We rely heavily on badly-protected technology, say MPs
MPs have complained about government “complacency” in their assessment of when military forces should involve themselves in cyber warfare, pointing to a potentially fatal reliance on inadequately protected systems.
In a report released today, the Defence Committee said the government did not appear to have a fully-constructed plan for dealing with a major cyber attack. Meanwhile, the ever-changing threat landscape, coupled with a major reliance on IT, made for a potentially lethal brew for the UK military as it prepares for cyber warfare.
The current government pumped an extra £650 million into cyber security in 2011. Most – £157 million – has gone on “national sovereign capability to detect and defeat high end threats”, as shown in the chart below. By comparison, £28 million has gone to police via the Home Office, and £31 million to the Ministry of Defence.
Cyber warfare worries
“The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised,” the report read.
“In its response to this report the government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so – and urgently create some.”
The committee also said there appeared to be little consensus on identifying the source of attacks – something that would be necessary in determining whether to retaliate to a cyber hit.
Many professionals agree attribution is very difficult, given the tools available for encrypting and routing traffic through servers across the world. Former minister for the Armed Forces, Nick Harvey MP, said it was doable in “many cases”, but not all.
But the government’s own Cyber Security Strategy said “with the borderless and anonymous nature of the internet, precise attribution [of attacks] is often difficult and the distinction between adversaries is increasingly blurred”.
“There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response,” the MPs wrote.
“Development of capabilities needs to be accompanied by the urgent development of supporting concepts.
“We are concerned that the then Minister’s responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues.”
MPs demanded greater clarity for the government on executive authority in the event of a major cyber incident. The report recommended that “a programme of regular exercises, involving ministers as well as officials, is put in place to test the arrangements”.
It also recommended the Ministry of Defence should provide Parliament with a report on cyber incidents and performance against metrics on at least an annual basis.
“The government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents,” added chair of the Committee, James Arbuthnot MP.