Defence Committee: Written evidence from EADS

Introduction

1. EADS welcomes this opportunity to respond to the Defence Select Committee’s inquiry on cyber-security.

2. This response opens with an executive summary followed by background information on EADS’ presence in the UK and the cyber capabilities of its Astrium and Cassidian units. It then addresses some of the specific issues raised by the Committee.

3. Given the Committee’s intention to return to the topic of cyber-security, we would welcome the opportunity to contribute to any further work investigating a broader range of issues beyond the scope of this present inquiry.

Executive Summary

4. The cyber-security threat is real, persistent, and continually evolving. It is targeted at both the public and private sector and knows no international boundaries.

5. The cyber-security threats that are visible represent only the “tip of the iceberg” and in reality a true understanding of the potential dangers is not yet known.

6. A simple “boundary defence” approach will not be sufficient. MoD must defend from within to truly mitigate the developing cyber threat.

7. Industrial partners have a great deal of experience helping public and private sector organisations in the UK and around the world deal with cyber-security threats.

8. In light of this, enhanced, two-way communication and information sharing between the public and private sector, with government playing a strong coordinating role and providing greater clarity on the nature of the threats they face, would enable the latest international experiences to be used to the benefit of UK cyber defences.

9. Specifically, EADS recommends that industry sit on specially created Cyber Boards where information on the very latest cyber threats, risks and mitigation measures can be shared. Such an approach, as outlined in the government’s Cyber Security Strategy, would help foster a true partnership between industry and government.

10. Another key requirement is bringing the activity to life, and executing the “doing” rather than the planning. Industry is experienced in “doing” cyber and is well positioned to form long lasting strategic partnerships that will offer greater resilience to the Government.

11. Industrial partners are investing a great deal to research and develop solutions to cyber-security threats and are well positioned to assist the government’s decision making process and make up for any shortage of public funding.

12. EADS therefore recommends an approach that looks to improve how government and industry interact on three levels: Communications, Relationships and Resources. We believe that addressing these will ensure the UK has the most robust defence possible against the cyber-security threat we face.

About EADS

13. EADS is a global leader in aerospace, defence and related sectors. The EADS group of industries includes Airbus, the leading manufacturer of commercial aircraft, Eurocopter, the world’s largest helicopter supplier, Astrium, the European leader in space programmes from Ariane to Galileo, and Cassidian, a leading provider of cryptography and other security solutions. EADS is the second largest aerospace and defence company in the world and a major partner in many of Europe’s largest aerospace projects, including Eurofighter Typhoon. EADS has a major industrial presence in the UK. Over 18,000 high value-added, highly-skilled jobs are directly supported at EADS’ 25 key UK sites, and a further 135,000 jobs are indirectly supported throughout the UK supply chain.

EADS in the UK’s Cyber-Security Capabilities

14. EADS’ UK businesses with a specific involvement in cyber-security include:

(a) Astrium. With bases in Stevenage, Portsmouth, Poynton and Surrey, Astrium is a world leader in military and civil satellite systems, Earth observation, science and navigation programmes. It is a $3 billion business, the No.1 space company in Britain and Europe, and No.3 worldwide, after Boeing and Lockheed Martin. Astrium is responsible for delivering secure satellite communications for MoD through the Skynet 5 programme.

(b) Cassidian. Based in South Wales, Cassidian provides lead systems integration, information assurance, cryptography, and other cyber services to support the Armed Forces, Government agencies and Emergency Services in their cyber defence strategies. Cassidian has consolidated its cyber security portfolio and competencies into a dedicated International Cyber Security Centre which shares the knowledge, intelligence and best practice gained from many years of experience in the cyber security domain with its global customers. Its cyber-security activities for the UK Government include computer network defence operations for MoD’s Defence Information Infrastructure programme, provision of Cryptography solutions to many government agencies and Consulting Services to help government customers counter the cyber threat.

15. Cassidian and Astrium’s specialist expertise in providing cyber protection and cyber incident response for defence and government customers around the world provides both companies with awareness of the latest cyber threats. EADS invests significantly in R&D and is actively developing cyber-defence capabilities across many technical domains from secure cryptography solutions to secure satellite communication capabilities. Innovation is key to the R&D development processes as EADS is constantly looking to reuse existing research from other sectors to bolster the company’s knowledge. For example, EADS has expertise in software design methodologies and techniques used to assure safety-critical software on commercial and military aircraft, which is being further developed to identify security vulnerabilities in software designed for use on both aerospace and terrestrial platforms and systems. In addition, Cassidian is applying technologies developed to protect Critical National Infrastructure Industrial Control Systems to other domains and industries.

16. Security is embedded throughout EADS’ culture and approach to business. Over 500 people in Cassidian and Astrium are actively involved in developing and designing cyber-defence capabilities.

17. Furthermore, as a global organisation EADS is able to apply the significant international resources, experience, skills, and knowledge of the latest cyber threats in a local context.

Detailed Response

Improving communications

18. The nature of the cyber-security threat is real, persistent, and continually evolving. It is targeted at both the public and private sector and knows no international boundaries. It would therefore be dangerous to view this threat as simply a UK issue, and try to deal with it unilaterally.

19. Although the cyber-security threat is recognised, it is not yet adequately defended or managed. In fact the cyber-security threats that are visible represent only the “tip of the iceberg”, and a true understanding of the potential dangers is not yet known. Similarly, the impact of a cyber-attack could be much more severe than is currently generally understood.

20. There is therefore a requirement to assess the impact of an aggressive cyber-attack on power, water and food distribution, and how an adversary could exploit this.

21. Industrial partners have a great deal of experience helping public and private sector organisations in the UK and around the world deal with cyber-security threats.

22. In light of this, enhanced, two-way communication and information sharing between the public and private sector, with government playing a strong coordinating role and providing greater clarity on the nature of the threats they face, would enable the latest international experiences to be used to the benefit of UK cyber defences. For example, the risk of attack could be reduced by enhancing the mitigation measures currently in place via anti-jamming or Advanced Persistent Threat (APT) monitoring.

23. Given the nature of the cyber-security threat, a more open and advisory approach would have many advantages, and is likely to result in the MoD and Armed Forces being offered a greater range of protective measures (we would draw a comparison to current publicity highlighting the threat of car crime which warns people not to leave their valuables in their car).

24. MoD’s existing cyber capabilities are well positioned to contribute to, and support, the government’s overall approach in this domain. However, command and control of non-MoD capabilities is not currently envisaged, or truly realised, by Government.

25. Astrium and Cassidian are, respectively, the sole partners for delivering MoD’s secure satellite service provision and computer network defence operations for MoD’s network through the Skynet 5 and Defence Information Infrastructure programmes.

26. With this in mind EADS believes the UK Government needs to recognise the power that can be created by defining a group of trusted “Cyber Savvy” industrial partners that both understand the threat and appropriate mitigation strategies and can help all relevant government departments tackle the threat in a coordinated manner.

27. A pre-requisite of such collaboration is giving industry and other specific organisations the freedom to share intelligence anonymously.

Industry’s relationships with Government, MoD and the Armed Forces

28. EADS is supportive of full sharing and openness by industry of R&D and other critical technical developments, as well as the development of common standards, to permit the seamless integration of multivendor security products and services.

29. EADS would also actively encourage MoD and wider Government to enhance and improve its level of engagement with industry. While there is a good level of engagement at the technical and programme level, there is room for improvement in terms of utilising industry’s expertise to inform the development of long term strategic and operational policy.

30. There is therefore a requirement for a central agency to draw together the UK’s entire cyber defences, comprising MoD, other government departments, and Critical National Infrastructure providers, in order to provide clarity on the most appropriate national reaction, response and governance to cyber-security issues. At present it is not clear who owns the coordinated response to a national cyber security incident. Greater information sharing and technical interoperability are key to enabling a truly cross-governmental and coordinated approach to a major cyber-attack.

31. Initiatives that improve awareness and share information must be applauded, but ultimately acting upon such information in a coordinated and structured way is essential. EADS’ recommendation is to initiate a series of scenario-based cyber exercises, both simulated and real time, involving a multi-agency response, to test and improve these capabilities.

32. Government should nominate a department or agency to take the lead, including an advisory role, in these types of exercises to ensure their experience is shared across the key agencies.

33. EADS recommends the MoD’s Global Operations & Security Centre (GOSSC) should act as the central hub for the UK’s response to a cyber-attack, and further recommends it be re-named the Governmental Operations & Security Centre, with top level Governmental Command and Control teams working alongside MoD in this environment.

34. EADS also recommends that the Cyber Emergency Response team be extended beyond MoD, the National Security Council, Cabinet Office and GCHQ to include industrial partners, because the private sector often possesses expertise in mitigating the latest threats.

Maximising the impact of available resources

35. Cyber-security is the fastest growing threat to the UK and there is now a requirement for greater investment by Government and MoD to address this. The UK can no longer afford to just paper over the cracks—more money needs to be allocated to solve the problem.

36. It has often been said that the price of security is constant vigilance. In our contemporary world that is only half the task. Today, that price must also include constant innovation; pro-active, strategically-guided, but free-thinking, innovation.

37. Today the MoD is primarily focused on the protection of fixed assets and the traditional battlefield via advanced network security. The more subtle threats, such as APT and the social engineering techniques used to compromise system security, are becoming more prolific. Traditional boundary defence will not work to detect and mitigate these threats, because vulnerabilities inside the boundary are not sufficiently managed.

38. National infrastructure owned by the private sector has the same responsibilities as those owned nationally and must stand up to the cyber threat. Addressing the cyber-security threat to the UK must bring together the public and private sectors, as well as academia. Fundamentally, success will depend upon the development of skills and knowledge across all industries, government and academia.

39. The work done by UCL’s Institute for Resilience Studies provides strong doctrine recommendations regarding the security of Critical National Infrastructure which EADS would like to bring to the Committee’s attention.

http://www.ucl.ac.uk/isrs/publications/CyberDoctrine

40. In this document, the cyber environment is described as “clouds of fog and friction”, at the centre of which is the citizen, dependent upon critical infrastructures and network services from public, private and voluntary sectors. Currently there appears to be a distinct lack of integration, and chain of command and actions seems to have moved to individual agencies.

41. Strong relationships have been developed via the launch of Office of Cyber Security & Information Assurance (OCSIA) which appears to be shaping the environment. However, the interface between OCSIA and industry has yet to emerge. Industry’s focus must be on the provision of Cyber Consultancy to support the shaping of UK Cyber strategy and protection mechanisms.

42. The risk to critical national infrastructure is probably not a legislative issue, as the adversaries launching cyber-attacks pay no heed to legislation. Where legislation is needed is to support the protection of Intellectual Property rights, since IP theft has been identified as the biggest cybercriminal impact on the UK economy (estimated by the Cabinet Office [1] to cost £9.2 billion per annum to the UK economy). Legislation needs to force organisations to declare the occurrence and impact when IP is stolen or lost. This is an important protection for shareholders.

43. Working from the old adage that attack is the best form of defence, it is clear that in developing our defensive capabilities we now have a much clearer understanding of how potential aggressors may attack. We need to form a view on how our defensive capabilities could be turned to our advantage, to challenge those who mean harm to UK Defence and infrastructure. This proactive stance must involve using knowledge of attack vectors (gained by both government and industry) to bolster the UK’s defensive capability.

44. The Government’s ability to respond rapidly to cyber-attacks is a critical success factor. The Government’s existing procurement processes can create a bottleneck and hold up the roll-out of dynamic cyber responses; since delays in procurement exacerbate the threat to systems, there is a requirement to accelerate the process.

45. In specialised areas we would recommend building on the successes of the Skynet programme, in which a PFI model is used to develop and manage the core infrastructure, thereby allowing industry to be more adaptable with flexible arrangements for procurement and MoD to benefit from a cost effective service delivery model which consumes only the services required at the time they are needed.

46. MoD and Government should adopt a service-based approach to facilitate a rapid response to cyber-attacks. This approach would bring cost efficiencies, as less capital investment would be required by the customer. In addition to reducing the total cost of ownership to the MoD, a service-based approach will increase flexibility and allow MoD to modify its requirements according to the changing cyber threat level and so adapt to peaks and troughs in demand.

47. There needs to be a clear recognition of Cyber as a profession, with continued development of skills throughout an individual’s career, supported by exchanges between industry and government.

48. Increasingly industry is establishing advanced cyber training academies. Examples include the Cassidian Cyber Security Training Centre, which focuses on developing world leading cyber skills through intense practical training and development courses, or the Space School sponsored Astrium Security Academy which develops both security awareness and secure system design skills throughout the organisation.

49. Government should exploit industry’s advanced skill set, which comes with significant international resource and knowledge, to support their cyber protection requirements.

16 February 2011

[1] The cost of cyber crime; Cabinet Office; February 2011; http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime

Prepared 8th January 2013