Strategic perspectives on Cyber Defence

Dr Joe Devanny
ECEME visiting lecture, 31 July 2019

The UK as a Cyber Power

Jeremy Fleming, Director of GCHQ, February 2019.

Cyber defence in strategic perspective

In the last century and during the Cold War we were preoccupied by the risks of territorial invasion and the destruction of industries and cities by wide area aerial bombing. In the 21st-century we should be as concerned about the risks for countries such as the UK to be broken in a conflict by the combined application of precision missiles and offensive cyber, designed to break the functioning of our national life, and this physical effect dramatically amplified by mass manipulation of all forms of media to sow deep cognitive distress amongst the public.

In conflict that can now develop at click and missile speed there will be no time to address this strategic vulnerability in the heat of the moment. We need political leadership to reset planning and resourcing - and above all confidence – in basic national resilience at the levels of government, institutions, enterprises and citizens. This will become just a routine part of life in a turbulent 21st-century.

General (Rtd) Sir Richard Barrons, April 2019.

The magnitude of cyber threat

• 2017-18: 40% OF UK BUSINESSES EXPERIENCED A CYBER BREACH.
• 2017-18: UK CITIZENS MORE LIKELY TO EXPERIENCE CYBER CRIME THAN ANY OTHER TYPE OF CRIME.
• 2017-18: UK CITIZENS TWICE AS LIKELY AS GLOBAL AVERAGE TO SUFFER CYBER CRIME.
• 2017-18: UK CYBER CRIME TWICE AS LUCRATIVE AS GLOBAL AVERAGE.
• 2017: ESTIMATED £4.6 BILLION STOLEN FROM 17 MILLION INTERNET USERS IN UK.
• 2017-19: HALF OF 1100 THREATS ADDRESSED BY NCSC ATTRIBUTED TO STATE ACTORS.

The digital homeland

Security is the ‘umbrella’ concept for cyber strategy, encompassing both defensive and offensive aspects of military cyber, but its starting point is the protection of domestic (public and private sector) networks.

What is Cyber Security?

Cyber Security: refers to the protection of information systems (hardware, software and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security procedures.

Dimensions of National Cyber Power

Protection, Deterrence
Development, Resilience

Dimensions of National Cyber Power

Intelligence, Military
Security, Diplomacy

Dimensions of National Cyber Power

Education, Business
Policy, Law

Governments and Digital Technology

Changing attitudes

Which one of these people was the first regular user of email as prime minister?

Changing attitudes

‘I do not believe we would get a huge volume of email in the long run, but we could expect an initial flood as people around the world tried it out for fun.’

Alex Allan, principal private secretary to the Prime Minister, 22 August 1994 (The National Archives, PREM 19/4621).

The first email exchange between heads of government

Politicians become more sophisticated, but create cyber security problems

Use of new media for strategic communication

The Evolution of UK Cyber Strategy

UK national strategy 1997-2019

Across this period, strategic and policy documents were developed and published by several different departments.

Latterly (especially since 2008), publication of national security strategy documents has primarily been the responsibility of the Cabinet Office (caveat: Home Office publishes CONTEST).

The increasing role of the Cabinet Office reflects a trend of growing central capacity to coordinate national security issues, including cyber security, across the UK government.

Cyber Security Strategy

Cyber Security

Three national strategies in the last decade

• 2009: Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space
• 2011: The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world
• 2016: National Cyber Security Strategy 2016-21

The challenge of cyber strategy

UK cyber strategy has evolved since its origins in the 1990s:

• Generational issues still apparent, especially in senior positions.
• User behaviour runs faster than bureaucratic practices such as regulation.
• Government faces competition from private sector in recruiting and retaining skilled professionals.
• Government must collaborate with private sector experts.
• There is an untidy landscape of institutional actors with overlapping responsibilities.
• Competition for control over cyber strategy.
• Government has moved away from laissez-faire approach towards more active intervention.
• Improve education and communication, achieving behavioural change across society.

UK Cyber Strategy 2009

2009 Strategy: 8 Workstreams

• SAFE, SECURE AND RESILIENT SYSTEMS
• POLICY, DOCTRINE, LEGAL AND REGULATORY ISSUES
• AWARENESS AND CULTURE CHANGE
• SKILLS AND EDUCATION
• TECHNICAL CAPABILITIES & RESEARCH AND DEVELOPMENT
• EXPLOITATION
• INTERNATIONAL ENGAGEMENT
• GOVERNANCE, ROLES AND RESPONSIBILITIES

UK Cyber Strategy 2009

2009: Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office, and Office of Cyber Operations (OCO) at GCHQ.

2009: Lead responsibility for cyber security retained by a GCHQ unit, Computer Electronic Security Group (CESG). GCHQ’s primary mission was intelligence collection and analysis. But agencies and departments remained responsible for securing their own information.

UK Cyber Strategy 2011

The 2010-15 coalition and national strategy

There’s a big difference between talking about strategic issues and being strategic. I think some people round that table [on the National Security Council] thought – because we were talking about Russia, or Libya, or the Middle East – that we were being strategic, but we weren’t. We didn’t. We were talking about policy goals!

Lord Richards of Herstmonceux (former Chief of Defence Staff), 2014.

The 2010-15 coalition and cyber strategy

There were numerous players in the cyber domain: some 15 government departments, agencies and law enforcement bodies saw themselves as having a key role, and many others were attached to these. They covered a vast range of areas, illustrating the pervasive nature of cyberspace: domestic security; business and economic policy; education; foreign affairs; the law; intelligence and security; public safety; and law enforcement.

Robert Hannigan, former director of GCHQ (2014-17).

Coalition Cyber Strategy 2010-15

2010: National Security Strategy designates cyber a Tier 1 security threat; allocates £650m for national cyber security programme (rising to £860m); creates a cross-government committee on Cyber chaired by foreign secretary. This is a significant investment during a period of public sector austerity.

2011: new cyber strategy’s 4 priorities: Make UK one of most secure places to do business online; more resilient to cyber attack, better able to protect our interests in cyberspace; help shape open, vibrant and stable cyberspace that supports open societies; build UK cyber security knowledge, skills and capability.

2012: Joint Forces Command created, includes military cyber defence and offensive cyber capabilities; 10 Steps to Cyber Security for executives.

2013: Centre for Cyber Assessment (CCA) created to emulate Joint Terrorism Analysis Centre, improving quality of expert analysis available to ministers; creation of cyber security information-sharing partnership (CiSP) with private sector; Joint Cyber Reserve Force as part of Joint Forces Cyber Group.

2014: National Computer Emergency Response Team (CERT UK) created in Cabinet Office.

2015: National Security Strategy repeats Tier 1 threat status; announces national cyber security centre will replace CESG’s role as lead agency, but still formally part of GCHQ.

National Cyber Security Programme, 2011-15

Critical National Infrastructure

UK Cyber Strategy 2016

• a market based approach to the promotion of cyber hygiene has not produced the required pace and scale of change; therefore, Government has to lead the way and intervene more directly by bringing its influence and resources to bear to address cyber threats.
• the Government alone cannot provide for all aspects of the nation’s cyber security. An embedded and sustainable approach is needed where citizens, industry and other partners in society and government, play their full part in securing our networks, services and data.

Defend

Deter

Develop

DEFEND: We have the means to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.

DETER: The UK will be a hard target for all forms of aggression in cyberspace. We detect, understand, investigate and disrupt hostile action taken against us, pursuing and prosecuting offenders. We have the means to take offensive action in cyberspace, should we choose to do so.

DEVELOP: We have an innovative, growing cyber security industry, underpinned by world-leading scientific research and development. We have a self-sustaining pipeline of talent providing the skills to meet our national needs across the public and private sectors. Our cutting-edge analysis and expertise will enable the UK to meet and overcome future threats and challenges.

UK Cyber Strategy post-2016

2016: National Cyber Security Strategy, creates new £1.3 billion national cyber security programme (2016-21). Cumulatively with other expenditure equates to over £3bn between 2016 and 2021.

2016: New National Cyber Security Centre (NCSC) is formed; part of GCHQ, comprising circa 800 staff. Incorporates CCA, CESG, CERT UK and cyber role of CPNI. Advises Defence Cyber Security Operations Centre.

2018: National Cyber Security Skills Strategy published by the Department for Digital, Culture, Media and Sport (DCMS), includes Cyber Security Body of Knowledge (CyBOK) and CyberFirst programmes; Aviation Cyber Security Strategy published.

NCSC runs an Active Cyber Defence programme to protect public sector networks.

Since 2018, National Security Council sub-committee for Strategic Defence and Security Review implementation includes Cyber in its remit; sub-committee of 8 senior ministers chaired by Chancellor of the Exchequer; £40m investment in Defence Cyber Security Operations Capability; CS Export Strategy.

Active Cyber Defence

Active Cyber Defence since 2016

Takedown Service: reduced UK-based phishing attacks by half, to 2.4% of global phishing. 2017: 219,992 takedowns across 72,975 IP addresses comprising 99,543 campaigns. 2018: 192,256 takedowns across 24,320 IPs comprising 51,569 campaigns.

HMRC down from 16th to 146th most phished website in the world, 2016-18.

Protective DNS programme: Restricted access to 11,000 malicious websites every month for public sector internet users.

WebCheck: identified over 2000 urgent threats and disseminated threat reporting to public sector organizations to take remedial action.

(Cyber) Deterrence

Cyber Deterrence

To increase the cost and consequences by:

• Enhancing cyber security & resilience
• Public attribution, in concert with allies
• Criminal proceedings where possible
• Diplomatic and economic sanctions
• Offensive cyber and non-cyber military responses

Cyber Deterrence

how can you deter for example cyberattack or things happening on the homeland? One way with cyber is to establish offensive cyber capabilities and protocols for revealing them to other countries, which help to ensure that they are deterred from offensive action within a cyber domain... There is cyber deterrence. It is not remotely sophisticated or developed yet, but we are in the foothills of that. The principal form of deterrence is still in the conventional military and nuclear military areas. That is where the majority of the active deterrence of the Armed Forces sits.

Former Chief of Defence Staff General (Rtd) Lord , May 2019.

Offensive Cyber

Normalization of Offensive Cyber Operations

Cyber weapons are stealth ordnance, written in zeros and ones, like all computer code. They can infiltrate whole networks or infect individual computers. They have the capacity to confuse enemy signals, shut down military attacks before they occur, and stymie communication systems, all without the flash and bang of the typical weapons of war. They rely on software vulnerabilities, poor cyber hygiene, and people who inadvertently open attachments infected with malware. The Trump Administration, with Bolton in the lead, has made offensive cyber operations an integral arm of statecraft. It remains an open question whether they will also become lethal weapons of war.

Sue Halpern, ‘How Cyber Weapons Are Changing the Landscape of Modern Warfare,’ The New Yorker, 18 July 2019.

US Election infrastructure, 2016

From 2014, 21 US states were targeted by the Russian attacks on voting systems. In one case, those attacks succeeded in breaching a state voter database. One 2017 test of a decommissioned voting machine used in one state found that voters could have accessed the machine in supervisor mode by using the default password, ‘ABC123’.

‘Law enforcement and the intelligence community is going to be significantly reliant on what the holders and owners and operators of the infrastructure sees on its system and decides to raise their hand.’ Lisa Monaco, Former US presidential homeland security advisor.

Elias Groll, ‘Scope of Russian Election Hacking Remains Unclear,’ Foreign Policy, 25 July 2019.

Counter-ISIL Offensive Cyber, 2017

This is the first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign…In 2017 there were times when Daesh found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications…We may look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.

Jeremy Fleming, Director of GCHQ, April 2018.

Signalling and escalation control

National Offensive Cyber Programme

2015: creation of NOCP partnership between MoD and GCHQ, circa 500 personnel.

2018: £250m NOCP investment to grow to 2000 personnel. Defence Cyber School also created.

In medium term, likely endpoint is a small military-led joint cyber force, rather than a separate Cyber Command.

National Offensive Cyber Programme: £250m?

Offensive Cyber in Whole Force context

[Bar chart; categories: Army, Navy, Airforce, Reserves, Civilians, Off. Cyber; vertical axis from 0 to 80000.]

Joint Forces Command and Offensive Cyber

It’s tended to be a little bit of a poor cousin in terms of personnel priorities. Single services are quite sort of, for justifiable reasons, keen to career manage and work force plans. JFC tends to sort of be a bit of an adjunct to that, and what we’re trying to do is to improve the ability for the commander of JFC to manage his or her workforce in a slightly more autonomous way than currently.

Vice Chief of Defence Staff General Gordon Messenger, April 2019.

Joint Forces Command is there to be the proponent of the enabling capabilities of the joint force. I hope that it has stuck to its original purpose. There is a risk, I have heard, that it has turned into what some people call a purple skip, into which if anything does not have a home it is chucked.

Former Chief of Defence Staff General (Rtd) Lord Nick Houghton, May 2019.

Cyber domain – Future Force Concept 2017

• Securing access to specialist cyber skills, both within and external to Defence, whilst developing our own broader cyber awareness to improve security, resilience and better employment of cyber and electromagnetic capabilities.
• Developing cyber and electromagnetic battlespace management to enable agile command and control, information exchange, and joint force integration.
• Building cyber and electromagnetic resilience through adaptive systems, reversionary modes, better understanding of risk, training and education.
• Developing and understanding, nationally and through international partners, acceptable norms and protocols to employ effective cyber capabilities.

Offensive Cyber - Future Challenges

• Continued partnership between GCHQ and Ministry of Defence?
• Mainstreaming cyber within defence – a career anchor?
• Future coordination and budget allocation between offensive cyber and cyber espionage.

Cyber Education and Training

CyberFirst programme since May 2016

CyberFirst and training UK military cadets

Cyber Security Education initiatives

Since May 2016, NCSC has run the CyberFirst programme to target 11-18 year olds.

Cadet CyberFirst: £1m per annum to train 2000 cadets in cyber security; grow number of cadets from 43000 to 60000 by 2024.

Cyber Schools, CyberFirst Girls Competition.

Higher Education: CyberFirst Bursaries and Degree Apprenticeships; 28 PhDs; fourteen centres of excellence for research; four university research institutes; the Alan Turing Institute; and the PETRAS Hub for Internet of Things Security; Academic Startup Programme to assist in commercialization of cyber security research.

Cyber Oversight

Legislative

Judicial

Audit and independent oversight

Legislative Oversight

Joint Committee on the National Security Strategy

Defence Select Committee

Intelligence and Security Committee of Parliament

Conclusions

Slow development of UK Cyber Strategy, accelerated after 2009; challenges regarding expertise, recruitment and retention; need to raise public awareness and change behaviour in civil society and private sector. Security as the umbrella concept.

UK Cyber Security Strategy was initially relatively laissez-faire, but after 2016 has become more active and interventionist. NCSC is advisory body, relies on voluntary cooperation – and regulation introduced by DCMS.

Still comparatively modest, but significantly increasing public expenditure; efforts to improve intra-governmental coordination, as well as extensive collaboration with private sector experts. Classic method of coordination across different institutional actors; no lead ministerial authority for Cyber.

Thank you …and Questions?
