The UK Defence Committee is urging the Government to be more vigorous in its approach to cyber threats.
A new report released by the Committee says that the British military is now too dependent on information and communications technology.
The Committee believes this could be fatal if sustained cyber attacks were to occur.
CBR rounds up expert opinion on the need for the UK government to urgently create contingency plans for such attacks.
Yogi Chandiramani, European senior manager of systems engineering, FireEye
"We now rely on internet connectivity to support so much of our daily lives that Shaw’s call for an aggressive public awareness campaign can only be welcomed. Human error still accounts for too many cyber incidents, and a widespread lack of understanding – coupled with the increasing sophistication of cybercriminals – has led to a significantly raised threat level. Today’s hackers are moving beyond the typical phishing attempts of previous years to more targeted, intricate and complex attacks. With this in mind, continuingly educating and re-educating the public on the growing security risks would be a positive step for the government in controlling the threat.
"The UK government’s investment into the National Cyber Security Programme is a promising sign that the issue is finally being acknowledged by the powers that be, however urgent action must be taken to protect both the British military and the general public from the potentially devastating effects of a cyber attack or even prolonged cyber espionage campaign – as the stakes have never been higher. As traditional security tools are no longer fit for purpose in tackling the threat alone – governments and organisations must start deploying defences that are as sophisticated as the threats they are trying to thwart. Quite simply, there can be no room for complacency when it comes to this issue, and the growing prevalence of high-profile data breach victims and the emergence of highly advanced malware should be taken as an urgent call to action."
Chair of the Committee, Rt Hon James Arbuthnot MP
"There is a consensus that cyberspace is a complex and rapidly changing environment. It was therefore important for us to consider the implications for UK defence and security. It is our view that cyber security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents."
"The opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces is clear. We want to see the MoD explore this thoroughly. For this reason, we support the use of National Cyber Security Programme funding to develop these capabilities, but also wish to be assured that the MoD will maintain its investment in existing defence intelligence services which provide a vital UK cross-government capability."
Dr Andrew Murrison, Minister for international security strategy
Far from being complacent, the MOD takes the protection of our systems extremely seriously and has a range of contingency plans in place to defend against increasingly sophisticated attacks although, for reasons of national security, we would not discuss these in detail." Government funding to tackle this threat underlines the importance we attach to these issues.
Professor Paul Cornish, Chatham House
In cyberspace the boundaries are blurred between the military and the civilian, and between the physical and the virtual; and power can be exerted by states or non-state actors, or by proxy. Cyberspace has made it possible for non-state actors, commercial organisations and even individuals to acquire the means and motivation for warlike activity.
The UK Cyber Security Strategy notes that a number of different groups — criminals, terrorists, politically-motivated ‘hacktivists’, foreign intelligence services and militaries — are active today against the UK’s interests in cyberspace, but with the borderless and anonymous nature of the internet, precise attribution is often difficult and the distinction between adversaries is increasingly blurred. Threats to security and information in the cyber domain include state-sponsored attacks, ideological and political extremism, serious organised crime, lower-level/individual crime, cyber protest, cyber espionage and cyber terrorism.
Professor Brian Collins, former Chief Scientific Adviser in the Department for Business, Innovation and Skills
If I had suggested three years ago that people would be organising riots in the streets using Facebook, no one would have even understood what the words meant. Last summer, that is what we saw. Now, if you say to law enforcement or, indeed, maybe to parts of our military operations, ‘Do you expect to see those sorts of applications being used to organise a significant threat to us?’, I do not believe that we have the mechanisms in place a priori, as opposed to by way of response, to anticipate where some of those things may be hitting us.
There is maybe too much emphasis on the short-term tactical as opposed to the long-term strategic. Tactically, I don’t think we are in bad shape at all. However, to be in a situation in which you can anticipate where some of these things might be coming from is a combination of intelligence-gathering together with some idea of where individuals or groups might be taking their thinking, when we would regard that as undesirable for us. That horizon-scanning function is a piece that I see missing.
Martin Sutherland, Managing Director, BAE Systems Detica
The UK’s ability to defend itself against cyber attacks does not rest in the hands of any single entity. Ensuring our national and economic security in an increasingly interconnected world requires all organisations – government, public and private sector – to put in place robust cyber security defences as well as appropriate response procedures in the event of a successful attack.
To improve the effectiveness of these measures we need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they’re seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day. Accordingly, much of the Government’s Cyber Security Strategy focuses on enabling organisations to better defend themselves – for example, the creation of the ‘Cyber Security Guidance for Business’ document and the recently launched UK government backed Cyber Incident Response Scheme.
The UK’s strategy is still going through a process of implementation; however it is progressing well and has a mature approach in comparison to many other nations. Interestingly, the UK was placed first of the G20 in its ability to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton’s recent Cyber Power Index. However, there is still a long way to go before we can say that we are successfully countering cyber threats" said Martin Sutherland, Managing Director of BAE Systems Detica.
Ross Brewer, managing director and vice president, international markets, LogRhythm
For government organisations, the consequences of cyber attacks are not restricted to the loss of sensitive information or financial penalties. With cyber criminals deploying ever more sophisticated tools, the potential for cyber attacks to cause real world damage grows. This is particularly true for UK’s armed forces, which is becoming an increasingly popular target for both independent cyber criminals and those controlled by other governments.
It is unfortunate that most government-led cyber security policies focus on catching and punishing criminals as opposed to preventing computer crime. It’s therefore no surprise that public calls for urgent and more aggressive government action are gathering steam. LogRhythm’s own research has shown that more than two thirds of the UK public now back pre-emptive cyber strikes on enemy states. Furthermore, 45 percent believe that the UK government needs to step up its protection of national assets and information against cyber security threats, and 43 percent think that the threat of international cyber war and cyber terrorism is something that needs to be taken very seriously now.
However, any pre-emptive strike could incite disturbing consequences such as the execution of even more sophisticated attacks on the UK’s critical infrastructure. Rather than attacking ‘enemy’ networks, the scale and nature of today’s cyber threat calls for proactive, continuous monitoring of IT networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all – after all, you can only defend against that which you can see.
Wieland Alge, vice president and general manager for EMEA at Barracuda Networks
The danger of a cyber attack on the nation is and always will be a threat and the problem is not restricted to the military. Take large hospitals, our banking systems and transport infrastructures such as airports and railways for example – all are relied upon to carry on with our day-to-day lives and all have core IT processes that rely on the ability to keep data flowing securely.
Firewalls and related security systems are responsible for protecting these crucial technology infrastructures and the Government should regularly review its security plans across its whole organisation. Malicious attacks, data loss and network downtime is something that the military and all other government sectors cannot afford to ignore or take lightly.