Defence Committee
Written evidence from BAE Systems

Introduction

1. The Government’s commitment in the National Cyber Security Strategy is a key element of the UK’s response to cyber-attack on public and private sector organisations. The Ministry of Defence (MoD) has a critical role to play in delivering this strategy.

2. The National Cyber Security Strategy clearly articulates the role of the private sector in improving cyber security. The key to success will be ensuring that private companies see it as beneficial to their business to work in partnership with government, and for them to understand how, and in what way, they should engage with government most effectively.

3. BAE Systems welcomes the House of Commons Defence Select Committee’s intention to conduct an inquiry into cyber security. BAE Systems Detica, part of BAE Systems, has over 30 years of experience working with government and is a leading provider of cyber security services and solutions in the UK. BAE Systems is pleased to be able to contribute to this inquiry and would be happy to discuss with the Committee any points raised in this submission.

The Cyber-Security Threat

4. In a knowledge based economy, every organisation relies on information assets and systems to operate and compete. A cyber-attack which compromised the confidentiality, integrity or availability of its information would damage performance and bring operational and reputational risk to the organisation. Generic and MoD specific examples are paired below.

Generic: Leakage of confidential and personal emails
MoD specific: Publication of confidential email between senior staff during budget decisions

Generic: Compromise of real-time control systems for operational equipment
MoD specific: Loss of the command channel to operational remotely operated vehicles

Generic: Compromise of core planning and control processes that direct the overall operation of the organisation
MoD specific: Logistics information relating to deployed operations being visible to an adversary

Generic: Publication of Intellectual Property (IP) regarding the future products or services of the organisation, including an understanding of how they may themselves be compromised
MoD specific: Performance details of future weapons systems being visible to an adversary

5. A growing range of threat actors are mounting such attacks including:

“hacktivists” intent on causing reputational damage;

“insiders” as individuals or supported and motivated externally through advanced social engineering; and

“corporate” and “state-sponsored” attacks determined to steal high value IP or to reduce the operational ability of the organisation.

6. The increasing use of COTS products, and the dependency on internet protocol (as opposed to proprietary) networks, will have brought a wider range of vulnerabilities into MoD systems, some of which will already be known to attackers.

MoD and the UK National Cyber Strategy

7. It is essential that the governance of cyber security across government clearly defines the roles and responsibilities of government departments and public bodies individually and in collaboration. Without this clarity:

outcomes would be weaker given the limited resources available; and

private sector companies would find it difficult to engage effectively with government, reducing their contribution and their benefit.

8. We believe MoD’s role and responsibility will include internal activities and activities conducted collaboratively with other government departments and the private sector. Examples are as follows:

Internal Activities:

ensure security of its own Department;

assure security of its supply chains; and

establish active defence and offensive capabilities.

Collaborative Activities:

implement effective exchange of information on a trusted basis across government and the UK defence industrial base and, possibly, other industry verticals;

contribute to the secure implementation of cross-government networks (eg the central Government “Public Services Network”); and

support the security of Critical National Infrastructure (CNI).

9. Possible approaches to these collaborative areas range from sharing “best practice” to the provision of a shared network security service and support to CNI. (For example, is the MoD required to provide the cyber-security equivalent of “military aid to a civil power”?). MoD and others will need clarity regarding remit to ensure expectations are met.

10. MoD has well-established Information Assurance (IA) processes for reviewing cyber risk, and should continue to share knowledge and expertise with other government departments and private sector organisations. We suggest five areas of specific focus: defining the perimeter of the MoD; sharing threat intelligence; increasing the efficiency and effectiveness of IA processes; secure by design; and policy.

Defining the “perimeter” of MoD

10.1 The nature of the cyber threat means the supply chain is also liable to attack, and a vulnerable supplier is, potentially, a “weak link” providing access to MoD systems. Risk mitigation actions might include sharing threat intelligence, providing “best practice” guidance and improving identity and access management. Government policy is to encourage the use of SMEs in the defence supply chain. These companies may require additional support to accelerate their cyber-security maturity.

Sharing threat intelligence

10.2 The trusted sharing of each organisation’s operational experiences will improve the overall cyber security posture. Individual risk assessments will be informed by wider experience enabling them to deliver up to date and valuable conclusions and, hence, more timely mitigation. The UK Government’s Cyber Security Operations Centre should be a key part of this exchange.

Increasing efficiency and effectiveness of IA processes

10.3 MoD can ensure that a “lean” IA approach, driven from a close understanding of business risk, is applied. This will be more effective because it ensures each asset is protected in proportion to its risk, rather than a broad brush approach which may over-protect some assets and under-protect others.

Secure by design

10.4 MoD could lead wider government in endorsing “secure by design”. Through its understanding of the threat MoD could encourage its suppliers to adopt an affordable risk based approach to information security and, hence, reinforce that security is an essential, rather than excessive, differentiator.

Policy

10.5 MoD should explore the policy options for “rules” governing operations in cyber space and for increasing its freedom of action: in particular, the extent to which it can actively defend its assets and interests in near real-time without needing to invest time seeking higher approvals. It would also need to determine how to deliver these operations given limitations in critical skills.

11. MoD could also explore, within the context of the existing national crisis response, any requirement to refresh the command and control mechanisms to ensure they are “fit for purpose” in the cyber age.

12. The development of a business case for investment in cyber defence can be challenging because of the requirement to quantify the risk of cyber-attack through measures of vulnerability and threat. The private sector faces the identical challenge, so there is an opportunity to share approaches. Beyond simply sharing “best practice”, this has the potential benefit of a common understanding of “return on investment” in cyber-security, which would avoid the scenario where one party chooses to invest and another does not, rendering the investment worthless.

Resource Availability and Management

13. Cyber expertise is scarce across the UK and the market is very competitive. In common with many organisations, MoD is likely to find it difficult to recruit and retain suitably qualified and security cleared staff.

14. The National Cyber Security Strategy sets out a range of initiatives to address this resource gap. It follows that MoD should encourage government to develop an action plan to implement these initiatives and to close the skills gap as a priority. In the US, for example, the public/private “US Cyber Challenge” has been established to find 10,000 new cyber security professionals.

15. In the short-term MoD may need to draw on resources from the private sector although this is likely to be a partial mitigation. For example, an active defence and offensive capability will be particularly difficult to establish as this capability is not normally required within the private sector.

16. It is possible, with new delivery models, that the private sector could not only be a source of skilled resources but deliver “surge capacity” through a “cyber reserve”. In addition, the private sector can be a partner in addressing the national shortage of cyber skilled professionals. Here MoD, wider government, the private sector and academia could work together to identify core security skills and to encourage and provide education and accreditation of relevant professionals.

17. To inform the development of the appropriate skills base, the MoD must understand the scope and scale of resource required to counter the current threat, and then predict the change in cyber threat and forecast the impact on resource requirements.

18. The pace of change in cyber threats to information systems and platforms will require the MoD, working with its supply chain, to maintain a fast-moving, agile defence:

the commercial contracting structures that the department employs with the supply chain should enable this to happen;

the security requirements for new platforms must be considered from the outset as an integral part of the overall requirement definition; and

the security requirements for many long term equipment and platform refresh programmes may have been baselined well before the understanding of cyber threat reached its current state of maturity, and may now need case-by-case review.

20 February 2012

Prepared 8th January 2013