Defence Committee

Further written evidence from the Ministry of Defence

THE GLOBAL OPERATIONS SECURITY CONTROL CENTRE (GOSCC)

Background

1. The Defence Equipment and Support Organisation through its Information Systems and Services (ISS) Operating Centre is engaged in the provision of managed, integrated, highly reliable and protected information and communications services (ICS) to Defence. ICS is an essential enabler to the MOD in its role as a Department of State and in conducting operations successfully. The GOSCC is the focus for the operation and defence of the MOD’s ICS—referred to as the “Operate and Defend” mission.

The GOSCC

2. The GOSCC, which has been in existence for over 10 years, now occupies a new purpose-built facility (opened in Nov 10), near Bath, at MOD Corsham. The GOSCC allows us to exercise service management over the capabilities provided by a range of ISS programmes, each of which was individually designed to deliver best value for money for Defence, by the outsourcing of various elements of ICS delivery: in each case, the major contracts that the programmes generated delegate elements of responsibility for the provision of secure and assured services to commercial delivery partners, encouraging the delivery partners to establish their commercial Network Operating Centre (NOC) or Security Operating Centre (SOC), physically within the confines of the GOSCC. Thus, today, the GOSCC comprises a juxtaposition of a number of bespoke contracted operating centres within an overarching MOD-led ICS service management regime. In practice, the complexity of modern ICS and the interrelationship between the different elements that need to work together to provide a true “end-to-end” service, means that MOD staff within the GOSCC act as de facto Service Integrators of the “MOD networks” (the term used to refer to the interconnected MOD ICS).

3. From the GOSCC, global operations utilising more than 500,000 configurable IT assets are monitored and managed in real time; this includes fixed locations worldwide as well as the dynamically re-configured and mobile assets in operational theatres. The GOSCC is manned by military, civil service and cleared contracted personnel who provide 24/7/365(6) watch-keeping responsibility to “Operate and Defend” the MOD networks.

The “Operate and Defend” Mission

4. Given the current and increasing threat to the MOD networks and the information stored within them, it is essential that the networks are adequately defended. However, it is also important to ensure that information can flow quickly and freely around the networks in order to optimise the ability of MOD personnel to conduct operations and business successfully. Therefore, there is a tension between the “Operate and Defend” requirements because, in general, networks that are optimised to support business needs are potentially more vulnerable to cyber attack. For example, users would benefit significantly if they were able to exploit directly the internet as a communications bearer, but there are very real security issues that restrict such an approach. Consequently, those who “Operate” the network and those who “Defend” the network need to strike an appropriate balance between enabling users to conduct their business to best effect whilst minimising the chances of sustaining successful, and potentially serious, attacks on the networks and the information they hold, which would in turn have significant consequences for the business. This balance has to be achieved in the design and upgrade of both networks and defensive capabilities, as well as in their operation in real time. The optimal balance changes with the developing threat (which can happen quickly) and thus success in this endeavour is highly dependent upon a thorough knowledge of the topology of the networks and a very good understanding of business needs.

5. The co-location of contracted NOC and SOC functions, and the consequent availability of network management data, has led to the establishment of the Joint Cyber Unit (JCU) Corsham, resident within, as a fundamental part of, the GOSCC operations, to monitor and defend the MOD networks from attack. Thus the “Operate and Defend” mission of the MOD networks has been brought together, within the GOSCC, under the command of the ISS Head of Service Operations (Hd Svc Ops).

GOSCC Daily Business

6. The GOSCC undertakes the following activities:

(a) Coordination with other defensive cyber operations. Potential attacks against the MOD networks can originate from external or internal sources. A “Defence in Depth” approach is in place to impede the majority of external threats. However, the fast-paced nature of adversary activity in Cyberspace means it is impossible to monitor against all likely threats in all scenarios. Therefore, JCU(Corsham) co-ordinates its activities as an intelligence led process, with key liaison and engagement with trusted partners, agencies and corporate bodies.

(b) Real time monitoring and active defence of the MOD networks. A “Defend” watch-keeping team maintains continual watch against known cyber threats and is authorised to take defensive action, in real time, against these threats. Escalation procedures are in place and when the consequences of delay outweigh the operational or business impact, immediate actions are taken.

(c) Understand what is legitimate MOD network activity and what is an attack. It is not possible to defend a network adequately unless the defender understands the network topology and “Operate” activity. Whilst modern tools can give both the operator and the defender a good understanding of the topology, the defender can easily misread normal and routine operator/network activity (such as planned outages, software upgrades, major data replication activity, outages due to hardware and software failures) as potential attacks on the network. Consequently an “Operate” team maintains a 24/7 management overview of network activity to ensure optimum availability of services to the customers/users of the MOD networks.

(d) Impact on MOD operations by protecting MOD networks—disrupting contractor performance. It is sometimes necessary to direct the contractors who provide many of Defence’s network services to carry out unplanned work that could degrade network performance (eg the application of vital security patches during peak usage times). Such action will often impact on the contractor’s key performance indicators, resulting in financial penalties. Since the contractors work in support of Hd Svc Ops, disputes that arise over these issues can be resolved quickly and amiably.

Best Practice

7. The current “Operate and Defend” mission has been in use within ISS for several years and works very well. The US and NATO both centralise Operate and Defend at the lowest possible level and commercial organisations are moving in this direction. Considerable international interest has been shown in the way the UK delivers the “Operate and Defend” mission as other countries/organisations develop their own “National GOSCC” capabilities.

June 2012

Prepared 12th March 2013