Strategic Perspectives on Cyber Defence
Total Page:16
File Type:pdf, Size:1020Kb
Strategic perspectives on Cyber Defence Dr Joe Devanny ECEME visiting lecture, 31 July 2019 The UK as a Cyber Power Jeremy Fleming, Director of GCHQ, February 2019. 2 Cyber defence in strategic perspective In the last century and during the Cold War we were preoccupied by the risks of territorial invasion and the destruction of industries and cities by wide area aerial bombing. In the 21st-century we should be as concerned about the risks for countries such as the UK to be broken in a confict by the combined application of precision missiles and ofensive cyber, designed to break the functioning of our national life, and this physical efect dramatically amplifed by mass manipulation all forms of media to sow deep cognitive distress amongst the general public. In confict that can now develop at click and missile speed there will be no time to address this strategic vulnerability in the heat of the moment. We need political leadership to reset planning and resourcing - and above all confdence – in basic national resilience at the levels of government, institutions, enterprises and citizens. This will become just a Generalroutine part (Rtd) of lifeSir inRichard a turbulent Barrons, 21st-century. April 2019. 3 The magnitude of cyber threat 2017-18: 40% OF UK 2017-18: UK CITIZENS 2017-18: UK CITIZENS 2017-18: UK CYBER BUSINESSES MORE LIKELY TO TWICE AS LIKELY AS CRIME TWICE AS EXPERIENCED A EXPERIENCE CYBER GLOBAL AVERAGE TO LUCRATIVE AS CYBER BREACH. CRIME THAN ANY SUFFER CYBER GLOBAL AVERAGE. OTHER TYPE OF CRIME. CRIME. 2017: ESTIMATED 2017-19: HALF OF £4.6 BILLION 1100 THREATS STOLEN FROM 17 ADDRESSED BY NCSC MILLION INTERNET ATTRIBUTED TO USERS IN UK. STATE ACTORS. 4 The digital homeland Security is the ‘umbrella’ concept for cyber strategy, encompassing both defensive and offensive aspects of military cyber, but its starting point is the protection of domestic (public and private sector) networks. 5 What is Cyber Security? Cyber Security: refers to the protection of information systems (hardware, software and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security 6 procedures. Dimensions of National Cyber Power Protection Deterrence Developmen Resilience t 7 Dimensions of National Cyber Power Intelligenc Military e Security Diplomacy 8 Dimensions of National Cyber Power Educatio Business n Policy Law 9 Governments and Digital Technology Changing attitudes 10 Which one of these people was the first regular user of email as prime minister? Changing attitudes ‘I do not believe we would get a huge volume of email in the long run, but we could expect an initial flood as people around the world tried it out for fun.’ Alex Allan, principal private secretary to the Prime Minister, 22 August 1994 (The National Archives, PREM 19/4621). 12 The first email exchange between heads of government 13 Politicians become more sophisticated, but create cyber security problems 14 Politicians become more sophisticated, but create cyber security problems 15 Use of new media for strategic communication 16 The Evolution of UK Cyber Strategy 17 UK national strategy 1997-2019 Across this period, strategic and policy documents were developed and published by several different departments. Latterly (especially since 2008), publication of national security strategy documents has primarily been the responsibility of the Cabinet Office (caveat: Home Office publishes CONTEST). The increasing role of the Cabinet Office reflects a trend of growing central capacity to coordinate national security issues, including cyber security, across the UK government. 18 Cyber Security Strategy 19 Cyber Security Three national strategies in the last decade 2009: Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space 2011: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world 2016: National Cyber Security Strategy 2016-21 20 The challenge of cyber strategy UK Generational issues still apparent, especially in senior positions. cyber User behaviour runs faster than bureaucratic practices such as regulation. strategy Government faces competition from private sector in recruiting and has retaining skilled professionals. evolved Government must collaborate with private sector experts. since There is an untidy landscape of institutional actors with its overlapping responsibilities. origins Competition for control over cyber strategy. in the Government has moved away from laissez-faire approach towards more active intervention. 1990s: Improve education and communication, achieving behavioural change across society. 21 UK Cyber Strategy 2009 22 UK Cyber Strategy 2009 23 2009 Strategy: 8 Workstreams SAFE, SECURE AND POLICY, DOCTRINE, AWARENESS AND SKILLS AND RESILIENT SYSTEMS LEGAL AND CULTURE CHANGE EDUCATION REGULATORY ISSUES TECHNICAL EXPLOITATION INTERNATIONAL GOVERNANCE, ROLES CAPABILITIES & ENGAGEMENT AND RESPONSIBILITIES RESEARCH AND DEVELOPMENT 24 UK Cyber Strategy 2009 2009: Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office, and Office of Cyber Operations (OCO) at GCHQ. 2009: Lead responsibility for cyber security retained by a GCHQ unit, Computer Electronic Security Group (CESG). GCHQ’s primary mission was intelligence collection and analysis. But agencies and departments remained responsible for securing their own information. 25 UK Cyber Strategy 2011 26 The 2010-15 coalition and national strategy There’s a big diference between talking about strategic issues and being strategic. I think some people round that table [on the National Security Council] thought – because we were talking about Russia, or Libya, or the Middle East – that we were being strategic, but we weren’t. We didn’t. We were talking about policy goals! Lord Richards of Herstmonceux (former Chief of Defence Staff), 2014. 27 The 2010-15 coalition and cyber strategy There were numerous players in the cyber domain: some 15 government departments, agencies and law enforcement bodies saw themselves as having a key role, and many others were attached to these. They covered a vast range of areas, illustrating the pervasive nature of cyberspace: domestic security; business and economic policy; education; foreign afairs; the law; intelligence and security; public safety; and law enforcement. Robert Hannigan, former director of GCHQ (2014-17). 28 UK Cyber Strategy 2011 29 Coalition Cyber Strategy 2010-15 2010: National Security Strategy designates cyber a Tier 1 security threat; allocates £650m for national cyber security programme (rising to £860m); creates a cross-government committee on Cyber chaired by foreign secretary. This is a signifcant investment during a period of public sector austerity. 2011: new cyber strategy’s 4 priorities: Make UK one of most secure places to do business online; more resilient to cyber attack, better able to protect our interests in cyberspace; help shape open, vibrant and stable cyberspace that supports open societies; build UK cyber security knowledge, skills and capability. 2012: Joint Forces Command created, includes military cyber defence and offensive cyber capabilities; 10 Steps to Cyber Security for executives. 2013: Centre for Cyber Assessment (CCA) created to emulate Joint Terrorism Analysis Centre, improving quality of expert analysis available to ministers; creation of cyber security information- sharing partnership (CiSP) with private sector; Joint Cyber Reserve Force as part of Joint Forces Cyber Group. 2014: National Computer Emergency Response Team (CERT UK) created in Cabinet Ofce. 2015: National Security Strategy repeats Tier 1 threat status; announces national cyber security centre will replace CESG’s role as lead agency, but still formally part of GCHQ. 30 National Cyber Security Programme, 2011-15 31 32 Critical National Infrastructure 33 UK Cyber Strategy 2016 34 UK Cyber Strategy 2016 a market based approach to the promotion of cyber hygiene has not produced the required pace and scale of change; therefore, Government has to lead the way and intervene more directly by bringing its infuence and resources to bear to address cyber threats. the Government alone cannot provide for all aspects of the nation’s cyber security. An embedded and sustainable approach is needed where citizens, industry and other partners in society and government, play their full part in securing our networks, services and data. 35 UK Cyber Strategy 2016 Defend Deter Develop 36 UK Cyber Strategy 2016 DEFEND: We have the means to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves. DETER: The UK will be a hard target for all forms of aggression in cyberspace. We detect, understand, investigate and disrupt hostile action taken against us, pursuing and prosecuting offenders. We have the means to take offensive action in cyberspace, should we choose to do so. DEVELOP: We have an innovative, growing cyber security industry, underpinned by world-leading scientific research and development. We have a self-sustaining pipeline of talent providing the skills to meet our national needs across the public and private sectors. Our cutting-edge analysis and expertise will enable the UK to meet and overcome future threats