While the committee finds some areas of merit, it is, overall, a critical report. “The Committee was impressed with the GOSCC as a model of how industry contractors with particular expertise can be integrated with MoD personnel, and reassured by the clarity with which its mission was communicated,” it reports. GOSCC is the Global Operations and Security Control Centre, comprising a mix of military, MoD civilian and contractor personnel from major industry partners. “Their role is to deliver, manage and defend the Defence Network and provide worldwide assured communications for the MoD around the clock, 365 days a year.”
However, this is in stark contrast to other areas which the committee finds confused, undeveloped and not thought through. “The MoD’s thinking on the best internal structures for cyber-security appears to us to be still developing... At present the stated unifying role of the DCOG is more illusory than real... There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response... We are concerned that the then Minister’s responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues.”
The overall conclusion is somewhat bleak. “The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security. The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour.”
Cassidian, which is an active participant in the GOSCC praised by the committee, doesn’t believe the report goes far enough in its recommendations – and perhaps not far enough in its praise. “Over the past 7 years this joint Cassidian-MoD team,” it claims, “has successfully mitigated the impact of significant cyber attacks that have crippled other countries’ military networks and thus prevented damage being inflicted on UK military operations.”
At the same time, however, Andrew Beckett, head of Cassidian Cyber Security Consulting Services, warns that “the report stops short of calling for greater pressure to be placed on the international community to create a common response policy to events in cyberspace.” His concern is the difficulty that individual nations face in tackling international cyber attacks. “There is no current legislation to facilitate the prosecution of cyber crime. If an attacker sits in the Ukraine and attacks a server in Texas to gain control and mount another attack on a UK organization then whose jurisdiction does the crime fall under? Who can prosecute it and under which law?” he asks.
Martin Sutherland, MD of BAE Systems Detica, acknowledges the criticisms in the report – but feels that the UK’s overall security strategy is progressing well. “The UK's strategy is still going through a process of implementation;” he explains, “however it is progressing well and has a mature approach in comparison to many other nations. Interestingly,” he adds, “the UK was placed first of the G20 in its ability to withstand cyber attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton’s recent Cyber Power Index.” Nevertheless, he agrees that “there is still a long way to go before we can say that we are successfully countering cyber threats.”