Armed Forces should engage in cyber warfare will depend on whether particular actions in cyberspace are considered to be acts of war. Symantec elaborated on some of the scenarios in which it might be difficult to decide whether or not a cyber-security incident was 'military' in nature:

Is an attack on a defence contractor, for example, enough to justify involvement of the military on the basis of the fact that the compromise is likely to impact sensitive information of military interest? What would be the 'rules of engagement' that would trigger the involvement of the military? Would the involvement of the military be linked to a particular political context, for example escalating tensions with a particular country and the possibility of military confrontation when cyber attacks are attributed to that country? Or, would military involvement be linked to defending a specific target of military interest, such as the control of a weapons system? Would this extend also to systems that are critical to the performance of military operations but do not belong to the core of the military functions, for example parts of the national telecommunication network? Or would the military be involved in the case of a cyber attack that would not target defence assets but would be of such catastrophic proportion and effect for the nation that could constitute the equivalent of an armed attack? An example here could be the use of cyber attack to sabotage a nuclear power plant. These are very difficult questions to answer and policy makers may well need to leave open some of their options, because any of these possibilities, as well as others we cannot imagine, may lead to situations that justify the involvement and use of defence assets and ultimately of the MoD.[72]

As yet there is no internationally-accepted definition of a breach of sovereignty in cyberspace, nor is it clear what types of response would be deemed proportionate to particular types of breaches. Responses to cyber attack would not need to be themselves in the cyber domain—they could be economic, judicial or of a conventional military nature.

Addressing the "policy, doctrinal and legal basis surrounding the use of cyber tools and techniques" is one of the tasks that has been given to the Defence Cyber Operations Group (DCOG). Internationally, the NATO Co-operative Cyber Security Centre of Excellence in Estonia is working towards the production, in 2013, of a legal manual to cover such issues.[73] We asked the Minister for the Armed Forces about the work that had been done on this issue in the MoD. He responded:

For me, the law of armed conflict applies as much to cyberspace as it does to any other domain of operation. The principles of proportionality, discrimination and humanity apply to actions that we might take in this domain, as they do elsewhere. We should focus on the intent and the consequences, rather than the means of delivering the effect. [...] At this stage we have not sought to develop specific rules of engagement for cyber, but as our understanding of cyber-operations, their potential, their capabilities and the associated norms of behaviour develop and evolve, I could envisage us coming back to that and possibly devising specific rules of engagement at some point in the future.[74]

The Minister expressed confidence that no new legal code was needed to regulate military activity in cyberspace, including the potential application of Article 5 of the North Atlantic Treaty[75] to a cyber attack and the protection afforded to legal combatants: "we think that the application of existing law and norms of behaviour will serve us perfectly well".[76] General Shaw, Assistant Chief of Defence Staff, argued that a cyber attack could be construed as an armed attack under Article 5 "if the effect of that attack is so severe that it is judged to be an Article 5 attack. [...] it is the effect that matters, not the means through which it is delivered."[77] John Taylor, MoD CIO, commented that the principal challenge was making judgements on proportionality.[78]

One of the military functions which the Minister foresaw the Armed Forces carrying out through cyber means was to deter attacks on UK national interests.[79] The UK Cyber Security Strategy noted that "with the borderless and anonymous nature of the internet, precise attribution [of attacks] is often difficult and the distinction between adversaries is increasingly blurred".[80] General Shaw told us:

The deterrent value of cyber is overstated at the moment, because there are huge problems with attribution. To take the simple example of Estonia, to all intents and purposes, the attack on Estonia appeared to come from California. It makes it extremely difficult. Until you attribute it, until you can work out a proportionate response and definite intent, it is a murky area. We should be hesitant to leap straight to nuclear deterrent, to theology, and apply it to the world of cyber.[81]

The then Minister for the Armed Forces, however, told us that "in terms of cyber attacks on networks, we can in many cases tell pretty much exactly where they have come from—not in all cases, by any means."[82] He saw no inherent problem in applying the concept of deterrence to cyberspace:

Perhaps as we go forward and there are more cyber attacks, or attributable cyber attacks, and people gain a greater understanding of others' capabilities, that will, perforce, begin to play into the psychology and logic of deterrence.[83]

John Taylor acknowledged, however, that certainty in attributing attacks could take "two or three days", which poses challenges for a posture of "active defence".[84] General Shaw, when asked about planning assumptions for cyber, commented that:

We will need very agile policy decision-makers to keep up with the reality of the threats facing us. [...] the threat is evolving probably faster, I would say, than our ability to make policy to catch up with it.[85]

Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour. There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response. Development of capabilities needs to be accompanied by the urgent development of supporting concepts. We are concerned that the then Minister's responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues. We recommend that the MoD makes development of rules of engagement for cyber operations an urgent priority, and that it should ensure that the necessary intelligence, planning and coordination functions are properly resourced.

The MoD and the Cabinet Office have been very clear that the MoD's cyber-security role is confined to defending its own networks and developing cyber capabilities: it does not have any sort of general responsibility for protecting national infrastructure, nor is it expected to take the lead in coordinating a UK response to a major cyber-security incident.[86] The former task is instead the preserve of the Centre for the Protection of National Infrastructure (CPNI), which is a government authority accountable to the Director General of the Security Service.[87] CPNI advises organisations in the national infrastructure—including those in the private sector—on reducing their vulnerability to a range of threats including cyber attack.[88] Some of the evidence we received, however, questioned whether the military role could be so tightly circumscribed. In its written submission, McAfee argued that a military interest in the cyber-defence of Critical National Infrastructure could be justified by the reliance of some MoD functions on that infrastructure, and by the potential of cyber attacks to "threaten real loss of property and life" by targeting those systems.[89]

MoD witnesses conceded that a cyber equivalent of 'military aid to the civil authorities' could be envisaged if the Government felt that military expertise was needed.[90] We recommend that the Government ensure that civil contingency plans identify the military resources that could be drawn upon in the event of a large-scale cyber attack, such as additional staff, planning resources or technical expertise. In its response to this report the Government should set out what work it is doing to identify the reliance of the Armed Forces on the integrity and resilience of the Critical National Infrastructure, the steps it has taken to ensure that the CNI will remain sufficiently robust to meet the needs of the Armed Forces and its contingency plans for the event that any relevant part of the CNI should fail.

























Relationships with allies

In addition to its other tasks, the Defence Cyber Operations Group (DCOG) takes the lead in establishing links with "key allies" on cyber.[91] In March 2009, in the course of an inquiry into Russia's relationship with NATO, the Committee visited the NATO Co-operative Cyber-Defence Centre of Excellence in Tallinn, Estonia. In our report, we noted that the Centre did not receive core NATO funding, being funded instead by the contributions of sponsoring nations, and we asked the MoD to explain why the UK was not a sponsor.[92] In its response, the Government stated that it believed the best way of making use of its resources was to contribute to the work of the Centre by assisting with specific workstreams, rather than by attaching personnel permanently.[93] During oral evidence for this inquiry, we asked Francis Maude MP, Minister for the Cabinet Office, who had recently visited Estonia, and James Quinault, Director, Office of Cyber Security and Information Assurance, Cabinet Office, why the UK was still not a sponsor of the Centre. They replied that the Centre was developing "know-how and research" rather than being engaged in operations, which means that it is "not the place from which cyber-defence of NATO would be commanded".[94]

However, since the final oral evidence session, the MoD told us that, as the role of the Centre expands under the auspices of the NATO Cyber Defence Action Plan (CDAP), the MoD has decided, from 2013, to send a national representative and to pay the annual 20,000 subscription using funds from the Defence Cyber Security Programme (DCSP). It is proposed that the UK would initially make a two year commitment, with the intent to review ongoing participation. Long term, the MoD will have to make a decision on the continuation of funding once the DCSP ends.

Provision of a national representative will give the UK a seat on the Steering Committee with the opportunity to influence future work. This action will confirm UK commitment both to the Centre and to broader NATO Cyber Defence activity and, we understand, will be welcomed by close international partners, particularly the United States.

The UK also participates in the NATO Incident Response and Command Centre (a 'GOSCC' for Alliance operations) in Belgium, and pursues cyber work in collaboration with a number of allies, notably the United States and Australia, with whom a tri-lateral memorandum of understanding has been agreed.[95] Cyber is also a strand of the UK-France defence co-operation agreements. General Shaw told us that the UK found that "bilateral relationships are where you can make progress. [...] In terms of creating unified NATO policy, I think that is a very slow boat indeed. That policy is coming along, like all NATO policy, at the speed of the slowest runner".[96]

We welcome the Government's decision to play a more active role in the future work of the NATO Cyber-Defence Centre of Excellence. We ask that the MoD keeps Parliament fully apprised of future decisions regarding participation in this and other international co-operative arrangements.











Resources and skills supporting military activity in cyberspace

Research and development

A constant theme in the literature and comment about cyber-security is the rapid pace at which threats develop and evolve.[97] Professor Paul Cornish and colleagues, Chatham House, have written that:

The pace of change can be so abrupt as to render the action/reaction cycle of traditional strategy out of date before it has begun. [...] It is as if a government operational analyst has been sent to observe the effects in battle of the flintlock musket, only to discover upon arrival that the Maxim gun has been invented.[98]

Not only does the technology develop rapidly, but, as John Bassett of RUSI said, "people are actually capable of using these things in unexpected and unforeseen ways very much sooner than the technology changes".[99] As noted earlier in this report, Francis Maude MP, Minister for the Cabinet Office, told us that "One of the challenges is that we do not know what threat we will be facing next month, let alone in a year's time".[100]

Professor Brian Collins, a former Chief Scientific Adviser in the Department for Business, Innovation and Skills and the Department for Transport, argued that the necessary tools are not yet in place across Government to understand and plan in this way:

If I had suggested three years ago that people would be organising riots in the streets using Facebook, no one would have even understood what the words meant. Last summer, that is what we saw. Now, if you say to law enforcement or, indeed, maybe to parts of our military operations, 'Do you expect to see those sorts of applications being used to organise a significant threat to us?', I do not believe that we have the mechanisms in place a priori, as opposed to by way of response, to anticipate where some of those things may be hitting us.[101]

He went on to say that across government "there is maybe too much emphasis on the short-term tactical as opposed to the long-term strategic".[102] He continued:

Tactically, I don't think we are in bad shape at all. However, to be in a situation in which you can anticipate where some of these things might be coming from is a combination of intelligence-gathering [...] together with some idea of where individuals or groups might be taking their thinking, when we would regard that as undesirable for us. That horizon-scanning function is a piece that I see missing.[103]

Francis Maude MP, Minister for the Cabinet Office, told us that he was confident that the Government had the capacity to keep up with the latest threats, pointing out, however, that the Cabinet Office proposals for civil service reform explicitly referred to the need to strengthen horizon-scanning across Government.[104] James Quinault said that "intelligence and anticipation of the threat" was a thread in many of the funding allocations that had been made from the National Cyber Security Programme, and had been a particular feature of the investment in GCHQ. Research strands in other departmental programmes relate to cyber-crime and e-business, where the objectives of attacks may differ, but much of the same technology is employed.

Similarly, Air Commodore Bishop, Head of the GOSCC, highlighted the value of the MoD sharing threat information and security techniques with industry, because the means of attack against both these targets were often the same.[105]

MoD evidence states that £80 million a year is being provided for research in the related areas of cyber and influence, through the Cyber and Influence Science and Technology Centre at Porton Down, by working with research councils, and by investing in pan-Government programmes that place work in universities and designate a number of universities as centres of excellence.[106] The MoD is also funding a programme of studies at Seaford House, London (part of the Defence Academy), to consider the future character of conflict, and the implications of the developing cyber-threat for the security environment.[107] When we invited the then Minister for the Armed Forces to comment on whether the proportion of the Ministry of Defence budget being spent on research and development was, at 1.2%, currently too low, he agreed.[108]

We have considered the issue of the percentage of the defence budget which is spent on research and development in the course of our inquiry into Defence Acquisition: there is general agreement that it is currently too low. This applies to cyber-security as much as to any other field. The rapidly changing nature of the cyber threat demands that a premium be placed on research and development to enable the MoD to keep pace with, understand and anticipate that threat. We recommend that this should be addressed. The Government should also make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled, and we recommend that the MoD set out clearly in its response to this report how it will do so.

People - skills and capability

The UK Cyber Security Strategy noted that people with a deep understanding of cyberspace and how it is developing are currently "a scarce resource" across both Government and the business world, and set as one of its main aims the development of knowledge, skills and capability sufficient to underpin all the UK's cyber-security objectives.[109] 'Cyber Future Force' is one of four strands of work in the Defence Cyber Security Programme, and will design the cyber component of Future Force 2020. The MoD's intention is to "embed" cyber skills throughout Defence by 2015, and all MoD personnel will receive some degree of education in cyber awareness. Those in operational command roles will be trained to integrate the cyber domain with operations. Specialist training will be provided to those in dedicated cyber roles, and their skills will be recorded against a cyber competency framework on HR systems.[110] The MoD stated that it would "grow a cadre of dedicated cyber experts".[111]

We note a degree of concern expressed in evidence to our inquiry that the MoD does not have sufficient skills at its disposal in this area.[112] IT industry body Intellect stated that:

The perception of industry is that the MoD does not appear to have sufficient skills available for modern cyber-based warfare. […] there may be scope for an enhanced military-industry partnership to address this capability gap. […] Intellect members commented that within MoD there are individuals with an extremely high level of cyber knowledge, however recent movements in personnel across Government have affected the MoD's cyber capacity.[113]

Intellect concluded that greater investment in education, both within academia and government, was necessary to ensure sufficient future capability.[114] Dave Clemente, a researcher at Chatham House, wrote:

Some sensitive tasks cannot be contracted to foreign nationals, and it will be necessary to develop UK talent […]. Talent retention is a regular concern and one that is becoming more urgent. Cyber-security experts can earn far more in the private sector than in government, and more thought needs to be given to retaining and incentivising talent.[115]

John Bassett, RUSI, when asked what the MoD's priorities in cyber-security should be, responded:

It is about ensuring that we have enough good people in the Ministry of Defence, other parts of Government, academia and industry, and I think that we do not have anything like enough at the moment. I think that growing and skilling the people is, for me, the single most important thing for us to do.[116]

We observed during our visit to the GOSCC that the application of the usual length of Armed Forces rotation to a post in cyber-security results not only in churn, but in potential dissatisfaction for personnel who develop a cyber specialism but subsequently are given little opportunity to build on or pursue this. To counteract this, the GOSCC is not only actively searching for personnel throughout the Forces who may have the necessary skills or aptitude, it is trying to ensure that staff who develop those skills are tracked throughout their careers so that they can be re-deployed in this area if necessary. Air Commodore Bishop described the range of backgrounds that could be put to use in the Centre: "We are looking at people with intelligence backgrounds, we are looking at people with technical backgrounds and we are looking at people with police backgrounds, because there was always a forensic and potential police issue around some of the stuff that we do."[117] John Taylor explained that the MoD was "agnostic" about the paths individuals took into the cyber parts of the organisation, provided they had the skills and training needed to fulfil their role.[118]

Following our final oral evidence session, the MoD told us that it had recently implemented a new Cyber Skills Strategy, setting out the vision and strategic policy for generating and sustaining cyber skills across the Department.

Existing single Service training had been surveyed and tailored interventions delivered to enable a strong base level of cyber-security awareness to be adopted across the Service Commands and the MoD Civil Service. Initial training had been augmented so that the MoD may more easily generate suitable personnel for later employment as cyber specialists. Other training packages had also been reviewed and augmented.

Finally, we were told that the MoD had designed a new cyber competence framework, which was comparable with civilian industry frameworks. Through integration with the Joint Personnel Administration system (Military HR system), it will now be possible to identify, track and better manage suitably qualified and experienced cyber-security personnel.

High demand for these same skills in the private sector may give rise to problems with recruitment and retention. In the short term, the MoD is able to rely on the unique nature of the work it offers to attract and keep skilled personnel and the investment it is willing to make in training.[119] Similarly, Francis Maude MP argued that "By and large, brilliant people do not go and work at GCHQ for the money; they do it because it is fascinating and it is very big-picture, serious stuff."[120] However, it was acknowledged that an upturn in the economy could result in more severe challenges.[121] Air Commodore Bishop stated that, although competition for posts at the GOSCC was currently very stiff:

It would be naive if we thought that, having got some of the best training in the world and then somebody offers a big fat pay cheque, people would not decide to go. We do lose some, but we don't lose very many. A lot of them stay because they do enjoy what they do, and they do have the authority to do the job they have been put in there to do.[122]

We recommend that the 'Cyber Future Force' work focuses on the development of career structures for MoD and Armed Forces personnel that will allow them not only to develop, but build on, their cyber skills. The MoD may not be able to compete with the private sector on salary terms, but it must be able to give staff opportunities and responsibility as well as rewarding work.

Reservists

One important means of securing expertise is through the recruitment of reservists. The Minister for the Armed Forces assured us that he was very interested in developing the potential for reservists to contribute in this area, as a way of complementing the skills that could be developed 'in-house'.[123] BAE Systems suggested that it would be possible for the private sector to deliver a "surge capacity" through a "cyber reserve".[124] We encountered at the GOSCC some enthusiasm for involving more reservists, with the caveat that they had to be available for substantial enough blocks of time to develop sufficient understanding of the normal functioning of the network. General Shaw alluded to a potential culture clash between the Armed Forces and the sort of individuals who might have the expertise the MoD most needs; he envisaged a national reserve:

that really will attract people with ponytails and earrings and will not force them to go through the same military strictures that we conventionally think of, so that we pull in the people with the requisite talent to get involved in the national effort.[125]

Following our final oral evidence session, the MoD told us that it intends to develop a Joint Cyber Reserve whose function will be to provide support to the Joint Cyber Units at the GOSCC and GCHQ and Regular Information Assurance units across all three Services. It is envisaged that the Reserve will be established by the end of March 2013 with full operating capability to be achieved by April 2015.

MoD thinking about how reservists will help to deliver cyber-security is evolving, with many issues to be resolved. Although we welcome the initial steps taken by the MoD to develop the Joint Cyber Reserve it is regrettable that information about its establishment was not shared with us during our evidence taking. As a consequence, we were unable to explore with Ministers the details of this important development.

We recommend that the MoD should build on existing strengths in the ways reservists contribute to cyber-defence and operations, and to retain the particular reserve-led command structures that facilitate those contributions. If any new reserve structure is to succeed, it is important that reservists who work in the civilian world should play a part in its design. The close relationships that have been established with contractors at the GOSCC could provide an avenue for recruiting more reservists from those companies, and we recommend that the MoD prioritise, as part of Future Reserves 2020, a strategy for recruiting personnel with specialist skills from the private sector.

Finance

The funding provided by the national programme to the Defence Cyber Security Programme—£90m over the period to 2015—is being supplemented by the MoD itself to the tune of £30m in 2012-13. This funding is only for specific new strands of work and to improve broader "transformation".[126] General Shaw described the programme work as "merely the tip of the iceberg. Far greater than that is the bill that every department faces for looking after its own internal security of its existing systems."[127] Speaking before the announcement of Planning Round 2012 (PR12) spending plans, General Shaw commented:

one of the greatest risks I see in the entire national response to the cyber-threat is an unbalanced response, where there is new money for new stuff, but departments, which are so strapped for cash, will not give sufficient priority to the security of legacy systems and new systems. That is a much bigger part of the iceberg underneath the water. That challenge exists for the MoD as well. Certainly, last year, in PR11, we bid for new money from defence for [that] other part of the cyber equation. We got nothing. This year, we made a more modest and more realistic bid—we hope.[128]

We were subsequently assured by the then Minister for the Armed Forces that, as part of the mainstreaming of cyber throughout Defence, it would henceforth be "ingrained" in all budgets:

every time we are assembling budgets for any significant programme, this will be part and parcel of it [...] I am envisaging a time when this is so absolutely automatic to everything we do that all the programme budgets we devise to do anything will include ensuring that we have the necessary defences in place to guarantee and assure what we are doing.[129]

We were told that PR12 included a clearly identified stream of funds set aside to address resilience and security.[130] Francis Maude MP, Minister for the Cabinet Office, argued that although it would always be possible to dedicate even more funds to cyber-security, deciding how much was the right amount to spend was not "a perfectly judged and precise science". Given the number of competing claims for the money, Mr Maude argued that it was necessary to pitch spending at a point beyond which additional expenditure would not confer proportionate additional protection.[131]

We also noted the findings of the Intelligence and Security Committee in its Annual Report 2011-2012 regarding Defence Intelligence:

Defence Intelligence (DI) is part of the Ministry of Defence (MoD) and is mostly funded from within the MoD budget. DI provides strategic intelligence to inform MoD policy and procurement decisions and tactical and operational intelligence to support military operations overseas. However, large parts of its strategic analysis work also support wider government - and particularly the Joint Intelligence Committee - and so it has a national role to play alongside the three main intelligence and security Agencies. Indeed, DI has the largest pool of all-source analysts in government.[132]

We recommend that the MoD must be rigorous in ensuring that all cyber-security activity—legacy and routine work as well as new initiatives—is fully funded. We were encouraged by the then Minister for the Armed Forces' explanation that spending on cyber would be included as a matter of course in future programme budgets. Continued investment in skills and resources is vital. We seek the MoD's assurance that this will not in practice mean cuts in other areas. Quantifying the 'right' amount to spend on cyber-security is a challenge which the MoD must not shirk; military and wider Government intelligence capability depends on it.

Measuring progress

We were keen to establish what measures might reasonably be used, in the MoD, in Government more generally, and by us to assess progress and effectiveness in cyber-security. Such measures are crucial to deciding whether money has been spent intelligently and efficiently. However, our witnesses agreed that developing metrics in this area was extremely difficult, particularly if what was sought were concrete outcome measures rather than inputs.[133] Air Vice-Marshal Rigby, Director, Cyber, Intelligence and Information Integration, even suggested that it could be a waste of time to try to identify any, although he believed that a range of input measures could be of value: personnel trained to a particular standard, or the inclusion of cyber in contingency plans, for example.[134] Although information is held on how many attacks have been thwarted, there is always the possibility—even likelihood—of some attacks going undetected, and the extent and nature of the damage averted by thwarting attacks is difficult to judge.[135] Comparisons with business or other institutions are made difficult by the relative attractiveness of Defence and the Government as a target and the sensitivity of the information that needs to be protected.[136] James Quinault, Director, Office of Cyber Security and Information Assurance, Cabinet Office, explained that it was relatively straightforward to tell whether the funding provided by the National Cyber Security Programme was being spent on the desired activity:

but what is less clear, as the Minister [Francis Maude] said, is whether overall that is making the dent in the outcome that we want to see, with the overall problem. The problem there is that we do not have a baseline, we do not know how big the problem is that we are trying to shrink. We are working on that, but if we had waited to solve it before we cracked on, we would be further behind the curve than we are.[137]

The development of metrics is being worked on across Government, led by the MoD's CIO, John Taylor.[138] Mr Taylor told us:

we are doing some work on metrics to give us positive evidence that we are as safe as we need to be. That involves looking at metrics in the business infrastructure space, making sure that we understand what assets we have and that we have processes that review information risk on a regular basis. We then need to look in the technology space, making sure that our information is backed up, that we have up-to-date antivirus software—all the hygiene things that you need to do. Then there is the people space—for example, is our security vetting process working properly?[139]

It is vital not only that the MoD and the Government have ways of measuring their own progress in cyber-security, but also of communicating that progress to Parliament and the public. We are pleased that the MoD is engaging with the challenge of devising appropriate metrics and measurements for assessing progress. We acknowledge the difficulty of this task, and look forward to seeing how pan-Government, international and cross-sector thinking influences the outcomes of this work. We recommend that the MoD should provide Parliament with a report on cyber incidents and performance against metrics on at least an annual basis.















































[139] Q 70

Cyber-security across Government

The National Cyber Security Programme (NCSP) was launched in October 2010 (for more details see paragraphs 4 to 7 of this report).

In its first annual progress report on the National Cyber Security Strategy, the Cabinet Office reported on how the £650 million allocated to the NCSP had been spent so far.[140]

Figure: How the National Cyber Security Programme money has been spent

Source: Cabinet Office, Progress against the Objectives of the National Cyber Security Strategy - December 2012

Outturn and forecast spending in the first two years of the NCSP was as follows:

National sovereign capability to detect and defeat high end threats (Security & Intelligence Agencies, £157M)[141]

Mainstreaming Cyber throughout Defence (MoD, £31M)

Law enforcement and combating Cyber Crime (Home Office, £28M)

Engagement with the private sector (BIS, £17M)

Improving the resilience of the Public Sector Network (Cabinet Office, £12M)

Programme coordination, trend analysis and incident management / response (Cabinet Office, £9M)

Education, skills and awareness (Cabinet Office, £4M)

International engagement and capacity building (FCO, £2M)

TOTAL = £260M[142]

The fact that many Departments have an interest in aspects of cyber-security means it is important to establish who bears responsibility for what elements of the agenda (beyond all agencies having a responsibility to protect their own data and systems). This is necessary in order to limit duplication, minimise the chance of gaps developing, and ensure that each Department is clear about its mission.

The Intelligence and Security Committee in its 2010-11 Annual Report identified 18 departments, units or agencies with particular responsibilities for aspects of cyber-security, spread across the intelligence and security Agencies, law enforcement, and other government departments including the Home and Foreign Offices, MoD and BIS. That Committee expressed concerns about "structural issues", noting that between them these 18 bodies:

cover policy, management, intelligence operations, protective advice, detection and analysis, with some focused on crime, some on hostile activity from overseas, some on counter-terrorism and others covering all three. This risks duplication and confusion and cannot be cost-effective.[143]

When we put these concerns to Francis Maude, he responded, "It may not be particularly tidy, but we are getting quite a lot done in rather an effective way. [...] I would be concerned if there were only a few departments that had any interest in this, and if they rigidly stuck to concerning themselves only with what lay within their narrowly-drawn boundaries. This is very far-reaching, and it is changing all the time."[144]

Located in the Cabinet Office, the Office for Cyber Security and Information Assurance coordinates cyber-security activity across Government and administers the National Cyber Security Programme under the oversight of the Minister for the Cabinet Office. The Minister chairs the Programme Board, and the Government's Chief Information Officer reports to him, as does the Ministry of Defence CIO, John Taylor, on the specific project of the public sector network. Francis Maude MP explained to us that he did not have the authority to instruct officials in other Departments, but that the Programme Board held Departments to account for their delivery and spending under the NCSP.[145] The Cabinet Office has executive authority for certain aspects of this work, for example the identity assurance programme, but in other respects, Francis Maude told us, "responsibility, very properly, is spread across the Government".[146] James Quinault outlined why the Cabinet Office's role was to coordinate rather than direct:

we see this absolutely as not just a Government and military issue. It touches everything in life, not just everything in Government, which is precisely why the approach to it has to be one of coordinating activity, rather than directing it all from the centre. If you want to reach business, the business Department needs to be mainstreaming this into its other communications with business. [...] It has to lead on that. That cannot be done from the Cabinet Office.[147]

It is the National Security Council (NSC) which identified cyber-security as one of the four most important risks to the UK's national security. The head of the Office for Cyber Security and Information Assurance reports to the deputy National Security Adviser. However, we were told that it was discussed by the NSC as a discrete subject perhaps only two or three times a year and that a session dedicated to the topic in the autumn of 2012 would be the first such meeting.[148] An 'ad hoc' cross-Whitehall ministerial group, chaired by the Foreign Secretary and including Ministers with a cyber-security responsibility in their portfolio, meets roughly every six weeks, and is complemented by a similar officer group.[149]

Professor Brian Collins, Chair of Engineering Policy, UCL, commented on a potential weakness of the UK Cyber Security Strategy:

History shows us that continuity of stewardship of strategies of this nature is quite difficult to achieve through our democratic process. [...] Unless we maintain that stewardship over a period that is much longer than the five-year electoral cycle, we will fail to deliver the desired outcomes.[150]

There is no Minister dedicated to cyber-security; it is one of the responsibilities of the Minister for the Cabinet Office. In the past, ownership of the issue has been vested in ministers of more junior rank, but who had fewer diverse responsibilities to attend to. Francis Maude put it to us that it was important for cyber-security to be represented by a senior figure with authority to operate across many Departments.[151] However, he estimated that some 25-30% of his time was spent on cyber-security, and he described the breadth of his portfolio as that of "Minister for everything else".[152]

It is our view that cyber-security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The relevant minister should have the authority to direct government departments to take action if they are not performing as required. We also consider that the National Security Council should dedicate time, with the relevant minister in attendance, to consider cyber-security matters on a more regular basis.

The National Cyber Security Programme requires robust governance and we note that the Minister for the Cabinet Office chairs the Programme Board. However, the Programme represents only the tip of the iceberg of the necessary cyber-security activity across government. High-profile and authoritative leadership is required for all such activity.

Responsibility in the event of a major cyber-security incident

EADS stated in its memorandum to this inquiry that "at present it is not clear who owns the coordinated response to a national cyber-security incident"[153]. The Institute for Security and Resilience Studies argued that:

There are outstanding practical questions about the coherence of activities in the wake of the 2011 UK Cyber Security Strategy. For example, at the cyber summit hosted by the Foreign Secretary in November last year the French had a clear answer to the question "who would you call in the event of a cyber incident?" It is their Prime Minister. This answer resolves the geographic and thematic contradictions cyber crises can otherwise precipitate. During the conference the answer for the UK was unclear. Subsequently it was said to be the Minister for the Cabinet Office, Francis Maude. Whilst he attends Cabinet, is at the centre of UK Government and can act with the authority of the Prime Minister, it is not clear his post commands the capabilities necessary to be the Lead Government Department.[154]

The Institute also said that it would be difficult to imagine international crises not being handled by the Foreign Secretary, internal crises by the Home Secretary, or incidents in the financial sector pointing to the Chancellor, but that what it calls "the Lead Government Department question" "could create unnecessary duplication of capabilities among government departments".[155]

The then Minister for the Armed Forces, Nick Harvey MP, said:

I think that an analogy might be drawn with the COBR principle. When there is some sort of an incident anywhere within Government, the Cabinet Office has this COBR capability that kicks in. In and of itself, it does not have a great organisational empire at its disposal, but it has a coordinating role among other Government Departments, which have the mechanical functions. In a sense, I think, in the cyber sphere, the small unit in the Cabinet Office operates somewhat similarly. The principal levers at their disposal actually reside in GCHQ. That is where the serious firepower would come from to deal with things in a practical sense.

In the event of some sort of cyber attack against the Government, the coordinating role for a response will be exercised by the Cabinet Office. [...] Depending on the precise nature of the attack and which parts of the Government networks were subject to the attack, a lead Government Department would be appointed. Other Government Departments would render any assistance that they could. [...] Depending on the scale and severity of the attack, it might well be that COBR would meet and bring together Ministers and/or officials from the relevant Departments to coordinate the Government's response.[156]

Asked who would take the lead, and on whose authority, in the event of a major cyber attack on the UK, Francis Maude replied:

It depends on the scale and the nature of it. If it is deemed essential—if it is of a scale that it cannot be dealt with just by the Cyber Security Operations Centre at Cheltenham—then it would come up to the Cabinet Office. If it was of sufficient scale, it could lead to COBR being convened at different levels, depending on the scale, with different Departments, potentially, in the lead, depending on what it was. If it was an attack on the energy infrastructure, for example, unless it was at a level where the Prime Minister would want to chair it, you would ordinarily expect the Energy Secretary to chair COBR. Similarly, if it was an attack on transport infrastructure, the Transport Secretary would, and so on. [...] If something looked like it could be a sovereign attack, that would clearly be for the Prime Minister.

James Quinault described the role of the Cyber Security Operations Centre (CSOC) as: "monitoring and triaging incidents and making sure there is a single version of the truth for Government to act on".[157] CSOC is hosted by and reports to GCHQ rather than the Cabinet Office.[158]

In a previous inquiry we expressed concern that no one government department was identified to take immediate lead responsibility should there be a severe space weather event.[159] The machinery in the event of a cyber attack appears to be under development, with an important role being played by the Cyber Security Operations Centre. However, before a 'lead Government Department' is identified for a particular cyber incident there is a potential gap during which the Cabinet Office has a coordinating role but the location of executive authority is not clear. It is vital that clear procedures are in place, and communicated, about how ownership of incident response is escalated when necessary from individual departments to higher, central authorities. We recommend that the National Security Council review these arrangements to ensure that the UK's response to major cyber-incidents is as streamlined, rapid and effective as it can be, and that a programme of regular exercises, involving ministers as well as officials, is put in place to test the arrangements. The MoD should also conduct exercises for its own internal arrangements and their interface with the rest of government.
























159 Defence Committee, Tenth Report of Session 2010-12, Developing Threats: Electro-Magnetic Pulses (EMP), HC 1552

Conclusion

Within the complex landscape of cyber-security threats and responses, it is imperative that each agency, department and Minister knows what it is that they are responsible for, either uniquely or in partnership with others. This role must be articulated clearly and understood fully in government at large. The amorphous, boundary-less nature of cyberspace, and the specific skills and capabilities needed to operate within it, mean that responsibilities which apply in the physical sphere cannot simply be read across to the analogous activity in the cyber sphere.

We welcome the Government's commitment to foster a vibrant and innovative cyber-security sector in the UK including a distinct role for the MoD to deliver military capabilities both to confront high-end threats and to provide potential offensive capability. However, we are concerned that in the long term, under unforeseen circumstances, such a narrow role might prove untenable. Our national understanding of 'defence' has widened to encompass a range of security threats not traditionally within the purview of the Armed Forces, and the same may be true of the cyber domain. For this reason, we consider that the Government as a whole needs to base decisions about responsibilities on a clear and conscious rationale, and be prepared to re-examine those decisions as events warrant. We recommend that the MoD and the National Security Council keep under review the delineation of the military role in national cyber-security, not with a view to expanding that role unnecessarily, but to ensure that threats are dealt with in the most appropriate and effective manner, and that the MoD can focus its resources accordingly.

The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation's security. The Government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour.


BT DFTS BT Defence Fixed Telecommunications Service

CDAP Cyber Defence Action Plan

CIO Chief Information Officer

COBR Cabinet Office Briefing Room

CPNI Centre for the Protection of National Infrastructure

CSOC Cyber Security Operations Centre

DCOG Defence Cyber Operations Group

DCSP Defence Cyber Security Programme

DI Defence Intelligence

DOC Directorate of Operational Capability

EADS European Aeronautic Defence and Space Company

GCHQ Government Communications Headquarters

GOSCC Global Operations and Security Control Centre

ISS Information Systems and Services

JFCyG Joint Forces Cyber Group

MoD Ministry of Defence

NATO North Atlantic Treaty Organisation

NCSP National Cyber Security Programme

NSC National Security Council

NSS National Security Strategy

PR12 Planning Round 2012

SDSR Strategic Defence and Security Review

UAV Unmanned Aerial Vehicle






TUESDAY 18 DECEMBER 2012

Members present:

Mr James Arbuthnot, in the Chair

Mr Julian Brazier
Mr Thomas Docherty
Mr Jeffrey M. Donaldson
Mr Dai Havard
Mrs Madeleine Moon
Sir Bob Russell
Bob Stewart
Ms Gisela Stuart

Draft Report (Defence and Cyber-Security), proposed by the Chair, brought up and read.

Ordered, That the draft Report be read a second time, paragraph by paragraph.

Paragraphs 1 to 123 read and agreed to.

Annex agreed to.

Resolved, That the Report be the Sixth Report of the Committee to the House.

Ordered, That the Chair make the Report to the House.

Written evidence was ordered to be reported to the House for printing with the Report, together with written evidence reported and ordered to be published on 26 March 2012, in the previous Session of Parliament (HC 106).

Ordered, That embargoed copies of the Report be made available, in accordance with the provisions of Standing Order No. 134.

[Adjourned till Tuesday 8 January at 2 p.m.






Wednesday 18 April 2012

John Bassett, Associate Fellow, Cyber-security, Royal United Services Institute, Professor Brian Collins, Chair of Engineering Policy, Faculty of Engineering Science, University College London, and Professor Sir David Omand GCB, Visiting Professor, Department of War Studies, King's College London
Air Vice-Marshal Jonathan Rigby, Director, Cyber, Intelligence and Information Integration, and Major-General Jonathan Shaw, Assistant Chief of Defence Staff (Global Issues)

Wednesday 16 May 2012

Nick Harvey MP, Minister for the Armed Forces, Air Commodore Tim Bishop, Head of Global Operations Security Control Centre, and John Taylor, Chief Information Officer, Ministry of Defence

Wednesday 27 June 2012

Rt Hon Francis Maude MP, Minister for the Cabinet Office, and James Quinault, Director, Office of Cyber Security and Information Assurance, Cabinet Office






Ministry of Defence Ev 42






(published in Volume II on the Committee's website www.parliament.uk/defcom)

Dave Clemente, Researcher, International Security Programme, Royal Institute of International Affairs, Chatham House Ev w1

Intellect Ev w3

Trend Micro Ev w4

Russ Bubley Ev w5

BAE Systems Ev w8

EADS Ev w10

Research Councils UK Ev w14

McAfee Ev w17

Raytheon UK Ev w21

Symantec Ev w22

Institute for Security & Resilience Studies, UCL Ev w30






The reference number of the Government's response to each Report is printed in brackets after the HC printing number.

Session 2012-13

First Special Report: Ministry of Defence Annual Report and Accounts 2010-11: Government Response to the Committee's Eighth Report of Session 2010-12. HC 85

First Report: Ministry of Defence Supplementary Estimate 2011-12. HC 99 (HC 577)

Second Report: The Armed Forces Covenant in Action? Part 2: Accommodation. HC 331 (HC 578)

Third Report: MoD Main Estimate 2012-13. HC 133 (HC 607)

Fourth Report and First Joint Report: Scrutiny of Arms Exports (2012): UK Strategic Export Controls Annual Report 2010, Quarterly Reports for July to December 2010 and January to September 2011, the Government's Review of arms exports to the Middle East and North Africa, and wider arms control issues. HC 419

Fifth Report: Future Maritime Surveillance. HC 110 (HC 827)

Source: http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/10602.htm
 
