Cyber security: protection through partnership

Peter ArmstrongThe Ministry of Defence has set out to boost the UK’s cyber security, in partnership with a number of the country’s leading defence firms. Here, Peter Armstrong, Director of Cyber Security at Thales UK, one of the firms involved, outlines for MOD DCB the partnership’s key priorities for the year ahead.

A report released earlier this year by KPMG revealed that British FTSE 350 firms are failing to keep their networks safe, and as a result are putting the safety of Britain’s economy and national security under threat due to simple flaws in web security. And it’s not just the larger firms that are causing concern; a survey by McAfee also highlighted that despite British small and medium-sized enterprises (SMEs) providing training in IT and security, their employees often fail to prevent breaches and data leaks. As the number of threats to British businesses rises month on month, the cyber support to allow British firms and their suppliers to help prevent the nation coming under attack becomes ever more critical.

The Ministry of Defence has acknowledged the need for better cyber security by launching the Defence Cyber Protection Partnership (DCPP) in conjunction with other government agencies and nine UK defence and telecoms firms including GCHQ, BAE Systems, BT and Thales UK. The partnership’s main focus will be to reduce threats to the UK’s defence supply chain, particularly from the aggregation of low-level risks, with the intention of eventually filtering the output down to benefit trade and industry too.

DCPP: just another cyber security partnership?

The creation of the DCPP intends to build upon the UK’s ongoing commitment to the reinforcement of the UK as a safe place to do online business; it is an important government-industry cyber initiative formed to improve the cyber defences of the MOD’s supply chain. The DCPP will work to define and apply a new standards framework that protects investments already made in cyber security, eventually rolling it out to the whole defence industry. It will achieve this by setting high standards, developing best practice, sharing real-time information about the type and extent of cyber attacks that each company is experiencing, and raising the awareness and defence posture in the defence supply chain.

Understandably there may be questions around why the Government needs to launch yet another private/public sector cyber security partnership – surely there are enough of those already? It has been compared to the Cyber Security Information Sharing Partnership (CISP) which launched in March this year to encourage information and intelligence sharing across the private and public sectors. The DCPP, though, has a clear remit to augment, refine or accelerate existing initiatives and as such will support CISP and other initiatives in this field, avoiding duplication but reinforcing the overall cyber defence posture, according to the MOD.

There will be three key activity streams to the DCPP in 2013: information sharing; development of threat-derived cyber standards and a measurement framework (spearheaded by Thales); and communication and awareness in the supply chain. The partnership will address the lack of awareness of cyber risks across the supply chain, with the DCPP partners all collaborating on these activities with a clear focus to improve standards and practices of cyber defence in the whole MOD supply chain.

Protecting the supply chain

The protection of UK companies from cyber attack is one of the most pressing national security issues of the day, identified as a UK National Tier 1 Threat, and the DCPP will encourage the supply chain to embark upon this improvement journey together, both requiring and fostering collective responsibility. Typically, companies’ IT systems and networks must, by necessity, carry large amounts of highly sensitive information, enticing cyber crooks and increasing the impact that any potential attack could make tenfold. Aeronautics giant and IT supplier to the US Pentagon, Lockheed Martin, learnt this lesson the hard way when it famously came under attack in 2011 as a result of hacks at two of its suppliers. This is a classic example of aggregated low-level risk at work.

There are currently over 50 security regulatory standards in existence across the globe, which are adopted by companies according to their geography, industry sector and unique security compliance needs. For multi-national and/or multi-sector organisations this creates a massive compliance headache when trying to improve the security maturity of one’s supply chain. The DCPP intends to create a framework that straight-forwardly compares the effectiveness of these many standards when measured against the threat-derived controls that the MOD is requiring its suppliers to embrace. This will allow organisations that have already invested in a compliance regime to preserve their investments and only augment their regime with a few additional threat-derived controls. The new framework will utilise an easy to use set of assessment frameworks with an easy to understand formula to determine the level of rigour different organisations need to apply to defence in the context of these controls.

Once the DCPP has produced its assessment framework and ensured the members themselves are complying, the members will start extending the compliance to these controls throughout their supply chains, including SMEs. In 2014 the partnership will open up its membership to other firms and eventually to firms in other industries, enabling greater collaboration across the country to tackle the growing threat of cyber attacks on the supply chain.

Spreading the word

The DCPP will enable a collaborative approach to cyber defence across the entire MOD supply chain, and will ensure that every stage of the procurement, manufacturing and delivery process is as secure as it can possibly be. It is imperative that UK businesses acknowledge that cyber attacks are now ranked as a Tier 1 threat to national security, and understand that any company of any size can be hit in a chain of attack.

For more information, visit: www.thalesgroup.com