Defence Committee

Written evidence from Symantec

Executive Summary

Cyber security is no longer just about antivirus and firewalls. The UK Cyber Security Strategy’s acknowledgement of cyber security as a tier one level threat is an indication that the potential impact of cyber related attacks on the national security and defence capability of the UK are recognised.

Discussions on acceptable norms of behaviour in cyberspace and development of specialised cyber defence units show how this topic has been elevated in the international arena.

Given the issues raised by the Committee for discussion it is important to recognise that there is a difference between cyber security and cyber defence.

It is important to understand the changing nature of the current online threat environment, to have the right information at the right time to identify and address key cyber threats and the importance of a multi-layered defence.

Cyber attacks directed against government and critical infrastructures are seen as either targeted/tailored (incidents such as Hydraq and Stuxnet) or massive such as denial of service attacks (as seen in Estonia).

A major security incident that can affect the strategic assets of a country, whether accidental or due to malicious outsiders or insiders, could impact that country’s ability to command and coordinate its military forces.

The more integrated and information–centric the infrastructures of the armed forces or a particular branch, the more the information security threats need to be taken into account.

Effective information and communication technologies can be a key force-multiplier in a combat situation. Therefore the security and control of information and communication technologies becomes a critical component of any national security strategy.

However, it is not enough to consider what the threat is from just the perspective of the military networks and systems, it is important also to understand the potential risks and vulnerabilities that can affect systems that are critical in supporting the armed forces.

Increased technological sophistication of a country’s armed forces has numerous advantages but may also create a new type of information security challenge that is not yet fully understood, studied or realised.

The UK Cyber Security Strategy provides a considered response to the continuously evolving threat of cyber attacks and lays the foundations for required action to reinforce the defensive borders around our connected experiences.

The MoD’s role outlined in the strategy and the importance placed on the need to explore ways to strengthen engagement with industry partners is seen as appropriate and relevant.

Coordination and partnership between public and private sector on cyber related issues is key to addressing cyber security challenges we face.

Given the stealth and asymmetric nature of cyber attacks one of the biggest challenges to be faced is determining the moment a cyber security incident becomes “military” in nature.

A discussion about a proportionate response to an incident also needs to try to determine what constitutes an “act of aggression”. Distinguishing between “acts of aggression” and acts of espionage or cybercrime is particularly complex as malware will combine capabilities that can be used for multiple purposes.

“He who defends everything defends nothing”. Systems will be attacked and inevitably penetrated. It is extremely important that there is some kind of hierarchy of priorities and understanding of the interdependencies so as to be able to focus defensive resources on what needs to be defended the most.

Cyber security threats are a global problem. Development of initiatives that enable the sharing of technical expertise and guidance on addressing cyber security related incidents could strengthen or enhance national and international cooperation and collaboration.

Further joint activities bringing the MoD closer to the technology community could help to identify specific technical requirements, enable industry to demonstrate existing technological capabilities and increase understanding of research developments in this cutting edge and highly technical area.

Issues that may warrant further consideration by this Committee include the importance of recognising that threats can be both external and internal, that the threat is primarily asymmetric, and the opportunity to address these challenges offered by new business models such as virtualisation and cloud computing.

Introduction

1. The recent publication of the UK Cyber Security Strategy and the acknowledgement by the UK government of cyber security as a Tier one level threat are indications that it is now an issue being taken extremely seriously due to the recognised potential impact of cyber related attacks on the national security and defence capability of the UK. The discussions around acceptable norms of behaviour in cyberspace and the development of specialised cyberdefence units in some countries indicate how the topic of cyber security has been elevated in the international arena. This is driven by a belief that networks and the internet have become another “dimension” of the battlefield like ground, sea, air and space. It is also driven by the increased reliance of our societies and critical infrastructure on computers and the internet. In addition there is an increased realisation that cyber-attacks, as a means to achieve an objective, have numerous advantages such as their asymmetric nature and the deniability that comes with them.

2. A key issue that Symantec believes warrants clarification upfront in this submission is the difference between cyber security and cyber defence. Often, in the media and in different discussions, the terms cyber security and cyber defence are used interchangeably. Other terms such as cyber war, cyber terrorism and cyber espionage are also often undefined or used in different contexts. It is important, for the purposes of this discussion, to distinguish the difference between these terms.

3. Cyber security is the activity of protecting one’s information systems (networks, computers, databases, data centres, etc) with the appropriate procedural and technological security measures. In that sense the notion of cyber security is generic and encompasses all protection activities. Cyber defence, however, seems to be a much more specialised activity linked to particular themes and organisations. The distinguishing factors between security and defence in the networked (cyber) environment should be the nature of the threat, the assets that need to be protected and the protection mechanisms applied.

4. The UK is not alone in recognising the threat from the cyber or networked environment that we face today. NATO, in its next generation defence policy, described a number of threats that require consideration by strategists and policy makers. Proliferation of Weapons of Mass Destruction (WMD), terrorism, climate change and cyber-threats are some of the areas of focus for NATO.

5. Cyber security has been a discussion topic for several years, attracting attention from policy makers, industry and the media. Historically this attention was fuelled by concerns of a major malware outbreak that could take over IT systems across the planet in a few minutes, causing substantial damage and disruption. Code Red, Nimda, Sasser and Slammer are a few examples of the threats that highlighted how a widespread infection could travel around the world, sometimes in a matter of less than thirty minutes.

6. But times now have changed. While there are now rarely the major malware outbreaks of the type we saw at the beginning of this century, with the notable exceptions like the Downandup/Conficker malware, what is seen now is a rise in targeted attacks, including incidents such as Hydraq and Stuxnet. The Stuxnet attack is a good example of how malware is being used as part of targeted cyber attacks on critical systems and networks. This is a significant step on from the traditional forms of cyber crime, such as fraud or extortion. What makes Stuxnet special compared to other threats is the malware’s additional ability to steal information and also to cause physical harm by sabotaging the functionality of industrial facilities.

7. Just as the online threat environment continues to evolve, investment in cyber security seems to be increasing, as seen in the UK’s £650 million investment, and so does the focus of policy makers and government officials. In fact, more and more government departments are attempting to procure information technologies and to adopt a posture that links cyber security with national security.

8. The decisive driver for this link is two-pronged. First, it is based on the realisation that information and communication technologies are a key component of the national critical infrastructure. As a result, a major cyber security incident could cause significant disruption to the national critical infrastructure and affect the strategic assets of a country, thus threatening national security. Activity of this type, such as a denial of service attack, can be devastating in a time of national crisis.

9. Second, this link is based on the principle that effective information and communication technologies are a key force-multiplier in any combat situation. In warfare, the ability to project force depends on the effective communication and coordination of those in the field. The objective is to project maximum power with the minimum possible force in the shortest possible time. This requirement has existed from the beginning of time, but it is the technology that alters the means. In short, information is power. Confidentiality, integrity and availability of communicated information are key operational requirements. If one looks at history, effective communication has often played a decisive role in the combat effectiveness and survival of units. Similarly, insecure information and communication technology can have devastating effects on its user and on the partners connected to them.

10. Consequently, security and control of information and communication technologies becomes a critical component of any national security strategy. A major security incident can affect the strategic assets of a country, whether this is accidental or due to malicious outsiders or insiders. Such an incident can affect that country’s ability to command and coordinate its military forces, or could result in it providing vital intelligence to the adversary about the capabilities, intentions and actions of friendly forces. Such a security incident would grant the adversary a decisive advantage over its opponent.

11. The following comments aim to provide input on the specific questions raised by the Committee.

The nature and extent of the cyber-security threat to Ministry of Defence and Armed Forces systems, operations and capabilities

12. For the last seven years, Symantec has produced its Internet Security Threat Report, which provides an overview and analysis of worldwide internet threat activity and a review of known vulnerabilities and trends in areas such as phishing, botnets and spam. The report is based on the most comprehensive source of internet threat data, which is gathered from Symantec’s Global Intelligence Network. This network is based on 240,000 sensors in over 200 countries that monitor attack activities through the deployment of Symantec’s products and services, which actively protect businesses and consumers online. Information on the key findings of the latest Internet Security Threat Report [1], published in April 2010, can be found at the end of this submission.

13. The nature and the extent of the cyber-security threat to the defence sector is dependent on the use of information and communication technologies by a modern army and may vary considerably depending on the characteristics of each branch of service. The more integrated and information-centric the infrastructure of the armed forces or of a particular branch, the more the information security threat needs to be taken into account. In addition, in order to get a complete understanding of the risk, it is not enough to consider the threat from just the perspective of the military networks and systems that can be affected by a cyber-attack. It is also important to understand the potential risks and vulnerabilities that can affect systems that are critical in supporting the armed forces in carrying out their mission, or that hold vital intelligence about the objectives of that mission.

14. It is difficult to fully predict the different threat scenarios in the current interconnected and interdependent environment, especially if one adds the critical infrastructure elements. A lot depends on the objectives of the adversary, its own operational planning and escalation path, as well as the tools and mechanisms at its disposal. Such tools could include the ability to “access” the target to insert the attacking code either remotely or through human intelligence. Depending on the motivation of the attacker, the objectives could range from traditional signalling intelligence, in which case the targeted systems are likely to be communication and information systems, all the way to the creation of a deceptive picture in the command structure, where sensor systems and observation systems such as radars or satellites, or even Command and Control systems, may be targeted. Attacking systems controlling the logistical supply may also be an option in order to limit and strain the regular supply of a running operation. Perhaps the most worrisome scenario of all is a cyber-attack that could render dysfunctional main combat units such as airplanes or ships, or that could limit their operational capability or reliability. These examples are non-exclusive and do not necessarily suggest that there is a vulnerability in any of these areas for the UK armed forces, but rather how a determined adversary could try to use the technological sophistication of a country’s armed forces to attack it in different ways.

15. Moreover the increased utilisation of robotic devices such as drones, battlefield robots and UAVs over the battlefield has numerous advantages, but also creates a new type of information security challenge that is not yet fully understood, studied or realised. Historically the security threat has been linked with the confidentiality, integrity and availability of communications and the use of electronic counter measures against devices and sensors that any armed force (even less technologically advanced) needs to have in the operations theatre.

16. In the area of the use of robotic devices, there are obvious information security challenges linked to the security of communications and the functionality of sensors. However, there is also the additional challenge of maintaining effective control of the robotic device, which—if compromised—could fail in its mission or even be used against its owner. This is even more the case because the technology used in military and other critical infrastructure systems relies, to a degree, on technological components that are commonly used in civilian technologies and applications, including off-the-shelf software. This is very cost effective but opens up the military infrastructures to some of the same vulnerabilities and attack techniques as the civilian space. A number of incidents have recently been reported in the press, where there has been discussion of cases of cyber-attacks against UAVs and their supporting infrastructure.

17. An important aspect of today’s online threat landscape observed by Symantec is the elevated value of information as a target for attack. Attacks on information are more difficult to detect and can be used to generate revenue for those stealing the information, or may enable them to gain a valuable political, economic, technological or military advantage. Given the focus on information-driven attacks, it is important that all organisations are aware of where their critical information assets reside and have in place information management policies and procedures to ensure information is protected appropriately, based on an assessment of the level of risk.

18. Attacks directed against government and critical infrastructures have usually fallen within two different categories. They are either targeted/tailored or massive. They aim either to collect confidential information or to attack and disable the infrastructure, rendering it unusable and inaccessible to its users.

19. Massive attacks usually take the form of denial of service attacks against the infrastructure. Denial of service attacks are easily discovered because their effects can be observed. They result in computers and networks not working because their processing capacity is exhausted by fake requests.

20. Usually these attacks use remotely controlled compromised computers. These are often used without the knowledge of the computer owner, whose machine has been absorbed into a bot network. These “botnets” are created by infecting computers belonging to both individuals and organisations with malicious code that remotely controls them and directs them to issue communication requests to the target that has been selected by those operating the botnet. In addition, botnets are available “for hire” around the Internet, making attribution of the attack even more problematic while providing “firepower” for hire to launch it.
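Paragraphs 19 and 20 describe the two observables a defender has for a denial of service attack: a service whose capacity is exhausted by fake requests, and a botnet that spreads those requests across many compromised hosts. The following Python script is an added example, not part of the Symantec submission, that runs a simple rate-based detection over constructed web-server access log lines. All addresses, timestamps, thresholds and the log lines themselves are constructed for the example; the capacity and per-source limits are assumed values a real deployment would tune to its own service.

```python
"""Added example (not part of the original submission): request-flood detection
over constructed access log lines, from a defender's viewpoint.

Two checks are applied per fixed time window:
  1. a per-source limit, which catches one noisy client;
  2. an aggregate capacity limit, which catches a botnet flood in which every
     individual source stays below the per-source limit.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Simplified Common Log Format: <ip> - - [timestamp] "<request>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def window_start(ts, window_seconds):
    """Align a timestamp to the start of its fixed-size window (epoch seconds)."""
    epoch = int(ts.timestamp())
    return epoch - (epoch % window_seconds)


def analyse(lines, window_seconds=10, per_source_limit=20, capacity_per_window=200):
    """Return (flagged_sources, overloaded_windows).

    flagged_sources: ip -> highest request count that ip reached in any window
    overloaded_windows: windows whose total exceeded the assumed service capacity,
    with a heuristic 'distributed' flag when no single source dominates.
    Thresholds are assumed values for this example.
    """
    per_window_total = Counter()
    per_window_source = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as traffic
        w = window_start(rec["ts"], window_seconds)
        per_window_total[w] += 1
        per_window_source[w][rec["ip"]] += 1

    flagged = {}
    for w, counts in per_window_source.items():
        for ip, n in counts.items():
            if n > per_source_limit:
                flagged[ip] = max(flagged.get(ip, 0), n)

    overloaded = []
    for w, total in sorted(per_window_total.items()):
        if total > capacity_per_window:
            counts = per_window_source[w]
            top_share = max(counts.values()) / total
            overloaded.append({
                "window_start": w,
                "requests": total,
                "distinct_sources": len(counts),
                # Heuristic: if no single source accounts for half the load,
                # blocking individual addresses will not restore service.
                "distributed": top_share < 0.5,
            })
    return flagged, overloaded


def build_constructed_log():
    """Construct the sample log used by this example (not real traffic)."""
    start = datetime(2012, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, second):
        ts = start + timedelta(seconds=second)
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200')

    # Ordinary traffic: three clients, two requests each.
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for s in (1, 2):
            add(ip, s)
    # One noisy source: 50 requests inside a single 10-second window.
    for k in range(50):
        add("203.0.113.9", 20 + k % 10)
    # Botnet-style flood: 60 sources x 5 requests in one window (300 total),
    # each source individually below the per-source limit.
    for i in range(1, 61):
        for k in range(5):
            add(f"192.0.2.{i}", 40 + k)
    return lines


if __name__ == "__main__":
    flagged, overloaded = analyse(build_constructed_log())
    print("per-source offenders:", flagged)
    for w in overloaded:
        print("overloaded window:", w)
```

Run stand-alone, the script flags only 203.0.113.9 under the per-source check, while the botnet window is caught solely by the aggregate capacity check and is marked as distributed. That is the practical point behind paragraph 20: when the load is spread across many hired or compromised hosts, per-address blocking and attribution both become much harder, and the defender needs capacity-level monitoring as well.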

21. Probably the best-known case of a large-scale denial of service attack against a country is Estonia, where attacks lasting several weeks, and using numerous botnets, significantly impacted the government and the critical information infrastructure.

22. The scenario of cyber-attacks preceding military operations as a first strike does not look very remote. The adversary may want to make use of an advantage gained in cyberspace to collect intelligence and disable infrastructure before or during a physical attack. In this way, the adversary achieves the desired effect of incapacitating enemy communications as well as the ability to deliver public messages and propaganda in an effort to “win hearts and minds”. At the same time the adversary limits the number of targets on which it needs to focus military efforts and the exposure of its armed forces to the defensive efforts of its opponent. It can also force the opponent to consume precious resources in bringing its communications back online. The denial of service attacks during the 2008 war in Georgia are a good example of how the ability to broadcast the Georgian side of the story was significantly restricted by a number of distributed denial of service attacks on the already limited Georgian infrastructure.

23. The execution of a targeted attack is done in a stealthy manner. The attacker aims to infiltrate the defences of the victim without detection, and then to collect information as well as elevate their privileges in the network, allowing the attacker to move laterally through the network and establish a foothold, making it all the more difficult to remove if discovered. The purpose of a targeted attack can be either the collection of sensitive information or the alteration, suppression or destruction of sensitive information, or even of the infrastructure on which the information resides. It could even go one step further and combine all these operational objectives. Depending upon the specific characteristics of the malware used, the term “advanced persistent threat” (or APT) is often used to describe some of these very advanced, highly stealthy and very difficult to remove types of malware.

24. The value of collecting intelligence about sensitive financial, technological, political or military information should not be underestimated. A well-deployed attack can yield information that compromises communications and encryption ciphers. It can also give a clear insight into the motivation, plans, strengths and weaknesses of the victim. If, for example, the malware used has the ability to sabotage physical infrastructure (similar to Stuxnet), it can be used to inflict physical damage on infrastructure that is supporting the military effort. In that case, the cyber-attack is used to project power and to demoralise the opponent if or when it becomes aware that critical systems are compromised. In addition, in a crisis situation it calls into question the ability of a party that has been successfully compromised to escalate the crisis to the next level: if there is no degree of certainty that the underlying infrastructure is able to support the effort, confidence is lost.

25. In 2010 Symantec also observed a number of key attack trends, which included a rise in targeted attacks with incidents such as Hydraq and Stuxnet. The Stuxnet attack is a key example of how malware is now being used not only to conduct traditional cyber crime, such as fraud or extortion, but also to launch targeted cyber attacks on critical systems and networks such as, in the case of Stuxnet, those used by the energy sector.

26. The Stuxnet [2] attack targeted energy companies and represented an example of a malware threat designed to gain access to and reprogramme industrial control systems. Stuxnet was able to steal confidential Supervisory Control and Data Acquisition (SCADA) design and usage documents for industrial systems such as those used by the energy sector. The way the attack was carried out indicates that the people needed to develop and execute such an attack were not amateurs. The use of zero-day vulnerabilities, rootkits, stolen digital certificates and in-depth knowledge of SCADA software are all high-quality attack assets, and this usage points to an estimated group of up to ten people being involved in developing this specific, targeted and technically sophisticated cyber attack. In the past, this type of cyber attack focusing on such critical national infrastructure was seen by many as a theoretical possibility; however, it is fair to say that most would have dismissed such an attack as simply a movie-plot scenario. The Stuxnet incident has shown that such targeted, organised threats do exist, where external actors, perhaps motivated by organised crime, terrorism or even hostile nations, are designing, developing and deploying malware in an attempt to gain control of industrial processes and then place that control in the wrong hands. The utilisation of Stuxnet as an attack tool has given food for thought to policy makers, not only because of the resources and skills needed to mount such an attack but also because it constitutes a decisive shift in the thinking and practical use of cyber techniques, beyond the collection of intelligence and information, into actually conducting sabotage.

27. In October 2011 a targeted threat was discovered that shared a great deal of code with the Stuxnet malware. The Duqu [3] threat was essentially a precursor to a future Stuxnet-like attack. Based on Symantec’s analysis, Duqu’s purpose was to gather intelligence data and assets from entities such as industrial control system manufacturers, which suggests that information was being sought to conduct a future attack against another third party, such as a provider of critical national infrastructure.

The implications of the 2011 UK Cyber Security Strategy for the Ministry of Defence; including:
the MoD’s role in cross-governmental cyber-security policy and practice, including the protection of critical national infrastructure;
the relationship of MoD’s actions and planning to the National Security Council, the Cabinet Office and GCHQ.

28. Symantec welcomed publication of the UK’s Cyber Security Strategy in November 2011 and the UK Government’s considered response to the continuously evolving threat of cyber attacks. The strategy document lays the foundations for cyber security to remain a key public policy issue for the UK government and for required action to reinforce the defensive borders around our connected experiences.

29. In particular Symantec welcomed the strategy’s acknowledgement of the scale of the problem facing the UK and the need for a National Cyber Security Programme that can coordinate existing and new activities across different government departments. The role given to the Ministry of Defence (MoD) in coordinating and integrating the civilian and military aspects of the capabilities involved in protecting national UK interests in cyberspace is seen as appropriate and relevant.

30. The allocation to the MoD of the largest share of the overall National Cyber Security Programme budget after the Single Intelligence Account, for mainstreaming cyber in defence, is a welcome acknowledgment of the important role the MoD has to play in coordinating and bringing together cyber security focused activities across the armed forces. The acknowledgement in the strategy that this budget will be used to consider the need for investment in network and equipment, to provide the UK’s armed forces with the capabilities to address cyber threats as and when necessary, is also welcomed. Given the coordination role given to the MoD by the strategy, the establishment of the Joint Forces Command and the Defence Cyber Operations Groups are seen as key vehicles for ensuring the increased development, integration and harmonisation of the UK’s defence cyber capabilities. The importance placed on the need to explore ways for the Ministry of Defence to strengthen engagement with industry partners is particularly welcomed, as it ensures that the emphasis placed on the important role of public-private partnership in addressing the cyber security challenges facing the UK is also recognised and acknowledged by the defence sector.

31. Coordination between the public and private sector on cyber related issues needs to occur at many different levels of the UK internet community, depending on the sector involved, the specific type of threat or the level of seriousness of the threat or risk. For example, internet service providers, security providers, law enforcement, security services and national critical infrastructure protection authorities may be the first port of call and clearly have a role to play in dealing with an incident. At the same time, Symantec recognises that military organisations such as the MoD, and NATO, will also become increasingly active in this area from the national security and national defence standpoint. This move is a recognition of the fact that as soon as the threat becomes military in nature, there is a role for military involvement and an appropriate response. However, industry will continue to play an important role in working alongside the defence sector, given that it is estimated that industry owns around 90% of the critical national infrastructure, and also taking into account the real time information, awareness and intelligence industry retains in relation to the current online threat environment.

32. Having the right information at the right time is, of course, key in identifying and addressing cyber threats. Symantec believes that information sharing is a fundamental component of a modern cyber security strategy and that the development of trusted information sharing networks and systems is a key element in the development of successful public and private cooperation. This is why the role of public-private partnership in addressing cyber security issues is so important and must continue to be a long term overarching public policy objective, through the work of the National Cyber Security Programme and beyond to future strategies and initiatives in this area.

33. The focus in the strategy document on the need for the MoD and GCHQ to work closely together, in light of the responsibilities of these organisations, is understandable given their remits and is seen as appropriate. Given the way in which the National Cyber Security Programme of work is outlined, engagement and coordination of actions between the MoD, National Security Council, Cabinet Office and GCHQ is necessary to achieve the overall objectives of the strategy. Symantec sees the Cabinet Office’s Office of Cyber Security as playing a key coordinating role across all government activities in this area, one that already works well with key partners such as the MoD and GCHQ on aspects related to the more operational responses needed to address cyber related issues.

34. In terms of determining a policy for the role of the MoD and the armed forces, there are a number of significant challenges that planners and policy makers would need to address. The development of doctrines, rules of engagement and the overall policy of how a military organisation needs to plan and act to handle cyber-attacks against its own infrastructure, as well as the nation, can be a daunting task. One of the biggest challenges in a crisis scenario, given the stealthy and asymmetric nature of cyber-attacks, would be to determine the moment a security incident becomes “military” in nature and justifies the involvement of the MoD.

35. Is an attack on a defence contractor, for example, enough to justify involvement of the military on the basis of the fact that the compromise is likely to impact sensitive information of military interest? What would be the “rules of engagement” that would trigger the involvement of the military?

36. Would the involvement of the military be linked to a particular political context, for example escalating tensions with a particular country and the possibility of military confrontation when cyber-attacks are attributed to that country?

37. Or, would military involvement be linked to defending a specific target of military interest, such as the control of a weapons system? Would this extend also to systems that are critical to the performance of military operations but do not belong to the core of the military functions, for example parts of the national telecommunication network?

38. Or would the military be involved in the case of a cyber-attack that would not target defence assets but would be of such catastrophic proportion and effect for the nation that it could constitute the equivalent of an armed attack? An example here could be the use of a cyber attack to sabotage a nuclear power plant.

39. These are very difficult questions to answer and policy makers may well need to leave open some of their options, because any of these possibilities, as well as others we cannot imagine, may lead to situations that justify the involvement and use of defence assets and ultimately of the MoD.

40. Equally, in a discussion about proportionate response to an incident, one would need to try to determine what constitutes an “act of aggression” that would justify military action and what would be a proportionate military action against that aggression versus, for example, acts of espionage or acts of cybercrime that in themselves do not justify in international law the use of armed force.

41. Distinguishing between “acts of aggression” and espionage online is particularly difficult and complex because, as explained previously, very often the malware used as an attack tool will combine capabilities that can be used for multiple purposes. In addition, even if it is possible to determine the motives of the attacker, the attribution of the attack to a particular country, with any degree of certainty, is a significant challenge. The decision to attribute a certain attack is a highly politicised decision that is dependent on the quality of intelligence that can be made available during the time in which the decision needs to be taken. An additional difficulty could also be linking the attacking individuals to the particular government that called for the attack. Obviously the attacker will take steps to cover its tracks. Even in the case of attacks against a backdrop of mounting political tensions between two countries, one cannot exclude the possibility that the attack is mounted by a third country for its own purposes.

42. In a scenario of political tensions, the use of cyber as an escalation tool is another interesting aspect of the debate. What kind of cyber-attack indicates an intention to escalate? Are the cyber attacks happening because the adversary is trying to collect as much intelligence as possible or is it a definitive escalation indication? Is the use of cyber an indication that the other side is preparing for a kinetic conflict and cyber, in this case, serves as a preparatory step? If convinced that the other side will follow the escalation path leading eventually to conflict, should cyber be used as a first strike?

43. It is not surprising that the discussion of proportionate response and ultimately deterrence is riddled with similar challenges. What constitutes a proportionate response to a cyber-attack that is primarily intelligence driven? Is it happening in the context of mounting tensions or while relations are good? Would a cyber-sabotage incident have a catastrophic impact significant enough to justify a kinetic counter-attack? Similarly, how can you effectively deter when many countries will choose not to publicly disclose their capabilities?

44. It is evident that there are no easy answers to any of these questions and that these are points that strategy planners and policy makers will be struggling with for a while as technology develops. Some of the answers will be provided by the development of doctrine and capabilities and of technology. In other cases the answers will be given by the practical implementation of those doctrines into the field and the lessons learned in practice.

How the Ministry of Defence and the Armed Forces are managing and planning responses to threats in the cyber domain; including:
skills, capacity and expertise within the MoD and the Armed Forces, including in research and development;
how MoD and National Cyber Security Programme resources are being used to address cyber-security.

45. From the perspective of the computer security industry, Symantec is supportive of the various activities and initiatives already in place and underway by the MoD and Armed Forces in these areas. For example, UK participation in cyber security related exercises, such as Cyber Storm with the US, is welcomed and supported by Symantec and should continue going forward so that the UK not only plays a leading role in international efforts in this arena, but also has the opportunity to plan and test its skills in dealing with cyber incidents.

46. Another example of an activity in which Symantec has been involved is the UK part of the Coalition Warrior Interoperability Demonstration (CWID) in 2007 and 2008. This was one of the world’s largest demonstrations of new military technology, and included cyber related capabilities.

47. While the UK must address its national response and management of cyber security incidents, it must not be forgotten that cyber threats are a global problem. It is also important to consider greater or strengthened international co-operation and collaboration between countries in planning for and managing cyber incidents that may impact more than one country. This planning should involve not only the action needed before an incident occurs but also the cooperation and collaboration that may be needed during and after a cyber incident. It is therefore suggested that the development of initiatives that can enable the sharing of technical expertise and guidance on how to address cyber security related incidents could be a way to strengthen or enhance national and international cooperation. The establishment of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia is an example of a project that has developed to foster greater understanding and sharing of expertise on how to plan for and react to cyber related incidents. Although cooperation at a European or international level is important, this should not be a substitute for countries taking a national approach appropriate to their level of maturity, identified risk and therefore specific requirements.

48. Moreover, it is suggested that the UK MoD could work closer with industry in order to identify promising security technologies and research that could be used in the military domain. The MoD could identify areas of research in cyber technologies that could receive national funding from UK R&D efforts. These technologies could then be piloted and evaluated by the MoD in its efforts to develop new and additional capabilities. In addition the MoD might consider joint activities with industry that could help to identify specific technical requirements and enable industry to demonstrate existing technological capabilities and solutions that could address those technical needs.

49. Such actions would bring the MoD closer to the technological community and would allow it to get a better understanding of the research developments in this cutting edge and highly technical area. It would also allow for better development of tools to meet the specific needs of the MoD, ultimately creating a virtuous economic circle of linking research and technological development with actual operational needs.

Issues That Merit Further Discussion/Consideration

50. When discussing cyber security and cyber defence and the current threat environment, one needs to bear in mind some of the following key factors, which may warrant further consideration by this Committee.

The threat is obviously external

51. While this may be the case, it should also be remembered that the threat is also very much internal. The internal aspects could include well-intended insiders, who did not mean to cause harm and could simply have lost information, as well as malicious insiders who deliberately attempted to steal information or disable the infrastructure. Any information security strategy needs to be able to monitor against both internal and external threats. This is the case for any organisation, but even more the case for the MoD, which should assume that it is the target of both technical and human intelligence efforts.

The threat is primarily asymmetric

52. This means that very significant damage can be done to valuable information or infrastructure despite considerable security investments. This could be the result of the use of means and methods that are disproportionately less resource-intensive in comparison to those used by the defender. This very asymmetric nature of the threat can potentially lead to some very challenging threat scenarios in the future, especially when operations in a battlefield are becoming more and more unmanned. These types of technologies are easily and readily purchased; they can be procured not only by heavily funded organisations but also by groups or individuals with malicious intentions or who want to make names for themselves. At this stage cyber attacks aim to steal confidential information or disable a system by disrupting it or making it unavailable. In the future it is not inconceivable that we will see attempts to take over a system and to use it against its owners.

The world we live in is increasingly interconnected

53. Information and communication technologies impact every facet of our daily life. In fact, the malfunction of those technologies could have unexpected consequences for systems that we consider safe or that we reserve exclusively for usage for our own defence. There have been reported cases of weapon systems, such as fighter planes and warships, being impacted by cyber attacks (which at the time were not targeted). We therefore need to be mindful that such technology has the potential to be used also for real military operational implementation. Given the interconnected nature of the world today, a morale element also plays a part in military operations and at times of national crisis. The enemy certainly has the ability to attack tactical communications, but there is another avenue that they can take as well. Critical infrastructure networks could also be vulnerable to these types of attacks. This premise leads back to the perception of power projection, showing the enemy that their own strategic assets are at risk, anywhere, anytime, affecting their lifeline without even a gunshot being fired. In many ways the ancient saying of Sun Tzu that “the great general wins battles without having to fight” comes closer to being true.

Need to look ahead

54. When discussing protection from any kind of threat, especially technological ones, it is necessary to bear in mind that the world is changing and so is technology. The striving for security is very much a moving target. The discussion about cyber defence and critical infrastructure is addressing some aspects of the current threat landscape, but technological paradigms, as well as threats, evolve together. Virtualisation and cloud computing promise the next wave of technological evolution in the way we manage desktops as well as data centres. It is yet unclear how the business model of cloud computing will evolve or what the consequences of wide-spread deployment “to the cloud” will be. There are a number of ideas about the creation of multiple clouds, some dedicated to particular entities such as the government. Existing technological solutions suggest that the ability to detect targeted attacks, such as phishing or malware, would be a lot more effective in the cloud than at the desktop level.

55. Delivering security over the cloud offers increased effectiveness because it is possible to identify attacks and suspicious behaviour more easily when data from multiple sources is aggregated together. It also has significant scaling advantages, as large cloud providers can invest in sophisticated monitoring and dedicated security personnel that are shared across a customer base where any single customer may not be able to justify the cost. The same argument can also apply to making it easier for a cloud provider to invest in multiple data centres and connectivity to provide a level of redundancy. Finally, if an issue is detected in a cloud environment that affects one single customer, this issue can be fixed once and the protection is shared across the entire customer base. If a new threat against a single customer is identified, the protection put in place to mitigate that threat is shared across all customers, so that they are protected even if they are not (yet) exposed to the new threat. In addition, the existence of a cloud layer provides an additional layer of defence and therefore increases the strategic depth of the defender and the number of security layers that the attacker needs to penetrate successfully in order to have an impact.

27 February 2012


Prepared 8th January 2013