Defence Committee - Minutes of Evidence HC 106


Oral Evidence

Taken before the Defence Committee

on Wednesday 16 May 2012

Members present:

Mr James Arbuthnot (Chair)

Mr Julian Brazier

Thomas Docherty

John Glen

Mr Dai Havard

Mrs Madeleine Moon

Penny Mordaunt

Sandra Osborne

Ms Gisela Stuart


Examination of Witnesses

Witnesses: Nick Harvey MP, Minister for the Armed Forces, Air Commodore Tim Bishop, Head of Global Operations Security Control Centre, and John Taylor, Chief Information Officer, Ministry of Defence, gave evidence.

Q72 Chair: Minister, I am checking to see whether we are allowed to begin even though it is 2.29. I think that we will just throw caution to the winds and begin.

Welcome to the first inquiry into defence and cyber-security, which is part of the series of emerging threat inquiries that we are doing. We have already received some very helpful evidence from the Ministry of Defence and from industry. Would you be kind enough to introduce your team?

Nick Harvey: Thank you very much, Chairman. On my left I have Air Commodore Tim Bishop, who is Head of the MoD’s Global Operations Security Control Centre, and on my right is John Taylor, who is the Ministry’s Chief Information Officer.

Q73 Chair: Thank you. We will be taking evidence, in due course, from Francis Maude, the Cabinet Office Minister. Talking of which, how does the Ministry of Defence communicate with the Cabinet Office, the National Security Council and other Government Departments about cyber-security?

Nick Harvey: Thank you. I am aware also that you have seen Major General Jonathan Shaw and Air Vice-Marshal Jonathan Rigby in private session. You will understand that there are limitations on some of the things that you might want to explore with me in a public session, but if we run into any difficulty-

Chair: Alert us to it, please.

Nick Harvey: The co-ordination across Government is, as you say, through the Cabinet Office and the small full-time unit they have looking across Government at cyber-security issues. I am also on the ad hoc ministerial group that brings together different Government Departments for discussions across the cyber agenda. John Taylor is on an officials group. John, do you want to explain your role across Government?

John Taylor: In my role as CIO in the MoD, I also have a number of cross-cutting roles pan-Government. One of those roles is developing a cyber and information risk management regime, which is being developed on a pan-Government basis. I have set up a working group - essentially - to take that forward, which has interdepartmental representation. I am also doing work in the context of the Government’s ICT Strategy on the Public Services Network, which is also concerned with cyber-defence. In that role, we are taking forward, on a pan-Government basis, a work strand which looks at what cyber facilities we build into that Public Services Network effort. In that context, we are working very closely, not only with the Cabinet Office, but with the likes of the DWP, HMRC and the Home Office. That is all brought together under what is known as "the Chief Information Officer Delivery Board", which is chaired by the Government CIO, so we get good interdepartmental working in that forum as well.

Nick Harvey: On a regular basis, we are essentially in a reporting relationship with the Cabinet Office on the Defence Cyber Programme, and we report to them monthly on the progress of that.

Q74 Chair: Would you not describe the Cabinet Office as a co-ordinating Department rather than an executive Department? The thing that concerns me is that it is quite hard to see from this diffuse and slightly vague organisation that I am hearing about who is actually in charge of doing something.

Nick Harvey: I think that an analogy might be drawn with the COBR principle. When there is some sort of an incident anywhere within Government, the Cabinet Office has this COBR capability that kicks in. In and of itself, it does not have a great organisational empire at its disposal, but it has a co-ordinating role among other Government Departments, which have the mechanical functions. In a sense, I think, in the cyber sphere, the small unit in the Cabinet Office operates somewhat similarly. The principal levers at their disposal actually reside in GCHQ. That is where the serious firepower would come from to deal with things in a practical sense. The small group in the Cabinet Office has, as you rightly say, a co-ordinating function and a policy function, but is not running, hands-on, a big Department or capability.

Q75 Chair: GCHQ is the responsibility of the Foreign Office?

Nick Harvey: GCHQ is principally the responsibility of the Foreign Office, but it has a cross-governmental role in this area.

Q76 Chair: So should we have a Foreign Office Minister in front of us?

Nick Harvey: You certainly could do, if you wanted to know more about that.

Q77 Chair: Is information sharing across Government enough for what the MoD needs? Are there occasions when the MoD does not get what it needs from other Government Departments?

Nick Harvey: As well as the mechanism that I have described going through the Cabinet Office or indeed through GCHQ, we have some bilateral contacts with other Government Departments. Where relevant, we would flag up to them any concerns we had or anything we had discovered that was going on that we thought other Government Departments needed to know about. The point I am making is that there is joint Whitehall architecture but there are also direct Department-to-Department links as and when necessary.

Q78 Chair: But you cannot call to mind any particular instance in which there has been a failure to share information. Is that right?

John Taylor: I think that is generally true. In any process where information is being exchanged, glitches occur from time to time. That sometimes happens because quite a lot of the material that informs our response in cyberspace is highly classified. We are taking steps to build on the work we have done over the past couple of years in particular with GCHQ to improve those information flows. I think we are already seeing considerable benefit for that in our day-by-day, 24/7 cyber-defence operations. The Air Commodore might wish to comment on that in general terms.

We are still building that information-exchange capability, but it is moving forward quickly; it is getting better quickly. Certainly, I am not conscious of any major incident that has caused the MoD any particular problem in this space.

Air Commodore Bishop: Building on what John said, at the tactical level, the information exchange and sharing of information is very good. We also share, for want of a better word, our tradecraft: tactics, techniques and procedures, and the way we would address issues when they arise. We also share staff. We have some staff embedded at GCHQ, for instance, ensuring those ties are tight. They also exchange staff with me. We also do that with the cyber-security operating centre, which is the bit that sits above at the top level and directs what happens across other Government Departments, should we have instances down at the tactical level. At my level, it works very well. No instances spring to mind of when not having information has caused me and the MoD an issue.

Q79 Chair: In 2011, the Cyber-Security Strategy was produced. How are the different Government Departments getting on with achieving the goals of that Strategy? In relation to that bit for which the MoD is responsible, how are you doing?

Nick Harvey: In a sense, I and the Ministry, and perhaps to some extent John Taylor does, but the MoD is essentially responsible for our own piece of it. You might want to explore with Francis Maude, when you see him, his analysis of the other parts of Government, but we are responsible for delivering the Defence Cyber-Programme, which in the first instance is principally about protecting our own Defence networks against any cyber-attack or penetration. We also have responsibility for evolving the UK Government’s capability if they thought it necessary to take any proactive, disruptive steps to deter anybody from attacking us.

So I believe that we are putting together our capabilities well. We are trying to ingrain in and throughout Defence a higher degree of awareness of the cyber-threat and to work into everybody’s thinking the challenges and opportunities of the cyber domain, but this will clearly take time. So far, so good, but it is a programme that will take us through to 2015. In a fast-changing arena, we have to be as agile and as fleet of foot as we can.

Q80 Sandra Osborne: I would like to ask you about demarcating the role of the military. What principles have been developed for determining whether the response to a particular cyber-security incident will involve the Armed Forces?

Nick Harvey: In the event of some sort of cyber-attack against the Government, the co-ordinating role for a response will be exercised by the Cabinet Office. I previously drew the analogy with the COBR operating principles. Depending on the precise nature of the attack and which parts of Government networks were subject to the attack, a lead Government Department would be appointed. Other Government Departments would render any assistance that they could. Our principal responsibility is for Defence’s own networks. We would be the lead Department in that event, but if there were an attack on another part of Government and we had any relevant expertise that we could contribute to their dealing with it, we would do that. Depending on the scale and severity of the attack, it might well be that COBR would meet and bring together Ministers and/or officials from the relevant Departments to co-ordinate the Government’s response. The principal standing responsibility is for our own networks.

Q81 Sandra Osborne: Can you say a bit about how the understanding of the military role has evolved? How does it compare with that of our allied nations?

Nick Harvey: I have talked to a number of allied nations, and the way cyber-defence is organised differs quite a bit from country to country. Some of our allied nations base most of their cyber-defence within their Ministries of Defence, but because GCHQ is genuinely a world-class capability, the British Government put the central function in GCHQ’s hands. We work extremely closely with GCHQ. We have people permanently on site with them, but they are performing the central role that in some of our allied countries would be exercised somewhere within the defence arena.

Air Commodore Bishop: We would provide support in the way that we provide military aid to civil powers if we are asked. We have a lot of experience that we can bring to the table to provide help, and we have capabilities such as forensic capability, technical-support capability and computer emergency response team capability that can be used across a range of scenarios to allow us to deal with or recover from incidents. We are there if we are asked to help, but we are not necessarily leading the way there. We are defending our own networks, which, in itself, is a fairly large task.

Q82 Sandra Osborne: As you say, you closely collaborate with GCHQ as a national centre of expertise in the field. What implications does this relationship have for command and control arrangements, accountability and defining rules of engagement in cyber-operations?

Nick Harvey: We have our own command and control arrangements within Defence which cover our aspects of this, but the command and control arrangements across Government are as described through GCHQ and, specifically, the Cabinet Office. I don’t think we have experienced any problem with this. We don’t feel any lack of ability to control those things which we need to control, nor do we feel that we have responsibility for things over which we don’t have control. So my sense is that our current arrangements are working pretty well. That said, this is a fast-evolving area. We will constantly be looking at what we are doing and seeing whether there are ways that we ought to improve it. But at this time, I am comfortable with the arrangements that we have got.

John Taylor: Perhaps I could add to that, Minister. In terms of our own network defence, some two years ago we put in place a number of what we call network authorities: people who have assigned responsibility in the network space. Currently we have three. One is our network capability authority, which looks at future systems to make sure that they are, if you like, cyber-proofed. We have a network technical authority, which looks at systems that are going to come and use our networks to make sure that they are not going to cause any new vulnerabilities, and we have the network operating authority, which is the role that Air Commodore Bishop fulfils. We have set that up as an enduring operation within the Department that is working 24/7, 365 days a year under the express direction of the Chief of the Defence Staff.

Air Commodore Bishop: From my perspective, in terms of running the operational piece, if I provide my resource to support GCHQ or someone else, they are in a support role in support of the mission of whoever it is. If they provide resource to me, they are in a support role in support of my mission. So my C2 is very clear. If I transfer any of the resource from the MoD to help, the C2 is through the Department that is gaining the resource for however long they need, not going in and running it from a C2 perspective. It is a support arrangement change.

Q83 Sandra Osborne: How much of your role in relation to cyber-security efforts is focused on the Olympics?

Nick Harvey: We are playing a support role here to the Olympics organisers, and we have seconded some staff to them to ensure that they have enough resource to deal with the assessed threats, but we don’t have corporately a lead responsibility for that. However, we play our part as part of the cross-Government effort.

Air Commodore Bishop: To expand on that, we have had a number of people working with the Olympics cyber co-ordination team for about 12 months now, developing the standard operating procedures they will follow, their tactics and techniques-

Mr Brazier: Could you speak up a little?

Air Commodore Bishop: We have been working with the Olympics cyber support co-ordination team for the last 12 months, helping them develop their operating procedures, tactics and techniques to address any instances that may come along during the Olympics period. I have people who during the games period will be embedded into that team. They will have a reach-back to the Joint Cyber Unit down at Corsham, where the whole unit can lend support as and when required. But we are very much in a supporting role using the experience that we have to help the Olympics co-ordination team be as well prepared as they can be.

Q84 Mr Brazier: Can I ask what questions the MoD is seeking answers to in the review that is going on at the moment by the Directorate of Operational Capability?

John Taylor: I can comment in the sense that this is very much work in progress. It came about primarily as a result of some of the transformational changes that Defence has already embarked on, most notably in this context, the formation of the Joint Forces Command, which is a new arm made up from our three single Services but very much focused on what we call joint enablers for war fighting operations. With that development, which came out of the work that Lord Levene completed last year, the Vice-Chief was very keen to look at how the responsibilities of the Joint Forces Command in cyberspace were going to be positioned within the constructs that we had previously.

It is clearly important, particularly in relation to the last question on command and control, that we are absolutely clear where the responsibility and the accountability lie. So having such a big organisational change, we felt that the principal question was to look at command and control governance in this space. Because of the operational nature of what the Joint Forces Command will be doing, we felt that the Directorate of Operational Capability was best placed to look at this.

Q85 Mr Brazier: Why is global operations security still separate from Joint Forces Command - or isn’t it? Have I got that wrong?

Nick Harvey: Joint Forces Command and CJO are responsible for military operations, but the protection of our networks is still - I think rightly - vested in the same teams who actually plan and manage our networks, which, in a sense, comes under the Chief of Defence Matériel. Tim is accountable to the Chief of Defence Matériel for the defence of our networks. We are very keen to sustain the principle that those who plan and provide for our future networks are the same people who defend them in terms of their security. We think that there might be dangers if different teams were responsible for that. That is why it is not part of the Joint Forces Command.

Q86 Mr Brazier: Is there not a danger that it all becomes rather defensive? One of the key things that emerged in recent writings is the importance of this being seen as another battle space, not just as a matter of security.

Nick Harvey: I entirely agree with that, which is why we are trying to ingrain this deeply into defence thinking right across the piece. That is why Joint Forces Command is responsible for this, and it is certainly the objective of the Defence Cyber-Security Programme that we will bring this into the mainstream of everything that Defence does. I agree with you; I think it is another domain in which all our activities take place. I do not think that there is a danger that we will view this only in a very narrow, defensive sense. I think you are just alighting on one bit of the organisational architecture that happens to be responsible for that element of it. It is intended to be something that everybody, right across Defence, embraces and makes part of their daily business.

Q87 Mr Brazier: Just to narrow it down a bit, Air Commodore Bishop referred earlier to Corsham. Can we hear a little bit about recruitment practices there to seek out and hire people, and what sort of people you are looking for?

Air Commodore Bishop: Absolutely. There is a mix now. We need some people with experience - normally older people, probably like me - and we need some younger people who have got the dexterity with the modern technology and who understand it because they have been brought up on it. The unit is constructed with a range of military and civil service personnel. They are split at the moment so it is about 40% civil service and 60% military, with a military element that can go forward into threat - theatres of operation - if we have to, where currently we would not send civil servants. We have got a range of services in the military part. We are looking at people with intelligence backgrounds, we are looking at people with technical backgrounds and we are looking at people with police backgrounds, because there was always a forensic and potential police issue around some of the stuff that we do.

Q88 Mr Brazier: May I ask you specifically about the very, very high-quality TA signals unit that you have, who are all part-time and have a very exciting range of civilian jobs, including in several of the areas you just mentioned? Their strength has always been that they have had a part-time commander with a real civilian job. There is a rumour going around that they may be broken up and put in as part-timers in the back of full-time units. Is there any truth in that rumour?

Air Commodore Bishop: It is not a rumour that I have heard. I could not comment further, because I genuinely have not heard that that is the case. However, the reservists of course have a large part to play, not only in defending but in operating the network. We defend the network so that we can operate at a time and place of our choosing; making sure that the network is there when we need it is what the job is all about - the defensive side is to make sure that that can happen. So "operate and defend" is where the reservist units with the skills that are there come in - they have a part to play in both. We need to make sure in going forward that we do not look at one in isolation from the other; we need to mix them.

Q89 Mr Brazier: Forgive me, but I put it to you that the key to keeping really good quality people who earn their living in a different way is for them to have a command structure that is led by people who earn their living in a different way. Otherwise, what happens is that gradually the structure actually sheds the part-time element, because key decisions get made between Monday and Friday, from which they have been excluded or whatever.

Air Commodore Bishop: We run a 24/7 operation, 365 days a year, so it is not a Monday-to-Friday, nine-to-five event here. There is a part to play for expertise that comes in on a part-time basis in support, along with a full-time capability that is providing that 24/7 cover. There is a balance to be struck. I think that the two can go hand in hand - one does not necessarily exclude the other.

Q90 Mr Brazier: Of course they go hand in hand, but my final point is that you have to have a command structure that recognises it. Perhaps it is odious to make comparisons between Services, but the most successful of the three Services in keeping high-quality air crew on the reserve list is the Navy, precisely because the head of the naval air reserve is always a guy with a real civilian job, so he makes sure that the Navy, when it is planning aviation things, takes account of the fact that you want to use people who earn their living in different ways. That is just a thought for when you come to design what is clearly a new and exciting expanded structure.

Nick Harvey: We certainly recognise and are very interested in developing the potential for reservists to contribute in this area, because if they are working in other relevant fields, they will be developing a very interesting range of skills that we might not be able to develop in our own organisation. Therefore, the potential for them to add value to what we do is absolutely understood, and we are very keen to develop that further.

John Taylor: May I add a comment from a capability development point of view? I think that we have recognised within Defence - very much so - that the skills in this area are premium ones. Certainly, in my own area - I run all our security accreditation work, in which these reservists play a big part - we are seeing new opportunities coming along in the cyber arena for these individuals, so we are very much taking a holistic approach to their training and development, whether they are reservists, full-time military or civilian, to get the blend of premium skills that we need to do our best in this space.

Q91 John Glen: If people do not want to be a full-time reservist and they are not in the military or the civil service, but they have the skills that you need, do you not find your structure and the absolute constraints around those three pots of skills quite difficult, because on the outside people obviously earn a lot more money doing the sorts of things that you need? Do you think, going forward, that this could be a real constraint for you in having the depth and quality of skills? Slightly secondary to that, in terms of the culture within the Services and this being seen as not quite the same as a typical military career trajectory might have been, are you having difficulties getting the people who were recruited on a different basis to adopt such career paths?

John Taylor: In terms of the overall career paths, our view for the short term is that it is a sufficiently new and exciting space and, although there are large differentials between what individuals can get outside compared with what we can afford to pay, whether they are civil servants or military, we are benefiting from the attractiveness of the role, and that is a plus in the short term.

My own view is that we have to look more to the medium and longer term because as the whole agenda starts to expand, particularly when the economy picks up and demand out there starts to increase, we will be more challenged. That is why in terms of the approach to how we man the overall capability, we are almost being quite agnostic about the source of the individuals if they have the skills and the training needed to fulfil the role. For example, I have military staff who work in my systems accreditation area. At the moment, they see potential opportunities when they finish their military career of coming back in and capitalising on the training and investment we have put into them. We obviously are trying to encourage that as much as possible.

Air Commodore Bishop: I can add to that from the Joint Cyber Unit at Corsham in that we have people - almost on a waiting list - wanting to take over from those who are there. It is not long before they are coming to the end of a tour when the phone starts to ring and say, "When is a job available? Who do I need to speak to, to come and get it?" They want to come because of the variety of the work. One of the things that we have been very keen with them is that they know what they have to do. They are authorised to do it. We would term it as mission command, and they are allowed to do their job within their authority. We also offer them a lot of variety: it can be the 24/7 operations desk; it can be forensics; it can be computer emergency responses; it can be the technical security teams that they can move around and do. We also invest very heavily in their personal training. For instance, last year we spent £400,000 on personally training members of the Joint Cyber Unit.

Q92 John Glen: To what extent do you think that that could be a pathway to a lucrative career outside and that, in fact, you will do a brilliant job in the short term to satisfy that demand, but actually in the medium to long term you will have a bigger problem because the people will go off? I am not suggesting that it is something you can easily solve. I am trying to draw out whether it is something that needs to be examined for the medium and long term.

Air Commodore Bishop: Absolutely right. It would be naïve if we thought that, having got some of the best training in the world and then somebody offers a big fat pay cheque, people would not decide to go. We do lose some, but we don’t lose very many. A lot of them stay because they do enjoy what they do, and they do have the authority to do the job they have been put in there to do. They are trusted. I have to trust them, especially the youngsters because they are the ones who will see-

Q93 John Glen: Early responsibility.

Air Commodore Bishop: Absolutely. They also feel proud of being part of something that is allowing defence to work. If we can make sure that we protect the networks so we can operate when we want to, they actually have a core part to play and do. They are tied to the output of what they do, which is good to see. But we do lose some.

Nick Harvey: It is possibly worth adding that contractors are very important to our whole effort. Another part of the work mix at Corsham is representatives on site in a centre from the major contractors who supply us and with whom we are dealing. That is just another element.

Q94 Ms Stuart: Cyber security is a priority. When we heard evidence from David Omand, he said that the cyber security domain was put up as one of the top four national security priorities. Can you tell me where it sits in terms of priorities within the MoD, and how can I tell that that is where it sits?

Nick Harvey: Cyber is a very high priority for the MoD. The threat to our national security posed by hostile action through cyber space was clearly recognised when it was made a Tier 1 threat in the National Security Strategy. It also reflects the funding allocation to the National Cyber-Security Programme. We take it very seriously in Defence. We think that it is an important part and parcel of our planning ahead and our developing of doctrine and concept. We are also making further investment ourselves, over and on top of those pan-Government funds. We have added another £30 million of funding this year and another £18 million last year. I expect that the Air Commodore will be able to describe what we have been doing with that funding and the sense of priority that he feels that he is creating.

Air Commodore Bishop: Absolutely. This is funding that is coming on top of the funding that exists already for operating and for the current defensive capabilities, so it is new money in that sense. For instance, the money that became available last year to meet some emerging needs as the threat changes was used to improve our analytical tools, to bolster our boundary protection on the edges of our networks in certain areas and, importantly, to improve our overall situational awareness of what "good" looks like and what has changed from what "good" was, because that is the indication that we get. That money has gone into improving our ability to respond much faster and in a much more agile and focused way, so that we are not having to think, "What does that look like and what does that mean?" Instead, we are thinking, "We understand that we need to take these actions to ensure that we can operate the network." It is real investment to improve the availability of our networks as we go forward.

Q95 Ms Stuart: As it stands, would you describe the cyber threats as containable, or are they still an issue of concern?

Nick Harvey: I think that it would be bold to say that. It is a very fast-changing threat. We recognise how serious it is and that is why we give it the priority that we give it. We think that we are doing reasonably well in keeping on top of it, but one really does not know how it will evolve in the future, so one has to be aware of sounding too cocky about it. It is something to which we take a very cautious approach.

Q96 Ms Stuart: Given that we heard earlier about the interconnection across Government, the investment in it and how it is a priority for the MoD, how does your prioritisation compare with other Departments? Are you content with the priority that they give it or not?

Nick Harvey: Each Department has to make its own judgment on the risk that it is prepared to accept to its own information and the systems that it uses to process that. In terms of my dealings with ministerial colleagues who come together in the ad hoc group, there is a wide and growing awareness of the threat and the priority that the Government attach to it. Other Departments have come a long way in the past 12 months or so. John probably has a better view across Government than I have.

John Taylor: I would certainly echo that. I think that if you had asked me that question 12 or 18 months ago, I would have said that the MoD was not quite where it wanted to be, but quite a number of other Departments were not even where the MoD was. Now, as the Minister described, because of the investment we have made and are making, we are getting closer to where we want to be.

I have noticed in my dealings with central civil Departments that - I hesitate to describe it as the scales falling away from the eyes, but I think that there has been quite a lot of that over the past 12 months. What has been the driver of that? It is two things, or two interrelated things. One is, if I can use the term, the austerity measures that we are all having to cope with. That is forcing us to look much harder at how we can co-ordinate and join up to have a more collective response rather than an individual Department response. One ad hoc metric that I might use is the number of Departments that are very interested in seeing Air Commodore Tim’s operation down in Corsham. We are entertaining quite a few people across Government and, increasingly, internationally.

The second big driver is the digital-by-default stance that the Government has taken in putting more and more services online, and getting a much better understanding of the risks, be they risks to the availability of the services, risks to the information being carried by the services or, if you are talking about payments or tax collection, your financial loss as a result of cyber incidents. All those things have contributed to that very significant change in situational awareness.

If I may continue for a minute, the challenge going forward is to come up with practical, cost-effective ways to tackle those-ideally, on a pan-Government basis, where it is sensible to do that. I do not think that each Department will necessarily be able to put the level of investment in. Actually, it would be crazy to do that, because to a large extent, we are all contending with the same range of threats from the low end all the way up to the high end.

Q97 Ms Stuart: As a matter of interest, how often does the ad hoc group meet? What is the pattern?

Nick Harvey: I suppose roughly quarterly.

Q98 Mrs Moon: £90 million was set aside for the Defence Cyber-Security Programme. What will you achieve with that money?

Nick Harvey: You are quite right-that money was set aside, but as I have described, we are putting further money in on top of that. What we are hoping to achieve through the Defence Cyber-Security Programme, as part of the National Cyber-Security Programme, is to mainstream cyber into all of our departmental business. That requires funding of the sort that I have described in order to push it right through the system, but we want to make sure that in all future development of military concepts, the cyber element automatically becomes part and parcel of how we do things.

I have no doubt that we will continue to make the sort of investment that I have described from last year and this year in our future planning rounds. It is about trying to improve our own systems and legacy systems, because there are a lot of small networks in defence that belong to another era. We must try to make sure that we can protect all of that at the same time as looking to the future. This is why the whole thing is coming under Joint Forces Command. We must try to plan for a future in which everyone at every level thinks-yes-about the air, sea and land domain, but also about the cyber domain and the part it will play in future activity. By 2015, I hope we will be well on the way to achieving that-that it will become a bread-and-butter part of our business. It will be up to an SDSR and a National Security Strategy in 2015 to assess how far we have got and how much more of an investment we will need to make in it from there forward.

Q99 Mrs Moon: Staying up to date with technology, the potential attacks on your technology and the risks associated with that-is it an expensive business?

Nick Harvey: Yes.

Q100 Mrs Moon: It is not like the old days, when you could buy a car and keep it for 10 years-the technology outstrips your capacity. In fact, the moment you buy it, it is almost out of date. How will you ensure that funds are available to maintain security for the networks and maintain the cutting-edge nature of the products that you are using?

Nick Harvey: By bringing the whole cyber concern into the mainstream of what we do, we will ingrain it into all budgetary work, and every time we are assembling budgets for any significant programme, this will be part and parcel of it.

Q101 Mrs Moon: Sorry Minister, but are you saying that you are going to have separately identified resources for cyber, security, and securing networks?

Nick Harvey: I am envisaging a time when this is so absolutely automatic to everything we do that all the programme budgets we devise to do anything will include ensuring that we have the necessary defences in place to guarantee and assure what we are doing. I don’t know whether my colleagues have anything to add.

Air Commodore Bishop: Going forward, just building on what the Minister has said, as we procure future services to replace the legacy, we now know much more about the threat, so within those programmes, we can bake in a certain degree of security and protection for the products and services that we buy, which is the way we have always done this as we procured new capability. There will still be a requirement, if we are to stay ahead of the game, to have specialist cyber units with specialist capability that sit above and beyond what is baked into the normal operational capability that we have. If we do not, we will fall behind very quickly, as you say.

A lot of that is not about buying technology for protecting and defending the networks; you need some technology to do some monitoring. It is what you have on those monitoring devices-in terms of the latest information that you need to have against this threat-that actually makes the difference. It is not just about the kit; it is about the other lines of development that you need supporting the equipment to make sure that you can take a defence-in-depth approach to cyber-security.

Q102 Mrs Moon: My understanding was that you constantly needed to have patches and things in place to ensure that the latest form of threat is dealt with.

John Taylor: If I may respond to that, this has again been a problem that any large Department has had, particularly when they have had a multiplicity of different systems doing different parts of the business. One thing that has perhaps been an unintended benefit of some of the more enterprise-wide approaches we are taking to our networks, information technology and the applications we are using is that we can, as the Air Commodore said, bake in up front the means to provide the technical security, and we can be sure that it is there across the board. However, at the same time, in terms of keeping that up to date, patching, and so on, you only have to do it once, rather than 200 times if you have 200 systems, and hope that all 200 system administrators will do it. So, we are getting some benefit from the fact that we are having to take an enterprise approach, if only to drive down cost. I think as we move more into the pan-Government agenda, we can capitalise on that approach further.

Q103 Mrs Moon: Does Planning Round 12 have a defence and cyber-security programme fund within it?

John Taylor: It does.

Q104 Mrs Moon: Is there a clearly identified, constant stream of funds set aside to tackle this issue?

John Taylor: There is.

Mrs Moon: Thank you. I have to say that, as a cook, baking up front makes absolutely no sense at all. Obviously a man who does not cook came up with that idea.

Q105 Penny Mordaunt: Following on from the resources to look at the planning processes for cyber elements of the next SDSR, could you talk us through what activity is taking place on that, with particular reference to how you are managing to take account of the pace of change and rapid evolution of threats and behaviour in cyberspace, for both the short and long term?

Nick Harvey: Yes. Our operational planning now includes consideration of the cyber dimension to any future conflict or scenario that we think we might find ourselves involved in, so we are ensuring that the cyber element is worked into all future force development. The two joint cyber units-the one at Corsham and the one that is linked into GCHQ and the unique capabilities that it provides-are part of the Defence Cyber-Security Programme. We hope that, in time, we will train more and more of our people to have a greater capability in this area, and to view it as part and parcel of what they do.

In terms of considering the future character of conflict, we are also funding a programme of strategic studies at the Seaford House think-tank, which is part of the Defence Academy, to look at the implications of developments in cyberspace in terms of the environment in which our future security challenges will be managed. So, you are quite right. The pace of change has to be recognised. We have seen significant changes in the cyber-environment, even in the 18 months since we conducted the Strategic Defence and Security Review. We cannot afford to let the grass grow under our feet, but we are really giving this an emphasis and an importance that it has not had before.

Air Commodore Bishop: Also, we can learn a lot-we do-and we share with industry colleagues. Although the aim of an attack against industry may be different from the aim of an attack against us, the techniques that are used to prosecute the attacks are very similar. So, they are having to deal with the same kind of thing that we are dealing with, but from a different perspective of the attacker in relation to industry.

The sharing of information between industry and us, and of techniques that we use to counter attacks, is a very useful way of making sure that we stay ahead of the game. It is not always about buying technology; sometimes it is about sharing information with each other and being open and honest, saying, "This is what we’ve seen. This is what we need to do." That is just as useful as the technology that needs to be there.

Nick Harvey: In terms of the relationship that we have with industry, during the Afghan conflicts the increasing usage of urgent operational requirements has shown how there can be a swift and agile response to a changing need. The relationships with industry that the Air Commodore describes are vitally important, and when necessity brings it upon us we will make sure that we can react very quickly, cutting through some of the normal processes in order to respond to a rapidly changing threat.

Air Commodore Bishop: To add to that, we talked about command and control earlier, and John mentioned the Network Operating Authority. I have the authority vested in me, without recourse higher than me, to direct contractors to break all the contracting rules that we have in place if we have to do something very quickly to defend the network. I can direct them and tell them to go.

Q106 Penny Mordaunt: When you consider the whole horizon, scanning across the whole national security picture, would you say that that is as advanced and well resourced as it needs to be to help you to plan for the future?

Nick Harvey: I think it is adequately resourced. I acknowledge that it is going to have to make considerable further advance. To be honest, it is still somewhat in its infancy and at an early stage. The new priority that the National Security Strategy has given to this, and the National Programme, and the additional funding that has been put in place, recognise that there is work to be done if we are going to stay ahead in this area. We have been describing, during the course of this hearing, some of the means by which we are going about that, but there is a long way to go-I would not deny that for a minute.

John Taylor: There is a piece of work that I am currently leading, again in the pan-Government space, to give effect to the role of the Government’s Senior Information Risk Owner. Currently, that role is held by Mr Watmore in the Cabinet Office. Only now that we have this much more cohesive pan-Government approach both to cyber and ICT have we put proposals to him, only six weeks ago, for how we could give him some machinery to enable that more consistent approach to information and cyber-risks across Government. You will see that coming into being over the next six to nine months.

Q107 Ms Stuart: You have got cyber-security successes, but nothing happens, and you will ask for increasing amounts of money to make sure that nothing happens. I have a twofold question. What metrics are you going to use to show that you have succeeded in nothing happening, and you lose interest because there was not anybody out there who did not attack you? What metrics do you think we should use in order to assess that you guys have been successful and still deserve the money that you have been asking for?

Nick Harvey: That is a very good question, and very well put. Because the threat is so fast-changing, it does make it difficult to measure the effectiveness of our defences. Any adversary is going to be looking for the weak point in our defences. It will look, as we were just saying, beyond our own infrastructure to that of contractors and others we rely on. It is almost trying to prove a negative. Perhaps John Taylor can say a few words about the modelling that we think is the best way of doing this.

John Taylor: This is probably the most difficult set of questions to answer. We have been putting quite a bit of intellectual effort into it, but we are not there yet. The first one I would cite, which relates to some work that we have been quite successful in in the Ministry of Defence, is on what we call maturity modelling. Inherent in that is the fact that you cannot look at just one piece: the technology, the people or the process. You have to look at them in the round. When we look at the cyber defence system, we are not just looking at the technology and the capabilities that we have there; we are looking at the people and their training, the organisational culture, the levels of awareness, skills and processes. We have done that in the information assurance space. It takes quite a bit of effort, but it does give you some quantifiable assessment of where the organisation is in terms of its ability to manage in the cyber environment. The difficulty comes when you try to relate that to the level of investment that you have put in. I think that is one of the challenges that we have still to overcome.

The second approach that we are exploring is putting ourselves in the position of someone who wants to attack us. Let us consider what information he or she might have available on our vulnerabilities. Let us then use our operational analysis expertise to try and get a better understanding of what we look like to somebody outside. It is a bit like looking in the mirror. Sometimes you do not like what you see. On the other hand, it gives you that different perspective, a scenario-based perspective, and we can look at that from all the way across the various threats that we are contemplating.

More broadly, we are doing some work on metrics to give us positive evidence that we are as safe as we need to be. That involves looking at metrics in the business infrastructure space, making sure that we understand what assets we have and that we have processes that review information risk on a regular basis. We then need to look in the technology space, making sure that our information is backed up, that we have up-to-date antivirus software-all the hygiene things that you need to do. Then there is the people space-for example, is our security vetting process working properly? We do have to have concerns about the insider threat. I will not go into any more detail on that.

Q108 Ms Stuart: In that case, I hope you did not hear how David Cameron answered the question today about why Coulson was allowed to look at papers without having been security cleared.

John Taylor: Well, there we are-a good example. Then, of course, we have the physical environment: are we controlling access and so on? I think we are already quite mature in quite a lot of these things in the defence context. My challenge in the pan-Government context is perhaps to get some other Departments to pick up some of those things. We are going to be giving them some encouragement to take them up. That will, I think, give us a more consistent approach on a pan-Government basis.

Q109 Ms Stuart: I can see that from your point of view you look in the mirror and you get yourself to a stage where you like what you see, but how do you suggest that we as a Committee test whether you have been successful?

John Taylor: That is a very good question. I think one of the metrics that might be interesting-I am probably being a bit bold here-and that you might explore is this.

Ms Stuart: He’s looking worried!

John Taylor: This is when my Minister might give me a kick under the table. We are looking at this from the point of view of the ratio of how much we are putting into protecting our systems and the information and how much we are investing in the systems themselves. In terms of that kind of metric, if a Department comes in and tells you that it is spending £1 billion on IT and nothing on protection, I would be very worried. I think if we came in and said we were spending £1 billion on IT and half of it was on protection, you would be worried, too. I have already narrowed down the problem space a bit. What I am really suggesting is that we need to develop some benchmarks in this space for what "good" looks like, and there are a number of ways we can do that, along the lines I have described.

Q110 John Glen: How will we avoid the situation in which any relative benchmark from the commercial, business world would be justified by you as not being reasonably comparative, because of the nature of what you do? How do we establish a credible way of doing this? Are there international comparisons? Are there best practices in other jurisdictions that would be relevant here?

John Taylor: There are certainly emerging standards in this space, but I would hesitate to describe them as mature. When we look to the commercial community, I see quite a variable space. The International Standards Organisation is starting to develop good guidance that sets the bar for the sort of hygiene levels we should have. When I look at other jurisdictions, other environments, the challenge is how attractive we are as a target compared with these other areas. That is why we are having conversations on this with our colleagues in the US, who are quite concerned about this issue, both in the defence context and in the national defence context.

Nick Harvey: It does rather depend on your attitude to risk. Commercial companies will want to protect, for commercial reasons, what they do, but in a sense it would not amount to a national catastrophe if some of that got out, whereas if you are dealing in some aspects of our national security, you have to have a more risk-averse approach than some elements of industry might feel they could get away with.

Q111 Thomas Docherty: I want to go back to one of the things that Mr Taylor mentioned. Clearly, our Armed Forces are more reliant on network technologies now than perhaps we were five or 10 years ago. How is the MoD specifically planning to mitigate the risks that that poses?

Nick Harvey: Belt and braces and backups-sort of defence in depth, I suppose you would say. By working with intelligence and security agencies to assess the threat to our systems. By putting in place, as far as we can, technical measures to protect ourselves, restrict access and protect key data from compromise. By carefully segregating the most sensitive systems, carefully patrolling the links and gateways between different elements of systems and ensuring elements are completely autonomous. It is almost a sense of replicating in the cyber domain some of the approaches we would take to security in the physical space. Tim, is there anything that you want to say about that?

Air Commodore Bishop: No, I think that sums up the way we go about doing the business, and then we are into the tactical detail of how you do each one, but the Minister has covered everything.

Q112 Thomas Docherty: In response to a question from Ms Stuart, you talked about a hierarchy of risk. There is obviously a hierarchy of protection. I would imagine that there are some things that are more important to protect than other things. Has the MoD decided its priorities for what needs to be protected? Can you speak to that?

Air Commodore Bishop: Absolutely. It is about the way our protections are designed: they are in layers depending on the sensitivity of the information. The most sensitive information that we hold on our very secure systems does not have direct connections to the internet. The ones where we need to do a lot of business, for instance when we need to do a lot of work with industry, will have connections to the internet, and we will ensure that we can manage those connections and allow only the data through that we wish to go through. There is a lot of separation of our very close-hold information from the systems that genuinely work down at the internet-type level. That is how we go about doing it.

John Taylor: The other process that we have in place is that we have a fairly mature risk-balance methodology working within the Department. What do I mean by that? This is about when we identify a risk with a particular system or capability. We have a formal process for assessing that risk from the point of view of both an operational benefit and the information risk that might be inherent in operating a system in a particular way.

Whereas in the past judgments like that were taken on a somewhat more ad hoc basis, we now require projects and programmes to do a formal risk assessment looking at the benefit from operating in a particular way to the risk to the information or the people who might be using the capability. That is one of the processes that, in my role as the senior information risk owner for the MoD, we police quite systematically. So much so that I have probably taken upwards of 60 or 70 risk balance decisions on behalf of those programmes over the past two to three years. That has given us a very useful set of case law that we use to inform our risk appetite going forward. That very much complements the sort of thing that we are doing in the technical space.

Q113 Thomas Docherty: Following on from that point about the industrial interaction, it is a long-standing tradition that we have required our contractors and suppliers to take physical precautions to protect their estate and their interaction with the MoD. Can I press you to say something about what cyber-security measures you require the industrial supply chain to take?

John Taylor: This is an area that we are giving increasing attention to. I am not convinced we have got this quite right yet. As you rightly say, we are very dependent on those suppliers. Having, if you like, got our own house in reasonable order, we are now starting to work particularly with our key suppliers to help them raise their game in this space. I am clearly not going to talk about any individual supplier but I think we are getting an understanding of what that landscape looks like.

Nick Harvey: It is also something that is being looked at on a pan-Government basis as well. The Department for Business, Innovation and Skills and GCHQ are working together to try to evolve a kite-marking system for suppliers to central Government.

Q114 Thomas Docherty: You will understand, I suspect, my slight concern at the very honest answer that we are not there yet. How concerned should we be? How long will it take us to get to where we feel comfortable?

Nick Harvey: We have very good relationships with key industrial partners. We share information with them. There is a mutual recognition of and understanding of the problem and a determination and will to help each other improve our defences. I think that the ingredients are there to get us to where we need to be, but it is a big task. As we have already commented a couple of times, there is an ever-changing, fast-evolving threat. You have to be very sure of yourself to say that you have cracked the problem. I think John Taylor is acknowledging that there is more to do.

John Taylor: There is also, if you like, a kind of institutional behavioural issue here. If you are sitting in a company that has suffered a cyber-attack that has done some damage, either through information or financial loss, the instinctive reaction is to want to keep that quiet. It is a bit like the banks. We all know that they lose so many millions a year through fraudulent activity but it is never really talked about.

Where we have got to now, at least from our engagement particularly with the big defence contractors, is recognition that they should not be shy in coming forward. We are seeing more of that now, particularly in some of the interactions that Air Commodore Tim’s team has with companies. They can also reach out to us for help if they have a particular problem. Although I cannot talk about specific instances, there are certainly at least two cases where I have been directly involved when someone senior from a defence contractor has come to the MoD and said, "We have a problem; can you give us some help?" We are using some of our skills to help those companies raise their game. In direct response to your question whether you should be really concerned, I think it is something I would keep a very close eye on.

Q115 Thomas Docherty: You will be aware that we had your ministerial colleague in yesterday to discuss procurement. Off the shelf came up for debate. I also assume you will have seen Professor Omand’s comments about striking a balance between off-the-shelf procurement and cyber-security. Minister, what is the MoD’s approach to setting that balance between efficiency of purchasing and security? Is there a potential risk from off the shelf in the cyber realm?

Nick Harvey: There is certainly a potential risk; there has to be. It is always a question of balancing risk with the other factors you are going to consider. Obviously, price is one of those, but there is also speed and efficiency of delivery, how urgently necessary the piece of kit is, and the extent to which you have any known concerns about the product that the supplier is potentially going to supply to you. If it has any components that you have a concern about, you have quite a complex risk balance to perform. It is quite difficult to give you a generalised answer, but these are the components that you would weigh in any given situation.

Air Commodore Bishop: We use commercial off-the-shelf products in our cyber-defence systems.

Nick Harvey: There is no reason why you wouldn’t.

Q116 Chair: No reason? If those commercial off-the-shelf products are made in China, does that give you any cause for concern?

Air Commodore Bishop: We are looking for a product that does a specific job for us, and if a product is available that can do that job in the way we wish to use it, there is no reason why we wouldn’t use the product in that way. We would, of course, take advice from the National Technical Authority for Information Assurance on whether the product would allow us to do what we are trying to achieve.

Q117 Chair: You would not really know what was in it, would you?

John Taylor: In terms of our approach to this, it is, as the Minister said, very much about looking at the sourcing risks that you may be taking. There can be a number of factors in an assessment of sourcing risk. Clearly, if it were a piece of equipment that had an inherent IT capability for defensive purposes, we would look at the sourcing of that very carefully.

Q118 Thomas Docherty: Do we buy any of our equipment from the Far East? Any of our IT or technology at product level? Do we know?

John Taylor: I think, in terms of end products, the answer would be no. I can let the Committee have a note, if I may, on a particular sourcing decision that we took on IT equipment some years ago.

Q119 Chair: That would be helpful, but we also need an answer in relation to the component parts of end products.

John Taylor: I will certainly try to give you as much as I can on the components, as well as the end unit.

Thomas Docherty: From the thoughtful look on the Minister’s face-he always looks thoughtful, to be fair-can I assume that this is not something on which you have regularly had long discussions within the Ministry of Defence?

Nick Harvey: It is an issue we are aware of. What you are putting to us is not new, as is witnessed by the fact that a decision was taken on this area some years ago, but it is difficult to give you an answer that covers every scenario.

John Taylor: I would also add that, in this space, the question of sovereignty in terms of capability is very much uppermost in our mind. Again, in my note I can give you an example of where there is a very active debate on that issue going on in a particular programme. I am afraid that due to the sensitivity, I cannot share that with you publicly, but I am very happy to give you a note on it.

Q120 Chair: That would be helpful. We have been talking about vulnerabilities, and there is a vulnerability inherent in relying on computer networks, but there is another vulnerability that we need to consider, which is our new reliance on just-in-time procurement. The Libyan exercise last year showed the extent to which industry was able to ramp up production and, thankfully, provide us at the last moment with some really sophisticated equipment that we needed. If industry itself were taken down by a cyber-attack, those defences would no longer be available to us. I wonder about the extent to which that has been factored into your relationships with industry.

John Taylor: That is very much at the heart of the concerns that I expressed earlier about not having quite got there yet in terms of having a complete, end-to-end view of cyber-vulnerabilities in our supply chain.

Q121 Chair: You need that, don’t you?

John Taylor: That is what we need, because although our military colleagues are very self-sustaining, increasingly as we are acquiring these capabilities on a service-provisioned basis, there is the question of what happens if there is an outage due to cyber at the wrong moment. I characterise it in terms of our own internal networks. If you have a problem in the network-not necessarily because of a cyber-attack, but because of a fault-at 7 o’clock on a Friday evening, just before the Minister’s box closes, that can be quite career limiting. I think we could be in a similar place from a war-fighting point of view as well.

Q122 Chair: Minister, in 2010 you made a speech-well, you probably made rather a lot of speeches, but in this particular one you said cyberspace was "a new domain" that "should be subject to the same strategic and tactical thought as a conventional military operation." In many respects, of course, it needs to be subject to completely different strategic and tactical thought, but I think you meant the same amount or seriousness of strategic and tactical thought. There are differences, however, and I wonder whether you would like to share with us your views about what those differences can be in relation to the cyber-domain.

Nick Harvey: I do very much view cyber as another domain for warfare. The US Department of Defense has evolved its thinking along those lines, and we are doing so in the UK Ministry of Defence. To treat cyber as another domain is not to try simply to make it separate from the land, sea and air domains-quite the reverse. The way we look at it is that we have potential adversaries who would seek to do us harm in whatever domain they felt able to.

I think that treating cyber as a domain sends a signal, if you like. It says to our commanders that they have to have their wits about them and recognise the threat-and also, possibly, the opportunity-presented by the cyber-domain. It is not just some technical specialism for which a bunch of experts can be unearthed from some remote MoD section; it is something that should be part of the equation and the military planning at all times.

I am convinced that increasingly this is the way everybody in defence in the UK and elsewhere will come to work this into their thinking. I suppose increasingly the defensive and offensive elements to this will come together and will be worked up into doctrine. It is helpful to think of cyber as a further domain, but everything that we plan for the future needs to have an understanding and a recognition of this in it. To that extent, it is part and parcel, and not separate, but I think it is quite a helpful way of viewing it to think of it as an additional domain.

Q123 Chair: Okay. I want to ask questions first about law, and secondly about deterrents. First, law: do you think the same legal principles apply to cyber-attacks and conventional attacks? You said in that speech that "the established laws governing the use of force and the conduct of hostilities are equally applicable to cyberspace as they are to traditional domains." I just wonder whether everyone agrees with you-and do you agree with you?

Nick Harvey: I certainly hold that view today, as I did in 2010. For me, the law of armed conflict applies as much to cyberspace as it does to any other domain of operation. The principles of proportionality, discrimination and humanity apply to actions that we might take in this domain, as they do elsewhere. We should focus on the intent and the consequences, rather than the means of delivering the effect. Similarly, I suppose, when you are thinking of Article 5 of the Atlantic Treaty, that could apply to an attack in cyberspace, just as it might be invoked for a conventional attack. Whether it would be appropriate -

Q124 Chair: Is that internationally accepted?

Nick Harvey: Who is to say? There are countries, as the Committee is probably aware, who would like, as we see it, to bog the international community down in some slow and doubtless long process of trying to negotiate new treaties and bring about new laws to apply in this domain. We do not believe that those are necessary, because we think that the application of existing law and norms of behaviour will serve us perfectly well. As I say, it is really a question of focusing on the intent and the consequences, rather than on the means by which you bring those about. I think this is what the Foreign Secretary had in mind when he invited people from around the world to London for a conference to discuss these very matters. I think it would be a mistake for the international community to feel that it needs to reinvent a legal code for this domain; it would distract us from trying to work together to evolve norms, which should derive from existing law.

Q125 Chair: Norms and rules of engagement. Will you be involved in that?

Nick Harvey: At this stage we have not sought to develop specific rules of engagement for cyber, but as our understanding of cyber-operations, their potential, their capabilities and the associated norms of behaviour develop and evolve, I could envisage us coming back to that and possibly devising specific rules of engagement at some point in the future.

Q126 Chair: By the time you have done that, won’t it be far too late?

Nick Harvey: Well, that would be my concern about reinventing law here. By the time we had got 200 members of the United Nations to agree to some new law, the technology would have left it all far behind. That is why we are far better adapting existing machinery to this new domain, and for the time being we conduct ourselves in this domain as we would in another. If, as we learn more, we need to devise extra rules of engagement, then we will do that.

Q127 Chair: Getting back to Article 5, is it your view that the cyber-attack on Estonia would or could have given rise to an Article 5 declaration?

Nick Harvey: It is an interesting point. I cannot see in principle any reason why one would say with any certainty that it would not. Potentially, yes.

Chair: The vagueness of that answer -

Nick Harvey: Well, it is a hypothetical question.

Q128 Chair: It was not hypothetical, actually, because it did happen.

Nick Harvey: But the request wasn’t made.

Q129 Chair: The request wasn’t made, possibly because no one was sure what the answer could be. Does that not lead you to wonder whether it might have been helpful at least to have had discussions about whether that Article needed to be clarified?

Nick Harvey: Yes, I believe that discussion would be helpful. As I said, my starting point is that Article 5 could apply to an attack through cyberspace as it might to any other form of attack, but you immediately pulled me up, asking whether that was universally accepted, in which case there would be merit in having discussion with our fellow signatories.

John Taylor: I am no expert in the law on conflict, but I think I understand proportionality. I recall that the Estonian incident was about websites being taken down. The challenge we have is making judgments on proportionality. If the debate were centred on that, it might bring some clarity in this space.

Q130 Chair: Moving briefly on to deterrence, but still staying for a moment on Estonia, do you think deterrence works in the cyber-field?

Nick Harvey: I don’t see why it would not. Perhaps as we go forward and there are more cyber-attacks, or attributable cyber-attacks, and people gain a greater understanding of others’ capabilities, that will, perforce, begin to play into the psychology and logic of deterrence.[1]

Q131 Chair: But surely the point about cyber-attacks is that they are not attributable. Do you know who did the Estonian attack?

Nick Harvey: No, but we have a pretty good idea -

Chair: That was several years ago now.

Nick Harvey: We have a pretty good idea where attacks on our networks come from.

Q132 Chair: Yes, but it is quite difficult to prove it, isn’t it?

Nick Harvey: Not necessarily.

Q133 Chair: Four years after the attack on Estonia, if we cannot be certain who carried it out, even though we have a pretty good idea, those people who carried it out could be forgiven for thinking that deterrence did not really work, couldn’t they?

Nick Harvey: Why? Simply because of the apparent inability to attribute it?

Q134 Chair: Yes. Changing the subject slightly, if you had an electromagnetic pulse attack - we have done a report on that recently - it would be quite difficult to attribute that, wouldn’t it? That would, or could, take down the entire network, couldn’t it?

Nick Harvey: Yes. John might be better able to speak on this than I am, but in terms of cyber-attacks on networks, we can in many cases tell pretty much exactly where they have come from - not in all cases, by any means.

John Taylor: Perhaps I can try to answer your question in relation to an exercise that I took part in, which was co-ordinated by the Cabinet Office last year. It was a cyber-attack purported to have come from a particular country. It was directed at our UK networks and was particularly targeted at the oil industry. That was the context. Certainly in the exercise, one of the immediate challenges, given the time scale - the very quick impact that such an attack can have - was a question mark over the alleged attribution of where it had come from. There was some doubt, but the sense was that after a relatively short period - two or three days - the sort of capabilities we have could have increased the confidence in that.

That does raise questions, particularly about a challenge that I discussed with General Shaw before he left: how do you position what I would call "active defence" in this space? That is something that we will just have to keep working at.

Chair: Getting back to law for a moment: Dai Havard on the International Criminal Court.

Q135 Mr Havard: During the conflicts in Iraq we had, for example, British soldiers running an internment camp. They were protected in law in a number of different ways, partly because it was all done under the auspices of a UN resolution. So, in terms of things such as claims in the International Criminal Court they gained a form of protection. If rules of engagement are going to be developed for cyber, in an offensive or other role, what work is being done to look at where individuals would find themselves placed in terms of protection, particularly under the International Criminal Court?

The Americans are not a signatory to the International Criminal Court, for example, so if they were working in an alliance, they might find themselves in a very different legal position from other allied forces that they were working with. Is anyone doing any work in this area, to clarify the legal protection for individuals we were asking to work on our behalf in these environments?

Nick Harvey: We would apply exactly the same legal principles that we do in conventional conflicts - actions that we were conducting here. So you are quite right in pointing to events in Iraq. In Afghanistan, we operate under a different legal framework from our American allies, so we are not unused to having our people work alongside them but in a different legal set-up.

In terms of the cyber domain, it would be our starting point that we were applying the same legal principles here that we would apply elsewhere. Yes, you make a good point. I can well envisage circumstances in which people doing things on our behalf were operating within a different legal framework from international colleagues. To be honest, that already happens, but the way we advise and look after our people is to apply the law as it exists to what they are doing in this domain.

Q136 Sandra Osborne: Across Government as a whole, is the capacity for research and development in cyber-security adequate to meet the needs of the MoD?

Nick Harvey: The MoD works with others to promote and stimulate science and research and development. We are currently providing £80 million a year for research in the related areas of cyber and influence. For Defence, that is done through the Cyber and Influence Science and Technology Centre, which is part of the Porton Down Defence Science and Technology Laboratory.

The centre team up here work, as you have heard, with other Departments. We work with research councils to ensure that there is a co-ordinated programme of research here, and we invest, as John has told you, in pan-Government work. We are part and parcel of programmes that have placed work out in a number of universities. There is a lot of activity co-ordinated with other Departments - with the Cabinet Office and GCHQ - developing cyber-centres of excellence. Is there enough? Well, I don’t know. Is there ever enough? There is certainly a lot going on.

Q137 Sandra Osborne: Could research be enhanced by greater involvement with organisations within academia and industry?

Nick Harvey: Well, we do. Certainly, as I have mentioned, when placing these contracts in universities, we will place our research work with whomever we think to be the best-placed supplier. That might well be academia and it might well, in other instances, be part of the private sector. We have a Centre for Defence Enterprise which does its best to place innovative research work in academia and in industry, and it is that expertise and approach that we use when placing work in this relatively new field.

Q138 Sandra Osborne: How much of a constraint is it in relation to fears about giving access to classified information and involving outsiders in the field of research?

John Taylor: That is always something that we have to be conscious of, particularly in terms of the background information that we get from GCHQ. I point to some of the work that we have done under the Information Assurance Technical Programme, which, from last year’s figure, the MoD put around £8 million to £8.5 million into, along with contributions from other Departments. We have found that that is manageable, because it tends to be not large groups of people who are doing the work, so we can make arrangements for individuals proposed to do that work to be appropriately security cleared and to ensure that they handle the information accordingly. I would not have said that that was a major impediment to engagement with these other institutions.

Q139 Chair: Minister, I am going to end with a completely unfair question, which is also about research and development. Yesterday, when we had the Minister responsible for defence equipment and supply in front of us, I asked him whether he might agree that 1.2% of the Ministry of Defence budget being spent on research and development was far too low, and he did agree. Would you agree?

Nick Harvey: Yes, I would certainly agree. I feel altogether more comfortable about doing so if he already said that.

Chair: So that is two down, five Ministers to go. Thank you very much. That was very helpful and we are most grateful to all of you for your evidence.

[1] Ev 46

Prepared 12th March 2013