Defence CommitteeWritten evidence from Research Councils UK

Background

1. Research Councils UK is a strategic partnership set up to champion research supported by the seven UK Research Councils. RCUK was established in 2002 to enable the Councils to work together more effectively to enhance the overall impact and effectiveness of their research, training and innovation activities, contributing to the delivery of the Government’s objectives for science and innovation. Further details are available at www.rcuk.ac.uk.

2. This evidence is submitted by RCUK and represents its independent views. It does not include, or necessarily reflect the views of the Knowledge and Innovation Group in the Department for Business, Innovation and Skills (BIS). The submission is made on behalf of the following Councils:

Arts and Humanities Research Council (AHRC).

Biotechnology and Biological Sciences Research Council (BBSRC).

Engineering and Physical Sciences Research Council (EPSRC).

Economic and Social Research Council (ESRC).

Medical Research Council (MRC).

Natural Environment Research Council (NERC).

Science and Technology Facilities Council (STFC).

3. The Engineering and Physical Sciences Research Council (EPSRC) invests in cyber security research and training through the Global Uncertainties programme of the research councils.

4. EPSRC is the main UK Government agency for funding research and training in engineering and the physical sciences, investing more than £850 million a year in a broad range of subjects, including in cyber security. EPSRC invests in internationally excellent UK science and engineering research in funding primarily in universities, and draws on independent advice to help inform research strategy and make investment decisions. EPSRC also supports the financing of postgraduate training to ensure the ongoing supply of skills for academia and business. BIS is the main supporting Department.

5. Improving the level of interactions between business and the research base in the UK universities is a priority for EPSRC. The EPSRC vision is for the UK to be as renowned for knowledge transfer and innovation as it is for research discovery. EPSRC is working with universities, businesses, charities, and government departments on joint initiatives and activities, to understand their needs and challenges and use this information to inform strategic priorities and investment plans. EPSRC funds a range of research projects that are relevant to the real world research needs of many organisations. To help ensure that the research EPSRC sponsors have impact beyond academia we strongly encourage collaborative working with users in both the public and private sectors. As a result about 40% of EPSRC’s portfolio of research projects typically features user engagement of some kind. EPSRC has a strategic relationship with the Technology Strategy Board and supports a number of joint initiatives with that organisation.

6. The Aerospace, Defence and Marine sectors are a priority for EPSRC collaboration due to their R&D intensity and importance to the UK economy. The current EPSRC portfolio relevant to these sectors has a total value of around £300 million in 300 research projects. The majority of the defence related grants support projects focused in materials or electronics with a smaller number of computational projects. There are also a number of security related projects including research related to terrorism, cyber security, CBRN (Chemical, Biological, Radiological and Nuclear), crime and ideologies. There are around 300 collaborators involved in this portfolio.

7. EPSRC has entered into Strategic Partnerships with a number of organisations in the Aerospace, Defence and Marine sectors. Examples include:

Airbus/EADS—focused on reducing in flight drag via the creation of an active aircraft system.

BAE Systems—focused on autonomous and intelligent systems; design, manufacture and maintenance of Unmanned Aerial Vehicles (UAVs); systems engineering; modelling, design and the building of integrated decentralised data systems; and technological, operational and strategic issues for next-generation industrial service organisations.

GE Aviation—focused on electrical power and actuation technology, smart composites and metallurgy to enable the delivery of future electronics systems to aircraft and also pave the way towards adaptive wing technologies through the use of new materials.

MoD/Dstl—focused on data intensive systems; signal processing; enhancing the damage tolerance of materials; and the battery-free soldier.

Rolls-Royce—focused on structural metallurgy.

8. EPSRC is actively engaging with the Aerospace Technology Strategy Group (ATSG) and the Aerospace and Defence Knowledge Transfer Network (KTN),and is developing a strategic relationship with AWE.

9. EPSRC has made cyber security a strategic research priority. It is supported as a core theme in the multidisciplinary Global Uncertainties programme supported by all the research councils.

Why is research into cyber security important?

10. Better cyber security research is a fundamental requirement for the effective and reliable information infrastructure on which the UK’s future prosperity relies and for tackling future threats to our security. The dependence of societies on the internet and other network-based services is increasing, not only through personal and corporate use of these services but through the development of the internet of things which are a vital part of the “smart” society, and through energy efficiency developments, improved mobility, adaptability to changing circumstances and events and economic growth. Research and development in the security aspects of these services and associated technologies are vital for the quality and dependability of service from them. Research and training funded by EPSRC is an important underpinning component of better cyber security, and is helping to ensure a critically important UK capability in this area. Researchers funded by EPSRC are already contributing to better cyber security in the UK.

11. The work EPSRC support is carried out in UK universities. Much of the research activity is driven by the curiosity of academic researchers. EPSRC has been supporting research and skill development underpinning cyber security for many years. Much of this research has been carried out in collaboration between the research councils and in partnerships with key agencies including GCHQ, CPNI and Dstl. The UK has world-class research in cyber security, building on internationally renowned ICT and mathematical science capabilities in the universities. There is expertise in computing, mathematics and the sociological and psychological disciplines that shed light on governance issues and on human behaviour and enable the building of better, more resilient systems which are better designed and easier to use. Good cyber security requires long-term underpinning research and skill supply that can keep pace with a fast changing environment and with future horizons.

What cyber security research does EPSRC fund?

12. Research relevant to cyber security issues is funded primarily by the EPSRC’s Information and Communication Technologies theme. The EPSRC investment folio tends to address issues that are technological. It includes everything from fundamental work on quantum computation, cryptology and quantum key distribution through to more human-centred, work which, for example, tries to understand the practice of software engineers or develop methods to detect deceptive behaviour online. There are no technological areas relevant to cyber security in which EPSRC does not fund research, though the level of support varies. EPSRC manages its investment in cyber security as a core priority in the Research Councils UK1 Global Uncertainties2 programme.

13. The Global Uncertainties programme brings together the activities of all seven UK Research Councils to examine the causes of insecurity and how security risks and threats best can be predicted, prevented and mitigated. The programme is managed by the Economic and Social Sciences Research Council on behalf of Research Councils UK (RCUK). Commencing in 2008, it will run until 2018. The total funding of research and related work accredited to the Programme amounts to more than £220 million. It aims to integrate current research investments as well as support new multi-disciplinary research in security. The six core areas are Cyber security; Ideologies and beliefs; Terrorism; Transnational organised crime; Threats to infrastructures; and CBRN.

14. The programme helps governments, businesses, societies and individuals to better predict, detect, prevent and mitigate threats to security. The programme enables more effective co-ordination across RCUK and other stakeholders to maximise the impact of the activities that are funded through:

Facilitating and supporting high-quality, interdisciplinary research that is problem-based.

Co-design, co-production and co-delivery of research and linking research base expertise with end users.

Co-operation in future strategy development with users so that activities are aligned with shared goals.

Shared horizon-scanning activities to identify and respond to emerging challenges and priorities.

15. Engaging with the public and other users to ensure research is addressing relevant questions and issues. The Programme receives external advice on its strategic priorities and direction from its Strategy Advisory Group which has representatives drawn from academia, government, business and the third sector and is chaired by Sir Richard Mottram, GCB, formerly Permanent secretary at the MoD.

16. A list of cyber security-relevant research and researchers funded by the seven Research Councils is maintained and monitored; in practice the vast majority of funding in the area comes from EPSRC.

How much cyber security research does EPSRC fund?

17. Despite some problems relating to the definition and scope of cyber security it is estimated that each year EPSRC spends about £15–20 million supporting the national capability in research and doctoral level training.

18. The estimate for the overall UK annual spend on academic cyber security research is around £40–45 million. About 100 PhD students are estimated to graduate each year, making a significant contribution to enhancing the UK’s capability in better cyber security.

What is EPSRC doing to support the UK national cyber security effort?

19. EPSRC’s funding is provided on the basis of the quality of the research proposed and its strategic need. EPSRC has published a discussion paper to raise the visibility of increasing research in cyber security,3 a Cyber Security strategy4 and a position pamphlet.5 The position pamphlet is intended for a wide audience and contains some useful statistics and case studies drawn from examples of EPSRC investments in UK universities.

20. During the next 15 months, the EPSRC has plans to strengthen the university research community in cyber security, in terms of the links between researchers and suppliers/users, improving the networking between researchers, and investing in innovative new research. EPSRC has entered into a strategic relationship with GCHQ which is helping to focus activities and increase partnerships and coordination of research effort. GCHQ is wishing to engage much more with the science base than previously. This is part of a recent strategy to embrace open innovation. It wishes to create a number of strategic partnerships with universities in cyber security research, but recognises that such partnerships have to be selective to make it effective.

21. GCHQ and EPSRC are jointly pioneering an experiment to create Academic Centres of Research Excellence (ACE) in Cyber Security based on their current level of research activity and reputation. It is hoped that by recognising such centres of research excellence in cyber security the university science base will become less fragmented and collaborations with problem owners will increase. The intention is that the Centres will be widely recognised as having an international research reputation in cyber security and a critical mass of effort devoted to cyber security research. EPSRC and GQHQ wish to regard these Centres as being national centres of excellence in cyber security research in the hope that they will stimulate other organisations engaging with the science base in cyber security. GCHQ plans to put resources in place to establish a relationship with each centre and plans to promote the Centres among its supplier companies and others. This initiative is referred to in the 2011 National Cyber Security Strategy6. EPSRC intends to offer a small grant to each of the recognised ACEs to support their activities as a centre, and help them to engage with business and other users to share problems and expertise. The outcomes are expected to be made public in April 2012.

22. EPSRC also plans to create two Research Institutes in universities of about £3 million each jointly with GCHQ which will influence their scope based on future challenges in cyber security. The first will focus on the science of cyber security and a decision on its location is expected to be made in summer 2012. The content of the second is currently being determined. These are also referred to in the 2011 cyber security strategy.

23. EPSRC also has a strategic partnership with Dstl and it is planned to invest jointly about £2.5 million in 2012 into research in Data Intensive Systems.

24. EPSRC is continuing to facilitate engagement of academic researchers with businesses and other users to maximise the impact of their research through organising research showcases events at which the researchers whom EPSRC funds presents the outcomes of their research to those interested from industry, policy makers and others. The first showcase event was held in November 2011 and attended by over 100 people. Such opportunities to engage with those same businesses and users help to refine the EPSRC approach.

25. EPSRC is liaising with the Cabinet Office’s Office of Cyber Security and Information Assurance (OSCIA), GCHQ, Dstl, the Home Office and BIS. The Chief Scientific Adviser (CSA) to the MoD is a member of the EPSRC Council and EPSRC has close relations with the previous and future CSA of BIS.

Where is cyber security research being carried out?

26. Cyber security research expertise is found, to varying degrees, in around 50 UK universities. Relatively few, however, have large programmes of effort specifically in cyber security. EPSRC invests in significant activity in about a dozen universities. A better picture of the landscape will emerge later in 2012 when the outcome of the initiative to identify academic centres of excellence is known.

What might EPSRC do next?

27. The relatively small amount of resource we have will be used to build on our current portfolio and address strategic gaps, in partnership with other Research Councils through the Global Uncertainties programme and with user stakeholders.

24 February 2012

1 www.rcuk.ac.uk

2 www.globaluncertainties.org.uk

3 http://www.globaluncertainties.org.uk/Image/Cyber%20green%20paper_tcm11-15897.pdf#false

4 http://www.epsrc.ac.uk/ourportfolio/themes/globaluncertainties/strategy/Pages/default.aspx

5 http://www.epsrc.ac.uk/SiteCollectionDocuments/Publications/corporate/CyberSecurityHLP.pdf

6 http://www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy

Prepared 8th January 2013