Cyber Defence – Boots or Sandals, Sidies or Beards

The National Security Strategy categorised Cyber Attacks as being one of the most direct and likely threats the UK will face in the coming years, a Tier 1 Threat.

A recent speech from the Director General of GCHQ was notable simply because it was given at all; cyber defence is coming out of the shadows. Reading the speech, however, there is no mention of war, battles, defences or anything remotely military.

Also notable was the Chief of the General Staff discussing the issue and calling for the setting up of a UK Cyber Command:

We must learn to defend, delay, attack and manoeuvre in cyberspace, just as we might on the land, sea or air and all together at the same time. Future war will always include a cyber dimension and it could become the dominant form

Is this difference in approach, with GCHQ and the military taking understandably different positions, a sign of a coming turf war for funding and control, or is it entirely natural that we should approach the issue at many levels?

When it comes to actually creating a capability to defend against cyber attack and possibly use it in our own offensive operations where should the priorities lie?

I tend to think it should be concentrated away from the military. Funding is tight enough as it is, and diluting our already sparse resources to chase after cyber capabilities and follow the US fashion is a bad idea. It also fails to take into account the connectedness of modern systems: to defend in depth, one needs cooperation from a range of nations and organisations.

NATO and the EU joint capability areas would be a good place to invest, and where military expertise needs to form part of the mix, as surely it will, it should be on a secondment or joint basis.

Let’s not reduce the UK’s military capability by diverting precious funding to an area best served by those with beards and sandals (sorry about the wholly out of touch stereotype!)

Intelligence and the civilian security sector are far better placed, supported by the military, but certainly not commanded by them.

26 Comments
Jed
January 16, 2011 4:07 pm

H’mmmm, while I can see what you’re getting at, I think you’re taking a slightly simplistic view of the whole arena.

While we are not quite into the realms of what is currently considered to be science fiction, we are rapidly heading towards it, with recent USN comments about the capabilities of the Next Generation Jammer including the ability to use clever wave forms to attack (software controlled) receivers (be they radar, or comms) to insert spurious information (perhaps even virus ???).

However we are not quite there yet, and this remains a messy area of jurisdiction. GCHQ equates to the Intelligence services level of things; on the civil side there are police agencies that deal with cyber crime. In the military there are very necessary capabilities, mostly oriented to protecting our networks rather than attacking those of the enemy. In fact there is a TA Specialist Unit that is manned by people who do this kind of thing for their “day job”.

The problem of course is how you split the responsibilities. If you diagnose a current attack as being against the Critical National Infrastructure, how do you then figure out if it’s being perpetrated by organised crime, terrorists, or agents of the government of another state, in a timely manner? Again, timeliness then depends on your policy with respect to response. If it’s organised crime, are you going to attempt to find and arrest them? If it’s terrorists, are you going to do the same as above OR bomb their camps? If you can PROVE it’s the actions of a hostile government, are you going to respond in kind with a cyber attack, or are you going to bomb them?

So as per usual, policy and strategy need to be decided first. Cyber can and will become a true Tier 1 threat, but at the moment, with bigger issues on the conventional side of the house, perhaps you’re right that the armed forces should not step up from the currently modest investment – Yet!

Personally I would suggest the most holistic approach possible with an overarching national coordinating function. This could be an off-shoot of GCHQ or even better a new separate agency hosted and supported by GCHQ. It would be responsible for turning National Security Council policy into strategy and policy. It would be the coordinating body between Intelligence, Police and Military AND the point of liaison with corporate UK. It might hold the R & D budget and be the public face of cyber security.

With a purely military aspect, Cyber needs to be subsumed into the Joint Information Operations Command, giving a truly purple tint to all elements of Info Ops, including Psyops, Media Ops, strategic communications (not in the military context, but as in military PR / corporate comms), running the various military comms networks (strategic and tactical) and of course military Cyber Operations. As a sop to those in Light Blue, I would establish the command on an RAF base and make them the host service (after all, I would be taking all the shiny helicopters away from them…..).

Jed
January 16, 2011 4:15 pm

With ref to above:

Royal Corps of Signals TA ‘Land Information Assurance Group’:
http://www.army.mod.uk/signals/organisation/9190.aspx

And this newer outfit that has some overlap

Land Information and Communications Services Group:
http://www.army.mod.uk/signals/organisation/9191.aspx

Jed
January 16, 2011 4:22 pm

Back again….

Information Operations, Information Systems and Intelligence are all ‘trades’ in the Royal Naval Reserve:
http://www.royalnavy.mod.uk/operations-and-support/royal-naval-reserve-2/about-rnr/roles-within-the-rnr/index.htm

However a quick search does not reveal much about RAF / RAFR / RAF Regiment units with respect to IT / Cyber; can someone with intimate knowledge fill in the gaps?

IXION
January 16, 2011 4:53 pm

This stuff is dangerous, and it will get more so.

I doubt if it truly fits into any existing service structure.
Some people have posted to the effect that 30 or so Tomahawks can cripple the national grid. Well, how about just turning it off at the switch!

Take note, all the ‘we must keep sovereign capability’ crowd: the US have recently started to worry that all the Chinese-made chips in their weapons could have a secret switch-off signal.

This is one of those areas where anyone prognosticating on what will be involved, and how it could affect things, will almost certainly be wrong (me included)!

The rapid growth of information technology and its obvious benefits means this stuff will have effects in all sorts of areas. One example mentioned to me recently was this:

‘Look at all the sci-fi stuff, major films of 30 years ago, which completely missed the mobile phone, the personal computer, even the iPhone etc. etc., and they were supposed to be the seers of this stuff.’

Just imagine what happens to your lean manned logistic system, if all the chips in the shipping containers scramble, or reset to rice pudding.

So who gets to do it is important. And to neglect this field out of service rivalry would be criminal. Having just argued that the RAF should be shut down, I see myself being persuaded that a separate Intelligence/police/defence force doing this stuff might just be necessary.

Jed
January 16, 2011 5:29 pm

Ixion – I think some of us made coherent arguments to get rid of the RAF completely (or in my case, shrink it and hand over some stuff) based on capabilities rather than platforms.

To raise a new ‘national’ Military / Para-military service to do “cyber” is an intriguing idea, but I feel it misses the point a little. Since Sun Tzu we have recognized that information is key on the battlefield. Information warfare is a very wide area, including media ops, psyops etc. I suppose we all have a tendency to drop ‘cyber’ into the same pot. So above I called for cyber to be part of a joint Information Operations Command.

However, if we spin it the other way, Information and Communications Technologies (ICT) are now completely fundamental to both civilian and military life. In the military they may be the only ‘area’ of operations that crosses the divides between offensive, defensive and logistics operations. I am rambling, sorry…….

I think what I am trying to say is that cyber is everywhere, and will become as important as providing clean air, food, water and ammo. It will become the 5th dimension of the integrated battle space (alongside land, sea, aero-space and time). Squaddies, Matelots and Crabs must all be switched on to cyber threats, and must all be able to deal with them at a tactical and personal level, with possibly some distinct formations at higher levels.

So in summary, I think cyber will be so pervasive that a new single, separate force might be the wrong way to go, but that it is something which must be integrated into everything we do, including the operations of the existing force elements.

ArmChairCivvy
January 16, 2011 6:12 pm

Hi Ixion,

I don’t watch Star Trek, but wasn’t this “Beam me up, Scotty” done about then, all over a mobile of the later, fashionable clam-shell design?
RE “all the sci-fi stuff, major films of 30 years ago, which completely missed the mobile phone…”

John Hartley
January 16, 2011 6:22 pm

If all our computers are made in China there can be no cyber defence. Mrs T asked why no video recorders were made in Britain, so a factory was set up to do that (Sharp?).
If anyone in Whitehall was awake, we would be giving a modest grant to make laptops/desktops/flatscreen TVs in the UK.
Also note today’s spammers/hackers can be recruited by intel to be future cyber warriors. Law enforcement needs to be more proactive in hunting these guys down. If they are abroad, inform anyone local with influence (national & local government, police, religious leaders, media, utilities, etc.).
All helps to put pressure on.

IXION
January 16, 2011 6:25 pm

Jed

On a more serious note to my earlier post, I think we need to watch this and stay flexible; I can see resources being wasted going up blind alleys as those in power pick the wrong horses in the race.

However, as you say, this is so pervasive in military and civilian life that we are just going to have to accept that will happen.

I can see each force having to look after itself defensively, but who would look after strategic attack? Who gets the responsibility of taking out an enemy’s power grid via e-attack? This will just be such a cross-force responsibility.

I have not mentioned the intelligence gathering / counter-intelligence stuff; I suppose that remains GCHQ/MI 5-6.

Not claiming any foresight except, (If I may quote my teenage daughter), ‘it’s going to be Mega’.

IXION
January 16, 2011 6:30 pm

ACC

Any modern mobile manufacturer would laugh his head off at the clunky, short-range design and function of the ‘Beam me up, Scotty’ Communicator.

I did not say they all got it wrong, only that many did.

ArmChairCivvy
January 16, 2011 8:08 pm

Here is a small excerpt from an interview with a man who donated £95m to Oxford Uni so that they could study future threats and problems without a bias:

“Officials in both the US and Britain have already warned that their respective electricity grids have been targeted by hackers. In Britain, Iain Lobban, the director of GCHQ, said last October that the threat of a cyber attack on critical national infrastructure such as the grid “is a real and credible one”.

Meanwhile, Joel Brenner of the US National Counterintelligence Executive said in April 2009 that the US authorities have detected “Chinese network operations inside certain of our electricity grids”.

Despite knowing the risks, however, Martin believes that not enough is being done by western governments to address the threat, largely because the security of the power supply is seen as the responsibility of the private companies in charge of the grids.

“If you talk to government they say it’s not their problem because everything on the grid is private corporations and we can’t tell individual corporations how to behave so it’s up to them to make it secure,” Martin said.
– James Martin, that is, if anyone wants to Google.
– 5 yrs, he says, it would take to totally insulate against the internet (and obviously it would cost a lot, too).

x
January 16, 2011 8:29 pm

This really falls under GCHQ’s remit, so no need for a separate force as such. (Though I think some of them would like a Star Trek uniform. Preferably not one with a red jumper.)

The main problem is the pool of possible recruits. ICT at secondary level is a joke. A-level isn’t much better. And the number of IT graduates sinks year on year; the quality of degrees ranges from world beating to crap. The trouble is that it is cheaper for the larger institutions to outsource to India so the bottom has fallen out of the market.

One of the best things “we” could do is to shift away from Windows onto a BSD system. It is this outer layer which is the problem. I remember when the Internet became and systems designers would leave their stuff frighteningly open. To those of us who came from the closed, structured world of the mainframe it was very disconcerting. Physical security is often forgotten: does this system really need to reach the outside world, and if so how far? Look at the US military’s moratorium on USB memory sticks. IT is perhaps the one area where bespoke at times would be better.

It is an interesting debate in some IT circles whether open countries (like the West) or closed countries (like China) breed better “hackers.” The former has access to everything and can test and play to their hearts’ content. The latter has access to nothing and needs to improvise to get anywhere.

All good clean fun.

Mike
January 16, 2011 9:43 pm

I agree with Jed, it’s a much broader sphere of operations, but it’s also one that’s just not solely military – so perhaps joint funding with other offices and agencies? Like X says, more a military intelligence/counter-intelligence/GCHQ job… so it would better come from their budget, but with defence contributing too.

Either way, I think that is the UK’s ‘Achilles’ heel’ really, but I would prefer a joint UK-Franco/US/EU/NATO effort rather than us going it alone.

Cyber warfare is pretty big, lol TD it would require its own series of posts!

DominicJ
January 17, 2011 9:40 am

The sensible defence would be the traditional defence.
Isolate the system.
The electricity grid can be shut down by hackers; why in God’s name is it connected to the internet?

I just don’t believe anything has changed in reality, apart from the word cyber having become “cool”.

The Eastern Front of the First World War was decided (or massively influenced) by the fact that the Russians didn’t have encrypted radio.
Anything the two Russian armies said to each other, and much of the internal Russian communication, was picked up by the Prussians. They literally had the full Russian battle plan a day in advance.

Is turning off a power station “cyberly” really that different from doing so “kinetically”?

Dangerous Dave
January 17, 2011 1:41 pm

I agree at least in part with most of what has been said. So, just to add my ha’penneth worth:

Since our country creates service arms dependent on the operational medium (sea/land/air), having a separate “Royal Cyber Force” might be a good idea. It would certainly prevent stovepiping of capabilities and wasted/duplicated effort as all 3 of the traditional services develop strategies.

However, I agree with IXION and some of Jed’s post that maybe cyber warfare should be the remit of the Security Services (Defence of the Realm) and SIS (Offensive Action), supported as they traditionally are by GCHQ. There could be a requirement for all three of the armed forces to get their comms/C4 gear tested by the cyber warfare bods at regular periods to ensure it is safe by design, and that SOPs are up to the job of keeping it secure . . . it’s sufficiently esoteric to keep it with the “spying” part of the civil service, and not necessarily manpower intensive.

DominicJ has made the point that “The electricity grid can be shut down by hackers, why in gods name is it connected to the internet?” This is of course the best action. When I worked for a water company, although our water treatment and storage plant was linked to the office, it was a separated system: a discrete network that you had to physically break into (using a vampire tap) to gain unauthorised access.

It has been fashionable in recent years to use the Internet for this as it saves money, because the infrastructure of connections is already in place (the POTS – Plain Old Telephone Service). However, companies have been wilfully ignoring the fact that the Internet was designed to encourage the free dissemination of data (everything from a pdf to a virus to a command string is data in this context). So it has a complete lack of in-built security and filtering tools; it wasn’t part of the original remit. And any security systems built on such shaky ground cannot be secure by default. As I always say, you cannot build security out of insecure foundations.

The answer? Well, it’s expensive – what needs to be built is a National Infrastructure network. That way the comms for nationally sensitive sites such as the National Grid, nuclear power stations etc. can have their own discrete network for C&C. Such a network could include secure data and comms for the Armed Services, Police and Government, something I’m sure they would consider worthwhile. Of course, what must not be done is to connect this new network to the existing Internet via gateways, as this just creates a weak point that is vulnerable to cyber-attack.

Hope I haven’t rambled too much :-)

Dangerous Dave
January 17, 2011 1:46 pm

@ Dominic 16/01:

“Is turning off a power station “Cyberly” really that different than doing so “kineticaly”?”

Similar effect, but much cheaper/quicker. Once the cracker is in the system (I don’t like the use of “hacker” for this type of person) and the relevant command codes are known, then a script could be used to shut off *all* the power stations simultaneously by using whatever unique ID they have as part of the script.

Pros: Cyber is quicker and cheaper (no actual missiles / attack aircraft / SAS teams involved).

Cons: The target is only disabled, as only a restart or hard reboot is necessary to get it all back on-line. Even a reinstall from backup and restart would be quicker than rebuilding a power station after a physical attack(!)

paul g
January 17, 2011 2:13 pm

Cyber skills don’t exactly require the need to run 10 miles with half a house strapped to your back (not having a pop at IT guys, well I can’t, I’m Cisco qualified myself now). Why can’t we utilise the people leaving all 3 services at the age of 40? All 3 services have great engineers that carry on skills learnt when they return to civvy street; they would bring military knowledge (let’s face facts, it’s a different language) and security clearance to boot. There would be no problem if they had to scoot overseas at short notice as well, just a thought.

ArmChairCivvy
January 17, 2011 2:19 pm

Hi Paul g,

A great idea. Did anyone notice that an SAS general (or of high rank anyway, after losses due to the recent resignations) was put in charge of coordinating cyber defences?

Jed
January 17, 2011 2:49 pm

Dangerous Dave said: “The target is only disabled, as only a restart, or hard reboot is necessary to get it all back on-line.”

Not so, you’re not using your imagination. Think of the recent StuxNet attack, aimed (“allegedly”) at Iranian nuclear production. The attack wrecked the centrifuges by constantly messing with the frequency of the motors used to spin them. Take the same principle and apply it to the generators in an electricity plant – you might be able to wreck the gennies, burn out transformers or other distribution gear, cause a bloody meltdown in a nuke etc. Did you not see the episode in the last series of 24 where they attacked a gas plant? :-)

You can do a LOT of physical damage via “virtual” attack.
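The defensive counterpart to the motor-frequency manipulation Jed describes is a plausibility monitor on an independent telemetry path: the drive setpoints are checked against the process’s safe envelope and against how fast they are allowed to change, so that a setpoint the HMI is reporting as normal but the drives are not actually following still gets flagged. The following is an added example, not code from the thread or from any vendor; the drive ids, the envelope limits and the telemetry records are all constructed for illustration.

```python
"""Plausibility monitor for variable-frequency-drive setpoints.

Added example, not code from the original thread. It assumes a simple
constructed telemetry feed of (timestamp_s, drive_id, setpoint_hz) records
that is read from the drives themselves (or a separate sensor), not from the
controller that might have been reprogrammed. Drive ids and limits are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    min_hz: float       # lowest setpoint the process should ever command
    max_hz: float       # highest setpoint the process should ever command
    max_step_hz: float  # largest change allowed between consecutive samples


def check_setpoints(records, envelope):
    """Return a list of alert strings for samples that fall outside the
    envelope or that change faster than max_step_hz between samples.

    Both checks matter: a sabotaged controller can keep every value inside
    the band and still wreck equipment by slewing it up and down, so the
    rate-of-change test catches what the range test alone would miss.
    """
    alerts = []
    last = {}  # drive_id -> previous setpoint
    for ts, drive, hz in records:
        if not (envelope.min_hz <= hz <= envelope.max_hz):
            alerts.append(
                f"{ts}s {drive}: setpoint {hz} Hz outside "
                f"{envelope.min_hz}-{envelope.max_hz} Hz"
            )
        prev = last.get(drive)
        if prev is not None and abs(hz - prev) > envelope.max_step_hz:
            alerts.append(
                f"{ts}s {drive}: step of {abs(hz - prev):.0f} Hz exceeds "
                f"{envelope.max_step_hz} Hz"
            )
        last[drive] = hz
    return alerts


# Constructed envelope and telemetry: D1 is driven out of band and then
# slewed hard; D2 stays within normal operation throughout.
ENVELOPE = Envelope(min_hz=900.0, max_hz=1100.0, max_step_hz=50.0)
SAMPLE = [
    (0, "D1", 1000.0), (0, "D2", 1005.0),
    (1, "D1", 1010.0), (1, "D2", 1010.0),
    (2, "D1", 1400.0), (2, "D2", 1012.0),   # out of band and a 390 Hz jump
    (3, "D1", 1005.0), (3, "D2", 1008.0),   # back in band, but a 395 Hz drop
    (4, "D1", 2.0),    (4, "D2", 1010.0),   # near-stop: out of band, big step
]

if __name__ == "__main__":
    for line in check_setpoints(SAMPLE, ENVELOPE):
        print(line)
```

Running the block prints five alerts, all for D1 and none for D2. In a real deployment the alert list would feed the plant's alarm system rather than stdout, and the envelope would come from the process engineers, not from the control-system vendor's defaults.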

DominicJ
January 17, 2011 6:33 pm

Jed,
I and a friend wrote a virus that messed with CPU, GPU and memory clock speeds; we were trying to work out if we could burn out hard drive motors before we got bored.
It usually crashed before anything broke, but we took out a few pieces of kit.
Couple of 16 y/o’s and Delphi.
Not surprising the pros did better.

El Sid
January 18, 2011 11:26 am

The New York Times had a good article on Stuxnet recently, in the light of recent admissions about it. The Israelis now think that Stuxnet put back the Iranian bomb programme by three years, as much as an air attack would have done – no wonder that cyberwar is suddenly so much in vogue.

ArmChairCivvy
January 18, 2011 11:43 am

Hi El Sid,

Yes, and now the national pride forces the Iranians to push it into use while the Russian technicians helping are warning their own political masters that a Chernobyl could be in the making.

a
January 18, 2011 3:16 pm

“However, I agree with IXION and some of Jed’s post that maybe cyber warfare should be the remit of the Security Services (Defence of the Realm), and SIS (Offensive Action), supported as they traditionally are by GCHQ. There could be a requirement for all three of the armed forces to get their comms/C4 gear tested by the cyber warfare bods at regular periods to ensure it is safe by design, and that SOP’s are up to the job of keeping it secure.”

This makes a lot of sense. There’s not much obvious overlap between the roles of the armed forces and the cyber threat. Making sure that the electricity grid is robust against cyber attack is a national interest, but that doesn’t necessarily make it a forces problem – after all, making sure that our road network is robust is a national interest as well. The defensive side of things could be left to CESG, whose responsibility it should be now in any case. As for the offensive side, you have to ask the question: should we be in the business of deliberately destroying civilian infrastructure?

Brian Black
January 18, 2011 3:43 pm

It makes sense that cyber defence be primarily in the hands of the civilian security agencies; the potential threat that we face is not just aimed at the military, but industry and national infrastructure too.
——————–
With regards to the earlier comments about systems and networks being connected to the internet.

Stuxnet is speculated to have got through to the Iranian plant either through the supply chain (using hardware or software already infected with the virus, as reflected by IXION’s earlier comments regarding US concerns over foreign-bought equipment) or through the deliberate/careless use of an infected memory stick.
——————-
Another point worth noting is that Stuxnet could have been operating unknown to the Iranians for as long as 17 months, and could have been lying dormant (waiting to gain access to the relevant industrial processes) for a lot longer.

Cyber attacks can certainly involve playing the long game, we could already be at war and not know a thing about it.

DominicJ
January 18, 2011 6:07 pm

I think we’re safe from the ‘long game’ beyond practice penetration.
At the end of the day, what’s Iran going to do?

If the Ivans pulled Stuxnet on Aldermaston we could start blowing up the nuke subs we just track today.

McZ
January 20, 2011 2:12 pm

I think this Dept. of Homeland Security paper sums up the tasks of cyber defence pretty well.
http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf

StuxNet started just a few weeks after the paper became public. Siemens was deeply involved in this science effort: “PCS 7 is being assessed for cyber vulnerabilities at the Control System Security Center”. STEP 7, which is the compromised system, is the programming language for PCS 7.

As StuxNet is mentioned a few times: think of it as a very specialized piece of software, requiring absolutely specialist knowledge of the target. StuxNet without much insider info from the manufacturer would have been impossible. Also, StuxNet was targeting a system having absolutely no security or validation features. It entered the system by using an obscure exploit, then launching itself through the printer queue or one of six security holes in two different OSs, just to scan the programmable controller’s data for certain parts, simply reprogramming by overwrite (possible because there are no checksums).

What can we learn?
1) Unmanaged code is unsafe. Most exploits would simply not have been possible.
2) Using code without checksums or other basic security measures is … errrm … optimistic.
3) Encryption of internal communication would have defeated StuxNet. Too bad the SIMATIC OS does not know any encryption technique.
4) As StuxNet doesn’t have any current cloaking techniques, there are two possibilities: the attacker did not have the time to cloak, or he wanted the target to get the message.
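McZ’s second and third lessons, that controller code was overwritten because nothing checked it and that authenticated internal communication would have stopped that, come down to one control: the controller should refuse a program image unless it carries a tag that only the legitimate engineering workstation could have produced. The block below is an added example, not code from the thread and not anything Siemens or the STEP 7 / PCS 7 products of the time implemented; it assumes a hypothetical workstation-to-controller download in which both sides hold a shared key, and it also shows why a plain CRC (a checksum anyone can recompute) is not the same protection. The key, the program text and the version numbers are all constructed.

```python
"""Integrity and freshness check for a controller program image before load.

Added example, not from the original thread and not a vendor implementation.
Assumes a hypothetical download path: the engineering workstation signs
(version || image) with a key the controller also holds; the controller
verifies the tag and rejects any image whose version is not newer than the
one already installed, so an old but genuine image cannot be replayed.
All keys, images and version numbers below are constructed.
"""
import hashlib
import hmac
import struct
import zlib


def _message(version: int, image: bytes) -> bytes:
    # Bind the version number to the bytes so the tag covers both; a
    # signed image from last year must not verify as this year's update.
    return struct.pack(">I", version) + image


def sign_image(version: int, image: bytes, key: bytes) -> bytes:
    """Workstation side: produce an HMAC-SHA256 tag over (version, image)."""
    return hmac.new(key, _message(version, image), hashlib.sha256).digest()


def verify_image(version: int, image: bytes, tag: bytes, key: bytes,
                 installed_version: int) -> bool:
    """Controller side: accept the image only if it is newer than what is
    installed and the tag matches. compare_digest avoids a timing leak."""
    if version <= installed_version:
        return False  # rollback or replay of an already-seen image
    expected = sign_image(version, image, key)
    return hmac.compare_digest(expected, tag)


def crc_only_check(image: bytes, stored_crc: int) -> bool:
    """What a bare checksum gives you: integrity against corruption, not
    against an adversary, because the CRC needs no secret to recompute."""
    return zlib.crc32(image) == stored_crc


def demo() -> dict:
    """Constructed scenario: a genuine program, a tampered copy in which the
    drive setpoint has been altered, and a replay of an older version."""
    key = b"constructed-shared-key-not-for-real-use"
    program = b"OB1: read sensors; set VFD setpoint 1000 Hz; write outputs"
    tag = sign_image(2, program, key)
    tampered = program.replace(b"1000 Hz", b"1400 Hz")
    return {
        # legitimate update from version 1 to 2 passes
        "genuine": verify_image(2, program, tag, key, installed_version=1),
        # altered bytes under the original tag fail
        "tampered": verify_image(2, tampered, tag, key, installed_version=1),
        # the same genuine image offered again once version 2 is installed fails
        "replayed_old": verify_image(2, program, tag, key, installed_version=2),
        # an attacker who can overwrite the block can also recompute a CRC,
        # so the checksum-only scheme happily accepts the tampered image
        "crc_accepts_tampered": crc_only_check(tampered, zlib.crc32(tampered)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The shared-key HMAC keeps the example short; a production design would use an asymmetric signature so that the controller holds only a public key and cannot itself forge valid images if it is compromised, and the version counter would live in protected storage on the controller rather than in a variable.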