UK cyber security under firePosted: 14/01/2013
By Islam Al Tayeb, Research Analyst, IISS-Middle East
The British military could be ‘fatally compromised’ by a major cyber attack because it lacks clear contingency plans and depends on technology with no verifiable back-up systems. This was the principal warning contained within the Defence and Cyber Security Report 2013 published last week in the UK. The report said the armed forces were now completely reliant on IT, but the MPs on the committee said they were uncertain who would be responsible for what in the event of a prolonged cyber attack. ‘The government should set out details of the contingency plans it has in place should such an attack occur,’ they say. ‘If it has none, it should say so – and urgently create some.’
The report called on the government more broadly to act ‘with vigour’ to boost efforts on cyber security. ‘The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security,’ it insisted. ‘The government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents.’
Indeed, it is not only the military facing cyber threats in the UK, but other government departments, private businesses and individuals. The Information Security Breaches Survey published by consultants PwC in April 2012 found that 93% of large corporations and 76% of small businesses in the UK had a cyber-security breach in 2011. The cost of each was estimated at £110,000–250,000 for large businesses and £15,000–30,000 for smaller ones.
Since then, the number of UK cyber incidents has continued to increase. In May 2012, UK officials admitted that there had been some successful breaches of classified MoD networks. In June, the head of the UK Security Service said that a London-listed company lost an estimated £800 million as a result of state-backed cyber attacks. A month later, a Shanghai-based group linked to the People’s Liberation Army, and identified as ‘Byzantine Candor’ in leaked US cables, was found collecting information about several targets, including UK defence research firm Qinetiq.
The British government needs to appreciate that cyber attacks are not merely technological failures, but international incidents requiring strategic assessment and a comprehensive doctrinal approach. Thus, any advances on the technological front must be accompanied by the development of a working legal and policy framework governing norms of engagement. As cyber attacks are fundamentally cross-border incidents, internationally orchestrated responses can be pivotal in increasing the ability to combat them.
The progress made in implementing the 2011 UK Cyber Security Strategy is a step in the right direction in managing cyber incidents, yet it remains toothless in preventing attacks. Learning from the experiences of other security-minded countries could therefore serve to provide points of reform for the current system.
To cope with the security risks that reliance on IT brings, Britain needs to streamline its efforts on increasing understanding, developing comprehensive rules of ICT governance and regulation, forming cross-border partnerships and building technologically advanced sets of tools and skills.
Issues of politics, sovereignty and intelligence-sharing are critical to the development of a more comprehensive cyber strategy. If these issues are tackled by the British government, high-level prevention and mitigation of cyber attacks could flow naturally as part of a more collective response supported by strong, internationally recognised rules of engagement and governance of the cyber domain. The British government has no time to lose.