Defence CommitteeWritten evidence from Raytheon UK

Introduction

Raytheon UK would like to highlight the following areas for the Defence Select Committee inquiry into Cyber Security as it relates to the Ministry of Defence (MoD) and the Armed Forces.

Education

Skills and Cyber Subject Matter Experts

1. Raytheon UK would like to highlight the importance of education and information assurance awareness for cyber security. At every level the cyber threat can be mitigated by general awareness and safety conduct guides for IT users. Such awareness may not have been traditionally studied as part of the national curriculum. Where appropriate the inclusion of specialised cyber security modules within the traditional military educational establishments could support individuals interested in this field to nurture and expand their skills, particularly those tasked with computer network defence; attack and exploitation; and information assurance. Raytheon UK would highly recommend that this is done in partnership with industry and academia to ensure these modules can be adapted in a very fluid cyber threat environment.

Cyber awareness within the MoD

2. All employees should have a general awareness of how to protect and deal with a cyber threat and this training should be mandatory. Training solutions should be considered at all levels from the executive through to the practitioner level and rolled out within the MoD. Individuals and organisations need to be prepared with the knowledge and confidence to excel at computer network defence; attack and exploitation; and information assurance. By using virtual classrooms, Computer Based Training (CBT) and traditional classroom based activities, MoD personnel can be kept informed of how to detect, identify and respond to the many types of cyber threats as quickly as possible whatever location they may preside at. This must be a key cog in the MoD’s Cyber Incident Response strategy.

Sensitivity of Information & Sharing

Cross sector collaboration with MoD

3. The role of the MoD in cyber security policy and implementation needs further clarification. We welcome the emphasis that the Defence White Paper has given to cyber security and the creation of the Defence Cyber Operations Group (DCOG) launched in April 2012, but industry needs further details on who will lead cyber security within the MoD and how cyber measures will be implemented through the newly formed strands and how the MoD will interact with other government departments such as OCSIA and GCHQ. Cyber security is one area that requires cross government and cross sectoral interaction to make the best use of resources and investment.

4. Raytheon UK are already collaborating with industry through the Intellect and ADS Virtual Task Force on Information Sharing. We would like to see how the MoD intends to ensure sensitive information is shared with industry to ensure it’s supply chain is secured.

Research & Development

5. In order to help industry to develop the right solutions Raytheon UK would welcome a roadmap of cyber requirement and intended investments to be made by DSTL and MoD over the next 5 years. This can only be done in collaboration with industry and academia. R&D needs to be maximised with as many stakeholders as possible, to ensure security is in the design of systems going forward and cyber attacks are an acknowledged “almost expected” risk.

Future Collaborations

6. UN, NATO and the EU, through the European Organisation of Security, are looking at setting standards on cyber security and ways in which a country will deal with an attack. The UK needs to be clear on how it is co-operating with these institutions and how it intends to flow down the decisions to industry in a timely manner, again securing its supply chain.

7. Promoting greater levels of international cooperation and shared understanding on cyber crime needs to continue on the international platform. The Foreign and Commonwealth Office led conference on Cyberspace in 2011 should see involvement from the Ministry of Defence also. An understanding on how the new EU Directive on information systems and the implications of security provisions from the EU Data Protection Directive will impact suppliers and their system designs should be considered as early on as possible.

27 February 2012

Prepared 8th January 2013