145. Governments across the world, multinational
bodies such as NATO and the EU, commercial and non-commercial
organisations, in fact all of us have a stake in cybersecurity.
Many foreign governments, and in particular the US Government,
have recognised the scale of the threat posed by cyberattack and
are taking robust action. Early in 2009, President Obama commissioned
a 60-day review of cybersecurity that made recommendations to
ensure that the US Government adopts a cohesive and comprehensive
approach in this area.
The US Defence Secretary, Robert Gates, has ordered the establishment
of a unified cybercommand to improve preparations to conduct offensive
and defensive computer warfare.
The EU is also taking action on cybersecurity. The European Commission
is proposing to impose harsher penalties on people who use the
internet to commit crimes. It is also planning to fund cybersecurity
projects from a budget of £47 million over the next four
146. NATO adopted a policy on cybersecurity in January
2008, which was subsequently endorsed by Member States at the
Bucharest Summit. The main tangible result of this policy has
been the opening of the NATO Cyber Defence Centre of Excellence
in Tallinn, Estonia, in May 2008. We visited this Centre and learned
about its important work in conducting research and advising NATO.
147. We also learned that, despite the strategic
importance of the centre, it does not receive core NATO funding.
Instead, it relies on the sponsorship of individual Member States
Estonia, Latvia, Lithuania, Germany, Italy, the Slovak Republic
and Spain. Other NATO centres of excellence are also funded in
a similar way. Estonian Government representatives that we met
argued that NATO members, including the UK, should show greater
support for the Cyber Defence Centre of Excellence. We asked the
Minister for NATO why the UK Government was not funding the Centre.
there is a limit to what you can do collectively
in terms of cybersecurity [
] We were asked if we wanted
to contribute to the Cyber Defence Centre but we felt that other
things we were doing were more important and we should concentrate
148. On 25 June 2009, the Prime Minister launched
the UK's first national cybersecurity strategy. The Government
announced the creation of a dedicated Office of Cybersecurity,
within the Cabinet Office, that will lead on cybersecurity across
government. A new multi-agency cybersecurity operations centre
in Cheltenham will also be established to provide the coordinated
protection of the UK's information technology infrastructure.
149. During our inquiry we were unclear of the exact
contribution of the MoD to national cybersecurity. We requested
a memorandum to clarify this matter. The MoD describes its contribution
to the Government's policy in the following terms:
The MOD provides technical advice and expertise to
the civilian agencies responsible for the UK's national information
infrastructure. It is closely involved in the cross-Departmental
project led by the Cabinet Office to consider the UK's overall
approach to cybersecurity and develop a National Cybersecurity
As in the case of more traditional forms of attack,
the Government would be able to draw on a range of instruments
of national power in responding to a cyberattack. Along with technical,
legal, political, economic and other instruments, the threat or
use of military force is also of course an option in cases of
very serious attack.
150. In taking forward work on cybersecurity, we
were told during our visit to the Cyber Defence Centre in Estonia
that there were significant legal and political issues to be resolved.
Rain Ottis, one of the Centre's senior scientists, was reported
In the absence of a clear legal framework for dealing
with cyberattacks, it's very hard to decide whether to treat them
as the beginning of armed conflict.
UK, alongside many other countries, faces an increasing threat
of cyberattack. Cybersecurity is an issue of increasing significance
for the UK and NATO as society becomes increasingly dependent
on information and communication technology. The cyberattacks
on Estonia and Georgia demonstrate the importance of the UK and
NATO developing robust resilience.
152. We welcome
the Government's publication of a National Cybersecurity Strategy
and the establishment of new offices to coordinate and implement
cybersecurity measures. Despite information from the MoD, we are
still not clear what the exact role and contribution of the MoD
is towards national cybersecurity. In the Government's response
to our Report, we recommend the Government to set out more clearly
the MoD's current and future work in relation to national cybersecurity.
The MoD should also ensure that the importance of cybersecurity
is reflected within its planning and resource allocation.
153. Given the
importance that the Government now attaches to national cybersecurity,
we call on it to explain its decision not to sponsor the NATO
Cyber Defence Centre of Excellence. The UK Government should urge
NATO to recognise the security challenge posed by electronic warfare
in NATO's new Strategic Concept. NATO should give cybersecurity
higher priority within its planning to reflect the growing threat
that this poses to its members. NATO should ensure that the work
of the Cyber Defence Centre of Excellence is fully supported,