Defence Committee

Further written evidence from the Ministry of Defence

Issue

Question One

1. How does the difficulty of definitively attributing actions in cyberspace affect the value of cyber defence as a deterrent?

Key Points

2. HCDC Chair is invited to note that:

(a) in general, deterrents are improved as lessons are learnt from breaches of those deterrents—this is the case within cyberspace;

(b) definitive attribution is not always a requirement to establish an effective deterrent;

(c) whilst conventional deterrents can mitigate the risk of attack, they do not always prevent an attack;

(d) Cyber deterrents are effective even if definitive attribution is not achievable; and

(e) as a greater understanding of others’ Cyber capabilities is gained, the psychology and logic of Cyber deterrence can also be evolved.

Detail

Overview

3. The MOD defends its Cyber networks to maintain Information Superiority by operating freely within cyberspace. Existing Cyber defence techniques provide both a deterrent to potential adversaries and a defence against determined hacktivist or state-sponsored actors. The ability to detect an attack is key to ensuring that the Department’s cyberspace remains secure; complementing detection with the tools, techniques and procedures to neutralise any cyber incident ensures that Cyber defence, within the MOD, remains an effective deterrent.

4. The ability to definitively attribute an attack would be an advantage; however, what is more important, with regard to defending the Department’s cyberspace, is having the capabilities to identify the “command and control” server of an attack along with the country, or region, which is hosting that server. This knowledge enables the decision-makers to facilitate processes, both technical and diplomatic, to deactivate the threat. Definitive attribution is therefore not a requirement for cyber defence to be an effective deterrent; this position is supported in the following paragraphs.

Cyber deterrents and definitive attribution

5. Due to the ability of perpetrators to operate with a large degree of anonymity within cyberspace, the process for definitively attributing responsibility for Cyber attacks is recognised to be both challenging and time consuming. Authoritative attribution of Cyber attacks to an individual, or group, would need to be achieved through an analysis of intelligence acquired from a number of sources. These sources would range from highly complex Cyber forensics tools to non-technical traditional intelligence gathering methods. However, this situation is not unique to the ubiquitous electronic information environment bounded by the term “cyberspace”, as similarities can be drawn from historic events where definitive attribution was not a necessary requirement for decision-makers to associate culpability and decide on a proportionate response. Furthermore, definitive attribution of an act of aggression, or Cyber attack, is not always necessary, as knowledge of “where” rather than “who” an attack has emanated from is sufficient to instigate defensive deterrent measures.

Conventional deterrents

6. Deterrents against conventional/traditional acts of aggression, including a nuclear capability, are effective for a number of tried and tested reasons. These include an ability to definitively identify an aggressor and a legal platform, and willingness, to instigate defensive measures. However, there are many examples where acts of aggression have not been definitively attributable to a specific perpetrator although the responsibility for the act has been publicly linked to a country, or group of individuals operating on behalf of a country. In these situations, the usefulness of conventional deterrents has not been questioned; instead they have been reviewed for effectiveness. Deterrents are bolstered to ensure that existing defensive processes are able to further mitigate the chances of future successful attacks. In general, deterrents are improved as lessons are learnt from breaches of those deterrents—this is the case within cyberspace.

Conventional deterrents—Definitive attribution

7. The mistaken NATO bombing of the Chinese Embassy in Belgrade in 1999 instigated a series of attacks against US interests in various countries. Following the bombing, Chinese civilians, some in organised groups, attacked the American embassy in Beijing, and in other locations. The deterrent response by the USA was to engage with those assumed to be attributable (ie, the Chinese government) for a diplomatic solution and not to target the specific perpetrators (ie, those who were definitively attributable). On this occasion the diplomatic approach successfully deterred further attacks and the status quo was regained. This highlights that the important factor was knowing “where” the attacks were believed to be instigated from and not “who” was responsible for the specific acts of aggression. Definitive attribution is not always a requirement to establish an effective deterrent.

Conventional deterrents—Terror attacks

8. The 1988 Lockerbie bombing, which killed 270 people and instigated a significant international incident, was immediately attributed to Libya. The definitive evidence to identify exactly who was responsible was not available until many years later and it took until 2003 for Libya to accept responsibility for the bombing. Despite the lack of definitive attribution many sanctions were imposed on Libya as a direct result of this bombing. The main deterrents against the bombing of aircraft, ie, airport security and the threat of criminal prosecution, were significantly strengthened and internationally communicated. Despite these improved deterrents and warnings of repercussions to protect civilian air travel, the perpetrators of the 9/11 attacks on the USA were not put off or prevented. Following 9/11, the next stage of deterrents was instigated which included a significant renewal and reinforcement of airport security processes and direct action against the organisation, and not the individual, to which the attacks had been attributed. Whilst conventional deterrents can mitigate the risk of attack, they do not always prevent an attack.

Cyber deterrents—Case study

9. From mid-December 2009 to early January 2010, the Aurora virus attacked a number of US commercial companies, one of which was Google. Whilst Aurora has not been definitively attributed, a number of organisations, including Google, publicly stated that Aurora was a Chinese state-sponsored attack. In response to the attack, Google neutralised the threat through Cyber defence techniques and then threatened to remove its presence and services from China as a deterrent. No definitive attribution was ever established. In February 2010 the Chinese government identified and shut down a large hacker training site located within China, arresting a number of individuals. Whilst cause and effect have not been definitively attributed to either the Chinese government or Google’s deterrent actions, this does demonstrate that Cyber deterrents are effective even if definitive attribution is not achievable.

Cyber deterrents—The future

10. The proliferation of inter-connected information networks, and MOD’s reliance on them, will command an evolution of the deterrent techniques adopted, and the defensive measures employed, within the Cyber domain. As a greater understanding of others’ Cyber capabilities is gained, the psychology and logic of Cyber deterrence can also be evolved. The ability to definitively attribute a Cyber attack does not need to be achieved for Cyber to be an effective deterrent. Attributing a Cyber attack to the country, or state, from which it emanated would provide the diplomatic leverage necessary to maintain, and enhance, the effectiveness of Cyber as a deterrent. The Cyber domain is now considered alongside the land, maritime and air domains, and countries, or states, will potentially be responsible for protecting their Cyber boundaries in the same way they police their land, maritime and air domains.

Summary

11. The difficulty of definitively attributing acts of aggression against the UK’s interests is not new. The examples given show that for deterrents to be effective, definitive attribution is not always necessary. The examples also demonstrate that for deterrents to remain effective they must evolve to meet the new and innovative techniques of potential aggressors. As such the MOD is adopting a series of cyber defence measures which, taken together, aim to raise the cost of attacks and to create an environment which is not permissive for attackers—this can range from law enforcement action (Budapest Convention), through development of international norms, to improved security and intelligence.

Issue

Question Two

1. The Minister referred to a programme of strategic studies being carried out by the Defence Academy “to look at the implications of developments in cyberspace in terms of the environment in which our future security challenges will be managed.” We would be grateful for more information about this programme of studies and how it is expected to inform planning for the next Strategic Defence and Security Review?

Key Points

2. The HCDC Chair is invited to note that:

(a) the Seaford House Cyber Inquiry, led by the Royal College of Defence Studies (RCDS), was initiated in December 2011;

(b) the first report on the Cyber Environment will be published in July 2012; and

(c) the final report will be issued in February 2013 and provide an evidence base to facilitate SDSR 2015 strategic thinking for Cyber.

Detail

3. In December 2011, the Defence Academy—RCDS (Seaford House)—initiated an Inquiry to set a broader strategic context for Cyber, using multiple sources and methods to generate a fresh perception and to surface critical insights which may potentially reframe the basis of current thinking on Cyber. The Seaford House Cyber Inquiry is led by Ms Sue Ambler Edwards (RCDS—Head of Strategic Planning) with Mr Hardin Tibbs in support. Work began in February 2012 and will generate an unclassified report for Government and public application in February 2013. Findings which are not appropriate for public consumption will be filtered through the MOD.

4. The Inquiry will report quarterly to the Review Board which consists of senior “Cyber” leaders from within the MOD, Cabinet Office and Foreign and Commonwealth Office. Monthly meetings are conducted with a stakeholder Reference Group drawn from the MOD, Other Government Departments (OGDs), Industry, Academia and the Science community. The Inquiry will generate an outline report on the Cyber Environment in July 2012 before moving on to examining the implications for MOD and OGDs in preparation for the final report in February 2013.

5. The Inquiry will conduct an in-depth exploration and analysis of emergent social, technological and economic factors that will define the Cyber arena over the next three to eight years (2015 to 2020). Global stability and security implications for the UK Government and MOD will be assessed as an input to SDSR 2015. The Inquiry is a qualitative sense-making exercise using a hybrid of “soft-systems” and “futures thinking” approaches. It draws on participation by a wide range of stakeholders to capture and reflect multiple perspectives and worldviews, and will incorporate current social and complexity science findings about the impact of information and networks on communities, identity and power. Subject Matter Experts (SMEs) will be consulted, tasked with research elements, and involved in concept development workshops. The Inquiry is a cross-disciplinary, integrative, strategic study.

6. The Inquiry will check for overlooked asymmetric threats, generate an awareness of flashpoints and identify sources of Cyber options that are available to MOD and OGDs. It will give greater confidence for the Department and OGDs in setting strategic direction for Cyber. Importantly, within MOD it will provide an evidence base that will be incorporated into Cyber Doctrine and Strategic Balance of Investment decisions which will input into SDSR 2015.

July 2012

Prepared 12th March 2013