Cyberattack could leave UK 'fatally compromised', MPs warn

Defence Select Committee uncovers complacency

A major cyber-attack on the UK could leave the UK's armed forces "fatally compromised" without a viable 'plan b' a committee of MPs has warned the Government.

Despite acknowledging the UK's world-leading expertise in the cyber-defence, the influential Defence Select Committee uncovered a complex web of weaknesses and uncertainties that it said urgently needed to be addressed.

The first was simply a general complacency about the amount of progress that had been made to date, and a lack of clarity about how military and government might respond in certain scenarios.

"The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber-attack, their ability to operate could be fatally compromised," the Committee's report concluded.

Despite this, it was unacceptable that the Government had yet to set out its cyber-attack contingency plans, nor even whether it had one in place.

"Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour," said the MPs.

The committee was also unconvinced that the Ministry of Defence had done enough to secure its supply chain and industrial base.

"It is imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action."

There was a risk that different Parts of the armed forces competed with one another for resources, leading to fragmentation into 'silos'.

The UK had recently become involved in the NATO Cyber-Defence Centre of Excellence but needed to accelerate its efforts on this initiative.

In short, the stresses of cyber-defence have challenged the whole defence system to change its models from one based on physical assets to the acknowledgement that any future conflicts will have a frightening electronic and digital dimension.

The MPS seem to be saying that the military and perhaps government have yet to fully digest the implications of this change.

"Interestingly, the UK was placed first of the G20 in its ability to withstand cyber-attacks and deploy the appropriate infrastructure for a productive economy, according to Booz Allen Hamilton's recent Cyber Power Index," pointed out Martin Sutherland of BAE Systems Detica.

"We need to encourage more organisations to share best-practice approaches to cyber security and provide more information about the nature of the attacks they're seeing, particularly given that many private sector firms act as suppliers to Government or are delivering essential services that our nation relies upon every day," he said.

An anxiety running through the report is the ambiguity of cyber-attacks and in quickly identifying who is responsible, and in which circumstances retaliation might be justified.

"The other serious issue when it comes to cyber-attacks on the military is that even once a cyber-breach has been remediated and any potential damage minimised, there often remains an enormous amount of uncertainty surrounding the origins of the attack," agreed LogRythm's Ross Brewer.

In fact, this might just be a consequence of the lack of ready precedents for the military to study; others have argued that in a real-world scenario the chances of a country not having a good deal of knowledge about who was attacking it are over-stated. The real issue is how to respond.

Another approach would be for the UK Government to press for international co-operation; today's Internet is still to open to exploitation by small groups, including criminals, and that's before fully-resourced militaries are added to the calculation.

"There is no current legislation to facilitate the prosecution of [international] cybercrime," pointed out Andrew Beckett, head of Cassidian Cyber Security Consulting Services.

"If an attacker sits in the Ukraine and attacks a server in Texas to gain control and mount another attack on a UK organisation then whose jurisdiction does the crime fall under? Who can prosecute it and under which law?," he said.

"There is currently no extradition treaty and no agreements in place for the exchange of evidence which means that criminals are able to operate with impunity."

Join the CSO newsletter!

Error: Please check your email address.

Tags Ministry of Defencesecurity

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place