UK Defence Committee Report on “Defence and Cyber-Security”
Britain launched a National Cyber Security Programme in late 2010 with funding of 650 million pounds ($1.04 billion) over the period of 2011 to 2015 and the Ministry of Defence has been allocated 14 percent (90 million pounds).
About half of the 650 million will be targeted to improve the U.K.’s core capability, based mainly at GCHQ at Cheltenham, to detect and counter cyber-attacks.
Despite these funds, the UK government is not doing enough to address the military opportunities and vulnerabilities of cybersecurity, the Parliament’s defense committee has warned.
The most relevant recommendations of the Defence Committee Report are:
- the Ministry of Defence and the National Security Council should keep under review the delineation of the military role in national cyber-security, not with a view to expanding that role unnecessarily, but to ensure that threats are dealt with in the most appropriate and effective manner, and that the MoD can focus its resources accordingly;
- the Government needs to put in place [with vigour] mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents;
- the Government should ensure that civil contingency plans identify the military resources that could be drawn upon in the event of a large-scale cyber attack, such as additional staff, planning resources or technical expertise. In its response to this report the Government should set out what work it is doing to identify the reliance of the Armed Forces on the integrity and resilience of the Critical National Infrastructure, the steps it has taken to ensure that the CNI will remain sufficiently robust to meet the needs of the Armed Forces and its contingency plans for the event that any relevant part of the CNI should fail;
- the Ministry of Defence should makes development of rules of engagement for cyber operations an urgent priority, and that it should ensure that the necessary intelligence, planning and coordination functions are properly resourced;
- before a ‘lead Government Department’ is identified for a particular cyber incident there is a potential gap during which the Cabinet Office has a coordinating role but the location of executive authority is not clear. It is vital that clear procedures are in place, and communicated, about how ownership of incident response is escalated when necessary from individual departments to higher, central authorities. The National Security Council should review these arrangements to ensure that the UK’s response to major cyber-incidents is as streamlined, rapid and effective as it can be, and that a programme of regular exercises, involving ministers as well as officials, is put in place to test the arrangements;
- the National Cyber Security Programme requires robust governance and the Minister for the Cabinet Office chairs the Programme Board. However, the Programme represents only the tip of the iceberg of the necessary cyber-security activity across government. High-profile and authoritative leadership is required for all such activity;
- cyber-security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The relevant minister should have the authority to direct government departments to take action if they are not performing as required. The National Security Council should also dedicate time, with the relevant minister in attendance, to consider cyber-security matters on a more regular basis;
- the opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces should be explored thoroughly by the Ministry of Defence. To this end, the Committee supports the use of National Cyber Security Programme funding for the purpose of developing such capabilities. In addition, the opportunity to draw upon capabilities from strategic partners, particularly the USA, should be fully exploited;
- the Ministry of Defence should provide Parliament with a report on cyber incidents and performance against metrics on at least an annual basis;
- the Ministry of Defence should build on existing strengths in the ways reservists contribute to cyber-defence and operations, and to retain the particular reserve-led command structures that facilitate those contributions.
Read all the Report here:
mercoledì 9 gennaio 2013