Cyber Priorities After SDSR 2010
RUSI Analysis, 19 Oct 2010
By John Bassett OBE, Associate Fellow, Cyber Security
The UK government's declared focus on cyber-security should focus on three priorities: building capability, nurturing national and international partnerships, and building an effective network defence.
By John Bassett, Associate Fellow, RUSI and former head of GCHQ's London Office
The emphasis on cyber-security in the new National Security Strategy is important and timely. Over the last decade the scale of the cyber threat to the UK has become clearer and clearer. It's been like turning over a stone: the more government and industry have looked, the more creepy crawlies they've found. As Iain Lobban, Director of GCHQ, made clear in his important public statement on 12 October, the UK now faces cyber attacks on an unprecedented and rapidly expanding scale, ranging in sophistication from low end criminal activity to much more sophisticated operations.
The Three Priorities
The challenge now for the Government is to achieve worthwhile enhancements with the increased but still very finite resources available. The priorities are threefold: to develop a much great cyber capability, especially people; to nurture effective partnerships at home and overseas; and to overhaul and transform the effectiveness of Britain's 'network defence'.
People: The Key to Better Cyber Security
People should be at the heart of the creation of an enhanced British cyber capability. Ordinary citizens, people in industry, academia, the military and the public sector all have a role to play.
GCHQ, which has been at the heart of Britain's communications security and intelligence effort for almost a century, already has a cadre of outstanding individuals with world class ability in cyber operations; this will need to be significantly increased and constantly refreshed to provide the country with a centre with sufficient depth and breadth of expertise for the decades ahead.
And while a national centre of exceptional ability and understanding at Cheltenham is essential to British cyber-security, all elements of government and the armed forces will need to increase their expertise in network security; The role of industry in providing coaching and assistance could well be vital here. For some government departments this may entail a change in mind-set as much as or more than a realignment of manpower.
But there's a need to educate and change attitudes more widely than just within government if Britain is to improve its cyber-security capability. Simple and regularly refreshed guidance for ordinary people can at least make things more difficult for those operating at the low end of the threat spectrum, and a strong university focus on cyber issues will be important in producing the outstanding individuals who are critical to ensuring the UK's cyber-security into the second quarter of the Twenty-first Century.
An effective government partnership with industry will be essential in delivering the continuing technological basis for network defence. And government may have useful technological and operational lessons to learn from the experiences of industry, particularly the financial sector, where some major companies run network defence operations that are on a par with those of some national governments.
Strong international partnerships will be important enablers for enhanced UK cyber-security. The relationship with the United States should be at the centre of the UK's international cyber alliances; certainly recent remarks by Secretary of State Clinton illustrate how much importance the US government places in the UK as an effective partner in cyber security. The existing military relationship between the Ministry of Defence and the US Department of Defense, and the UK-USA agreement between GCHQ and the National Security Agency provide firm foundations for arrangements. The cyber relationship between the governments is likely, though, to be more complex and variegated than just these traditional relationships, bringing in agencies and departments in both governments who are less familiar with each other.
Beyond the Trans-Atlantic relationship, the UK should also look to continue to develop cyber partnerships with NATO and European governments, and trusted intelligence partners such as Australia and New Zealand. And there is also scope for exploring possible relationships with new partners like India.
The First Operational Priority: Network Defence
There are a range of network operations in which the Government could invest. While there are synergies between different lines of operations, a step-change in the effectiveness of Britain's 'network defence' should be the highest operational priority and receive the most substantial resourcing. There are pressing operational requirements: as Iain Lobban has illustrated, UK networks are under increasing daily attack; at a strategic level an effective network defence system would be the keystone of a wider cyber security architecture, enabling development in time of active defence techniques and offensive capabilities; and at a political level a Government that puts emphasis on the importance of cyber security would run political risks if it failed to deliver tangible improvements to the country's network defences.
With an operational focus on protecting UK cyber assets, there would be a corresponding need for an effective system of targets and metrics to allow the Government to gauge the improvements in Britain's network defence across the life time of this Parliament.
Cyber In 2020
In the longer term, as Britain builds an enhanced cyber security capability, the aim should be to integrate it into other national security themes. By 2020 Britain's security strategy against non-state actors like criminals and terrorists should be able to rely on effective network security and intelligence as one of its most important tools; in the event of natural disaster UK networks should be suitably resilient and capable of handling the demands of the crisis, while recognising the importance of communications diversity. And the UK should be able to deploy an effective cyber warfare capability alongside more traditional units in future military confrontations.
Further Analysis: Cyber, Technology