Defence Committee

Written evidence from Dave Clemente, Researcher, International Security Programme, Royal Institute of International Affairs, Chatham House

This evidence focuses on three aspects of cyber security which are of relevance to this inquiry: (a) division of authorities, (b) development of skills and expertise, and (c) measuring success or failure. While the current fiscal environment is constrained, the Government has identified cyber security as an area of particular interest. Additional investment may be necessary in some areas, while gains through efficiency and cooperation will suffice in other areas.

1. Regarding the role of the UK MoD and Armed Forces in national cyber security, their primary responsibility must be to protect their own information and the networks that hold this information.

2. In a conflict situation it may be necessary for the military and wider Government to operate in a degraded or insecure cyber environment. This requires acceptance that total control of “UK cyberspace”—however defined—is impossible. As the late Prof Philip Taylor (University of Leeds) noted, “full spectrum dominance is impossible in the global information environment.”1 This was meant in the context of military psychological operations, but it holds equally true when attempting to secure highly inter-dependent computer networks and information systems.

3. Protection of critical national infrastructure (CNI) is an area of significant importance and one that is becoming more difficult to analyse as inter-dependency increases between CNI sectors. The 2011 UK Cyber Security Strategy notes the status of the Centre for Protection of National Infrastructure (CPNI), but the centre has a light-touch role that focuses on delivering advice and building partnerships and relationships between the public and private sectors.2

4. The role of the UK military in protecting CNI remains poorly defined, but the UK is not exceptional in this respect. The debate over appropriate authorities for protecting CNI has been going on for some time in the US. The US Senate recently held hearings on proposed legislation—the “Cybersecurity Act of 2012”—which included discussion of the roles of the military and the intelligence community in protecting critical infrastructure.3 As the responsibilities of the UK National Cyber Security Programme become clearer, it may become increasingly necessary and appropriate for the Government to engage the public regarding the role of the Armed Forces and the intelligence community in protecting critical infrastructure.

5. Cross-government communication and cooperation remain essential to more effective national cyber security. At the moment there are few clear lines of authority across the public and private sectors for carrying out protective measures in cyberspace. In most domains it is possible to ascertain who is attacking and why, and the answers to these questions determine which entity serves as protector. This is rarely the case in cyberspace, which creates a high level of ambiguity about who protects (military, law enforcement, lawyers, etc).4

6. The UK 2011 Cyber Security Strategy allocated the majority of National Cyber Security Programme investment (73%) to the Single Intelligence Account (59%) and MoD (14%). While the military and the security services are essential components of protecting the UK in cyberspace, they may not be the most appropriate organisations to deal with the problems that are causing some of the most immediate pain (eg cyber crime/fraud/identity theft, malware, etc).

7. Future government cyber investment may wish to devote additional attention to areas such as public awareness of basic/intermediate cyber security measures, as well as to early education in various aspects of information technologies (eg programming). Informed policy-making in these areas is increasingly necessary for the development of a highly skilled work force and is essential to remain competitive in the 21st Century.

8. The development of cyber skills, capacity and expertise is essential to adapt and innovate. The UK retains superb institutional memory from its involvement in the evolution of the internet and cyberspace more broadly. The people involved (often eminent academics) are irreplaceable, and their insight can be used more extensively to benefit the next generation of HMG policy-makers.

9. There are gains to be made from encouraging and rewarding cyber skills and expertise within the military bureaucracy. Some sensitive tasks cannot be contracted to foreign nationals, and it will be necessary to develop UK talent as well as implement processes that value and promote skilled individuals.

10. Talent retention is a regular concern and one that is becoming more urgent. Cyber security experts can earn far more in the private sector than in government, and more thought needs to be given to retaining and incentivising talent. In evidence given to the UK Parliamentary Intelligence and Security Committee in 2011, the Director of GCHQ noted that “I need some real internet whizzes in order to do cyber and I am not even sure they are even on the contractor market, so I need to work on that. They will be working for Microsoft or Google or Amazon […]. I can offer them a fantastic mission, but I can’t compete with their salaries. But I probably have to do better than I am doing at the moment, or else my internet whizzes are not going to stay.”5

11. Improvement in all these areas is highly dependent on accurate measurement. What metrics will the UK Government use to (a) judge success or failure in cyber security, (b) set benchmarks that can assist with these judgements and (c) preserve the institutional memory within government necessary to innovate and improve in cyber security?

“Security investment in the absence of security metrics will only result in overspending or underprotecting. No game play improves without a means of keeping score; decisions about developing, implementing and terminating cyber security programs are no exception. In fact, improving cyber security metrics programs is a meaningful goal in its own right. […] The cyber security problem cannot be solved absent a succinct mission goal. Reactive actions, however good, cannot drive policy. At the highest level of abstraction, the mission goal of cyber security is to:

move from a culture of fear,

to a culture of awareness; and

to a culture of measurement.”6, 7

20 February 2012

1 Jason Vest, “Missed Perceptions”, Government Executive, 1 December 2005, http://www.govexec.com/magazine/features/2005/12/missed-perceptions/20710/

2 UK Cabinet Office, The UK Cyber Security Strategy Protecting and promoting the UK in a digital world (London: Cabinet Office 2011) https://update.cabinetoffice.gov.uk/resource-library/cyber-security-strategy, p. 28.

3 Kim Zetter, “McCain: Cybersecurity Bill Ineffective Without NSA Monitoring the Net”, Wired, 16 February 2012, http://www.wired.com/threatlevel/2012/02/cybersecurity-act-of-2012/

4 Todd Bishop, “Q&A: The latest from Microsoft security guru Scott Charney”, TechFlash, 15 February 2011, http://www.techflash.com/seattle/2011/02/qa-microsofts-scott-charney.html

5 Tom Jowitt, “GCHQ Boss Complains Of Cyber Brain Drain”, TechWeekEurope, 14 July 2011, http://www.techweekeurope.co.uk/news/news-security/gchq-boss-complains-of-cyber-brain-drain-34212

6 Daniel E. Geer, Jr, “How Government Can Access Innovative Technology”, in Kristin M. Lord and Travis Sharp (eds), America’s Cyber Future: Security and Prosperity in the Information Age, Volume II (Center for a New American Security, May 2011) http://www.cnas.org/cyber, p. 186.

7 Daniel E. Geer, Jr, “Cybersecurity and National Policy”, Harvard National Security Journal, Volume 1, 7 April 2010, http://harvardnsj.org/wp-content/uploads/2011/01/Volume-1_Geer_Final-Corrected-Version.pdf

Prepared 8th January 2013