Defence CommitteeWritten evidence from McAfee

Executive Summary

McAfee welcomes this opportunity to respond to the Defence Select Committee’s inquiry into Defence and Cyber-security. As the world’s largest dedicated security company, McAfee is at the forefront in combatting the cyber-threat for a range of stakeholders including governments, public and the private sector, and individuals.

We welcomed the elevation of the cyber-crime threat to “Tier 1” status in the National Security Strategy (NSS) and the Strategic Defence and Security Review (SDSR). Protecting against cyber-attack requires action at many levels. Implementing technological solutions is vital but the skills, behaviour and attitudes of personnel are equally crucial.

McAfee also welcomes other initiatives by the Government in raising awareness of or combatting the cyber-security threat, such as the London Conference on Cyberspace, the Cabinet Office Cyber Security Strategy (CSS) and the creation of the Defence Cyber Operations Group (DCOG).

As a leading authority on cyber-security, McAfee believes that it is more important than ever before for the Ministry of Defence (MoD) and Government to undertake in-depth, regular reviews of the evolution of the cyber-threats the UK faces. The best-in-class tools we have developed and have at our disposal coupled to the unrivalled experience we have in this specialised area, we believe, can enable the Government to do this in the cyber-security space.

By undertaking regular risk assessments of the cyber threat the Government can have a more adaptive strategy to prepare against the dangers of cyber-attack, malware and other threats. However, in what are difficult financial times it is important for the Government to work in tandem with the private sector, and draw on the wide range of technical expertise and experience that they have to offer. McAfee, for example, undertakes regular studies of the ever-changing cyber-threats, such as our recent Night Dragon, Shady RAT and Operation Aurora reports.

This is a problem that can affect all parts of government, and so the response must be equally wide-reaching. Rather than simply continuing to use suppliers to fix and patch systems that fail or come under attack, a systems integrator for the whole of government could be adopted; the issue is just as important to the Department for Work and Pensions for example, as it is to the MoD. This would provide a more cost-effective solution that is proactive, rather than reactive to this ever growing threat.

Issue 1: The nature and threat of the cyber-security threat to the Ministry of Defence and Armed Forces, operations and capabilities

1.1 The cyber-threat is a complex one and one that is growing daily. As reported in our Threats Report for the Third Quarter of 2011, there were 70 million malware samples collected by McAfee and stored in our “malware zoo.” As recently as October of last year, Foreign Secretary William Hague confirmed that on average British Government and industry computer systems face over 600 cyber-attacks every day.

1.2 Following the elevation of the cyber-threat to “Tier One” status in the NSS, cyber-security has suddenly become a far larger part of the nation’s defence. McAfee welcomed the recognition of this through the commitment of additional resources and new organisations (eg DCOG) in this regard.

1.3 McAfee has frequently seen cyber techniques complement traditional methods of intelligence or espionage operations with many players accusing others, friends and foes alike. It is a very low-cost way of spying, always leaving room for plausible deniability, does not endanger human lives and at present is highly effective. What is yet to be seen on a larger scale is the use of cyber as part of the arsenal in an armed conflict. So far this has been witnessed only on a rather small scale with very limited sophistication of the attacks, for example, in the Georgia conflict.

1.4 However, the situation is now beginning to change. Many countries realise the crippling potential of cyber-attacks against critical infrastructure and how difficult it is to defend against them. Their potential opens up opportunities for attack by small countries or organizations, particularly if there are few targets to strike back against. The Stuxnet attack on Iran’s nuclear facilities was a game-changing event in many aspects; one of them was to make it absolutely clear that the threat is real and what impact such attacks could have.

1.5 Given the nature of its business and responsibilities, the Ministry of Defence (MoD) is one of the most attractive and high-profile targets for cyber-attacks. These types of attack can range from the basic; such as fake anti-virus, spam emails and malicious websites, to the complex and highly dangerous; such as advanced malware, remote access tools (RATs) and attacks on portable devices that handle sensitive material such as mobile phones and laptops.

1.6 There is also the increasing threat of cyber-espionage. While Government systems have been the traditional and obvious target for cyber-attacks, attention is now also focusing on the suppliers of the equipment our Armed Forces use. For example, it was recently reported that the Pentagon was assessing whether Chinese espionage (specifically Chinese hackers actually sitting in on what were supposed to have been secure, online program-progress conferences) was the reason behind the delays and cost increases of Lockheed Martin’s F-35 Joint Strike Fighter programme.

1.7 If Britain’s adversaries are gaining access to information on technology and equipment that is in service or intended to be procured for our Armed Forces, this could seriously compromise the capability and ultimately the safety. One way to insure against this type of threat is for Government to ensure that those companies who work with the Government on matters relating to the Armed Forces or national security comply with minimum security standards to protect sensitive data.

1.8 Operation Shady RAT was a recently completed investigation of targeted intrusions into more than 70 global companies, governments, and non-profit organizations during the last five years.1 It showed an historically unprecedented transfer of wealth — closely guarded national secrets (including those from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition configurations, design schematics, and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

1.9 Another aspect of the cyber-espionage threat to industry and Government is the level of awareness and knowledge of the threat by individual employees and civil servants. Malicious websites or programmes encrypted onto fake free or promotional USB devices or CDs that are then loaded onto computers by the user, threats to mobile devices or using work equipment to log onto unsecure networks away from the office can all present vulnerabilities that can be exploited by cyber-attackers. Given this danger, it is vital that individual employees, both in Government and industry, are alerted to the dangers that now face them.

1.10 In this regard, McAfee welcomed the MoD’s “Think before you share” campaign, designed to encourage Service personnel and MoD civilians to carefully consider possible repercussions before posting information on social networking sites. Indeed it is similar to McAfee’s partnership with Facebook to provide users with free advice and tools on how to protect against cyber-threats that they may encounter on the social networking site and elsewhere. Initiatives such as this are a step in the right direction, however, such campaigns could and should be promoted further across Government and industry.

Issue 2: The implications of the 2011 UK Cyber Security Strategy for the Ministry of Defence, including;

The MoD’s role in cross-governmental cyber-security policy and practice, including the protection of critical national infrastructure

The relationship of MoD’s actions and planning to the National Security Council, the Cabinet Office and GCHQ

2.1 McAfee welcomed the publication of the UK Cyber Security Strategy as a method of setting out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.

2.2 The Strategy has major implications for the MoD because it is the most prominent Department in terms of both carrying out and defending from cyber-attacks. McAfee also welcomed government plans to share tactics and technology with businesses. Effective cooperation between Government and industry is a vital component of the Government’s cyber-security plans in terms of enabling Government to draw on the extensive knowledge and experience within the private sector, while imparting its own requirements and issues to enable the private sector to better use its resources.

2.3 With regard to Critical National Infrastructure (CNI) protection, the MoD has an important role to play. Many of its functions are reliant on the continued functioning of CNI and so it is vital that they are adequately protected. An added dimension to this is that the majority of CNI is owned by the private sector, so it is equally important that those companies that own CNI assets are aware of and protecting against the cyber-threat.

2.4 Threats to CNI networks have recently garnered a lot of attention, and there is a very good reason for that; it is one of the few areas in which a cyber-threat has the potential to threaten real loss of property and life. A survey of global cyber experts in the Security & Defence Agenda’s latest report; “Cyber-security: The vexed question of global rules” (which was sponsored by McAfee) showed that damage or disruption to CNI is seen as the greatest single threat posed by cyber-attacks.2 43% identified this as a national threat with wide economic consequences, while 45% view cyber-security as important as border security.

2.5 Starting in November 2009, coordinated covert and targeted cyber-attacks have been conducted against a specific aspect of CNI—global oil, energy, and petrochemical companies. These attacks have involved social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of RATs in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations. McAfee conducted a detailed study of the attacks on this particular sector, which we named “Night Dragon”.3

2.6 Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defence industrial base, Government and military computers to include global corporate and commercial targets. While Night Dragon attacks focused specifically on the energy sector, the tools and techniques of this kind of attack can be highly successful when targeting any industry. Our experience has shown that many other industries are currently vulnerable and are under continuous and persistent cyber-espionage attacks of this type, particularly the defence industry. More and more, these attacks focus not on using and abusing machines within the organisations being compromised, but rather on the theft of specific data and intellectual property.

2.7 The relationship between the MoD, National Security Council, Cabinet Office and GCHQ is a complex one, but one that must be managed correctly and work effectively with regards to the continually evolving nature of the cyber threat. The MoD must coordinate its actions and planning with these and other Departments to ensure that there is a comprehensive cross-governmental approach, rather than numerous strategies from each body or department that could result in confusion, confliction and duplication which will in turn lead to rising costs.

2.8 A single, uniformed approach from Government in relation to cyber-security is the most desired outcome, and the outcome that will deliver value for money, comprehensive protection and provide clear guidance for industry and opportunities for cooperation and sharing of knowledge and expertise. Given that the Cabinet Office published the CSS, this could be the Department that is given overall ownership and leadership on such a uniformed approach to provide direction to the rest of Government.

2.9 The CSS is a welcome step in this direction and provides a uniform strategy for cyber-security. However, while it is an effective document in terms of identifying the needs and shortcomings of the Government, it needs to be accompanied by a more detailed implementation plan and set of measurable targets.

2.10 In addition and with regard to the above-made points on CNI, because much of the UK’s CNI is owned and operated by the private sector but yet is vital to the operation of Government and every-day services, it is therefore important that there are minimum security standards imposed on those companies that own CNI assets. A minimum standards register could be compiled by the Government and either made a pre-condition to be met by a private sector company before a purchase of a CNI asset, or applied retrospectively. Government could also consult private sector technology security companies such as McAfee on the appropriate standards that should be met. The SDA report provides evidence for such a need. Of those surveyed for the report over two thirds (67%) saw the need for more government regulation in the private sector.

2.11 In order to build up trust in the private company-to-private company and private company-to-Government relationships, pilot programmes could be conducted as has taken place in other countries. For example, as a result of growing fraud the US financial services set up the Financial Services Information Sharing and Analysis Centre to share information on attack techniques and cyber-threats to the banking systems. On a smaller scale, the 238 member Belgian Financial Sector Federation does similar work using freelance experts.

2.12 Indeed, the SDA report shows a desire for such action. While the majority saw such exercises as important, only one fifth surveyed in the private sector had actually taken part in such an exercise.

Issue 3: How the Ministry of Defence and the Armed Forces are managing and planning responses to threats in the cyber domain, including;

Skills, capacity and expertise within the MoD and the Armed Forces, including in research and development;

How the MoD and National Cyber Security Programme resources are being used to address cyber-security.

3.1 The MoD and Armed Forces are taking active steps, both independently and in coordination with the rest of Government, to manage and plan for the cyber-threat. The £650 million in funding announced in the SDSR, formation of DCOG, the CSS, consideration of cyber issues in the recent White Paper and the appointment of a SRO in Government for the security industry are all part of a welcome response to this threat, providing both recognition of the challenges we face and the shortcomings in our capabilities that need to be addressed.

3.2 There is measurable and demonstrable evidence that this effort is achieving success. The SDA report, which featured a country-by-country stress test of resilience to cyber-attack, gave the UK a score of four out of a possible five. This places the UK level with countries including the US, Germany, France Spain and Denmark, and only just behind Israel, Sweden and Finland who scored 4.5 out of five. No country obtained five out of five.

3.3 However, as mentioned above there needs to be a clear plan of action as to how the aims and vulnerabilities identified in the various strategies and reports that Government has produced are to be addressed. This can be achieved by working in partnership with private sector security companies who can assist in identifying the best method to achieve the aims of Government policy.

3.4 Indeed, such efforts have already occurred, such as the Science & Technology Committee’s seeking of a demonstration on cyber-crime from McAfee and Symantec. But this is only a small example of a Committee, which can only recommend not form Government policy, acting under its own initiative to further develop and expand its knowledge. Similar and indeed larger endeavours need to be undertaken by Government in order for it to benefit from the wealth of knowledge and experience that the private sector possesses.

3.5 The survey in the SDA report confirms this need. It found that in both the private and public sectors, 56% highlighted a coming skills shortage as a future concern. The MoD’s recent White Paper: “National Security Through Technology” also highlighted the need for industry and Government to cooperate more closely and to find “new ways to work together, establishing agile partnerships that can meet the changing cyber challenge.”

3.6 One example of an effective Government-private sector partnership in the cyber domain is McAfee’s work with the US Department of Defense (DoD) on its Host-Based Security System (HBSS) programme. Through the HBSS programme, the DoD is deploying McAfee’s Host Intrusion Prevention and ePolicy Orchestrator software packages to centrally manage the security of more than 5 million servers, desktops and laptops (hosts).

3.7 Such a situation does not entail a reliance on only one private sector supplier, however. McAfee worked in partnership with Northrup Grumman to install HBSS software on the US Air Force’s Non-Classified Internet Protocol Router Network, with 500,000 hosts installed with the protection over a six month period. McAfee also has 75 third-party companies whose products can be managed through this platform. HBSS also provided the DoD with a siloed approach to cyber-security; while one company was responsible for the overall integration of the programme, individual needs were siloed and managed by different contractors, thereby avoiding reliance on a single contractor.

3.8 The HBSS system provides system administrators with a significant improvement in situational awareness, allowing them to better respond to cyber-attacks, and also enables the DoD’s Defence Information Systems Agency to collect and correlate alarms as cyber-attacks occur.

3.9 McAfee’s relationship with the DoD is leading to improvements in our commercial offerings. For example, the ePolicy Orchestrator now features a three-tiered architecture that was required by the military, enabling security policies to work from the top down, while situational awareness moves from bottom up. At the same time, work with established Government departments, in this case the DoD in the US, provides McAfee with an excellent reference for future work with potential private sector clients. (More information on HBSS can be found in Annex 1.)

3.10 Overall, McAfee feels that the MoD and wider Government have made great strides since the National Security Strategy in identifying the needs of the UK to respond to the cyber-threat and in providing strategies as to how this threat can be met. However, more needs to be done in terms of the implementation of these strategies, and in these difficult economic times the Government cannot afford not to cooperate with technology security companies such as McAfee and draw on their extensive experience and knowledge to meet the ever-evolving nature of the cyber-threat.

21 February 2012

Annex 1

MCAFEE PARTNERS WITH US DEPARTMENT OF DEFENSE TO DELIVER ON KEY IT SECURITY REQUIREMENTS

McAfee launched an open architecture technology programme, largely in response to the needs of one of its largest customers, the U.S. Department of Defense (DOD).

McAfee technology underlies the largest IT security deployment within the DOD, the Host Base Security System (HBSS), which provides multi-layered threat protection for between 5 to 7 million host platforms worldwide. HBSS was launched after the DOD decided that host computer defence was critical to the protection of the Global Information Grid, and the system is mandated for installation on all unclassified and classified systems in the department.

McAfee® Host Intrusion Prevention solutions are the underlying technology of HBSS, providing monitoring, detection, and counters to known cyber-threats to the DOD’s enterprise architecture and delivering integrated security capabilities such as anti-virus, anti-spyware, whitelisting, host intrusion prevention, remediation, and security policy auditing.

Recently, McAfee partnered with Northrop Grumman to deploy HBSS for the Secret Internet Protocol Router Network (SIPRNet) within the US Air Force. SIPRNet is the communications backbone of the DOD that facilitates the exchange of classified tactical and operational information at the secret classification level for both the Air Force and other branches of the US Armed Services. McAfee has also partnered with Northrop Grumman in the UK to deliver the company’s cyber-test range, which was opened by Defence Minister Gerald Howarth in October 2010.

In deploying HBSS, the DOD wanted an open framework that would enable the department to plug in any number of solutions from different vendors. Largely in response to this need, McAfee initiated a technology partnering programme called the McAfee Security Innovation Alliance. The purpose of the McAfee Security Innovation Alliance programme is to accelerate the development of interoperable security products and simplify the integration of those products within complex customer environments.

McAfee security risk management solutions are at the heart of the McAfee Security Innovation Alliance programme, allowing organisations of all sizes to benefit from the most innovative security technologies. They now can simply snap into the McAfee management platform, McAfee ePolicy Orchestrator® (McAfee ePO™) software. Today, more than 100 technology partners across Europe, North America, the Middle East, and Australia have joined the alliance.

We believe that the McAfee Security Innovation Alliance programme provides an important value proposition for government and commercial customers who do not want to be locked into a single vendor.

1 Revealed: Operation Shady Rat, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

2 Cyber-security: The vexed question of global rules, http://www.securitydefenceagenda.org/Portals/14/Documents/Publications/SDA_Cyber_report_FINAL.pdf

3 Global Energy Cyberattacks: “Night Dragon”, http://www.mcafee.com/ca/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

Prepared 8th January 2013