Defence Committee warns MoD on cyber security
Report praises MoD comms hub but recommends cyber security be prioritised as a matter of 'urgency'
The House of Commons Defence Committee has called on the Ministry of Defence (MoD) to develop rules of engagement for cyber operations as an urgent priority.
The report states that "there is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response" and recommends that the government identifies "the military resources that could be drawn upon in the event of a large-scale cyber attack."
In a report on 'Defence and Cyber Security', the committee warns that given the Armed Forces heavy reliance on information and communications technology, "should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised."
The report urges the government to respond with details of any contingency plans it has in place for such an attack, adding that "if it has none, it should say so- and urgently create some."
It argues that the MoD should clarify its cyber security structures and lines of accountability "unambiguously" and in "a more comprehensible fashion". In particular, the report recommends that "the respective roles of the Chief Information Officer and Joint Forces Commander are clarified in relation to cyber security."
The report says that "good cyber security practice needs to permeate the whole of the MoD and the Armed Forces", adding that it would be concerning if different units were to operate in silos or if policy became fragmented. The committee describes MoD's thinking on the best internal structures for cyber security as "developing", and says that "getting this right must be a top priority."
In particular, the report suggests that the MoD should focus on developing career structures for their personnel "that will allow them not only to develop, but build on, their cyber skills." The committee also encouraged the MoD to prioritise "a strategy for recruiting personnel with specialist skills from the private sector."
The committee welcomed "the initial steps taken by the MoD to develop the Joint Cyber Reserve" - a group of IT experts that will help the armed forces protect the UK from online threats- but added that "it is regrettable that information about its establishment was not shared with us during our evidence taking".
The report says that "the MoD must be rigorous in ensuring that all cyber security activity...is fully funded", adding that the committee was "encouraged by the then Minister for the Armed Forces explanation that spending on cyber would be included as a matter of course in future programme budgets."
The committee's report is critical of some of its witnesses, which included academics, MoD officials, Armed Forces Minister Nick Harvey MP and Cabinet Office Minister Francis Maude, saying that they "gave the impression that they believed that an admission of the problem took them close to resolving the problem. It does not."
In particular, the report says that, although the Cabinet Office has "a coordinating role" regarding cyber security, "the location of executive authority is not clear", and it goes on to recommend that present arrangements are reviewed "to ensure that the UK's response to major cyber incidents is as streamlined, rapid and effective as it can be."
However, the committee singles out the Global Operations Security Control Centre (GOSCC), an MoD communications hub, for praise. The committee says that is "impressed" with the GOSCC as "a world-class facility" and "a model of how industry contractors with particular expertise can be integrated with MoD personnel". In addition, according to the report, "the GOSCC should be held up as a centre of excellence to promote good practice within the MoD and other government departments."
The report recommends that the MoD reports to Parliament regarding "cyber incidents and performance against metrics on at least an annual basis."
In conclusion, the report says, "the government needs to put in place- as it has not yet done- mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the government approached this subject with vigour."