Cyber security: protection through partnership

Peter ArmstrongThe Ministry of Defence has set out to boost the UK’s cyber security, in partnership with a number of the country’s leading defence firms. Here, Peter Armstrong, Director of Cyber Security at Thales UK, one of the firms involved, outlines for MOD DCB the partnership’s key priorities for the year ahead.

A report released earlier this year by KPMG revealed that British FTSE 350 firms are failing to keep their networks safe, and as a result are putting the safety of Britain’s economy and national security under threat due to simple flaws in web security. And it’s not just the larger firms that are causing concern; a survey by McAfee also highlighted that despite British small and medium-sized enterprises (SMEs) providing training in IT and security, their employees often fail to prevent breaches and data leaks. As the number of threats to British businesses rises month on month, the cyber support to allow British firms and their suppliers to help prevent the nation coming under attack becomes ever more critical.

The Ministry of Defence has acknowledged the need for better cyber security by launching the Defence Cyber Protection Partnership (DCPP) in conjunction with other government agencies and nine UK defence and telecoms firms including GCHQ, BAE Systems, BT and Thales UK. The partnership’s main focus will be to reduce threats to the UK’s defence supply chain, particularly from the aggregation of low-level risks, with the intention of eventually filtering the output down to benefit trade and industry too.

DCPP: just another cyber security partnership?

The creation of the DCPP intends to build upon the UK’s ongoing commitment to the reinforcement of the UK as a safe place to do online business; it is an important government-industry cyber initiative formed to improve the cyber defences of the MOD’s supply chain. The DCPP will work to define and apply a new standards framework that protects investments already made in cyber security, eventually rolling it out to the whole defence industry. It will achieve this by setting high standards, developing best practice, sharing real-time information about the type and extent of cyber attacks that each company is experiencing, and raising the awareness and defence posture in the defence supply chain.

Understandably there may be questions around why the Government needs to launch yet another private/public sector cyber security partnership – surely there are enough of those already? It has been compared to the Cyber Security Information Sharing Partnership (CISP) which launched in March this year to encourage information and intelligence sharing across the private and public sectors. The DCPP, though, has a clear remit to augment, refine or accelerate existing initiatives and as such will support CISP and other initiatives in this field, avoiding duplication but reinforcing the overall cyber defence posture, according to the MOD.

There will be three key activity streams to the DCPP in 2013: information sharing; development of threat-derived cyber standards and a measurement framework (spearheaded by Thales); and communication and awareness in the supply chain. The partnership will address the lack of awareness of cyber risks across the supply chain, with the DCPP partners all collaborating on these activities with a clear focus to improve standards and practices of cyber defence in the whole MOD supply chain.

Protecting the supply chain

The protection of UK companies from cyber attack is one of the most pressing national security issues of the day, identified as a UK National Tier 1 Threat, and the DCPP will encourage the supply chain to embark upon this improvement journey together, both requiring and fostering collective responsibility. Typically, companies’ IT systems and networks must, by necessity, carry large amounts of highly sensitive information, enticing cyber crooks and increasing the impact that any potential attack could make tenfold. Aeronautics giant and IT supplier to the US Pentagon, Lockheed Martin, learnt this lesson the hard way when it famously came under attack in 2011 as a result of hacks at two of its suppliers. This is a classic example of aggregated low-level risk at work.

There are currently over 50 security regulatory standards in existence across the globe, which are adopted by companies according to their geography, industry sector and unique security compliance needs. For multi-national and/or multi-sector organisations this creates a massive compliance headache when trying to improve the security maturity of one’s supply chain. The DCPP intends to create a framework that straight-forwardly compares the effectiveness of these many standards when measured against the threat-derived controls that the MOD is requiring its suppliers to embrace. This will allow organisations that have already invested in a compliance regime to preserve their investments and only augment their regime with a few additional threat-derived controls. The new framework will utilise an easy to use set of assessment frameworks with an easy to understand formula to determine the level of rigour different organisations need to apply to defence in the context of these controls.

Once the DCPP has produced its assessment framework and ensured the members themselves are complying, the members will start extending the compliance to these controls throughout their supply chains, including SMEs. In 2014 the partnership will open up its membership to other firms and eventually to firms in other industries, enabling greater collaboration across the country to tackle the growing threat of cyber attacks on the supply chain.

Spreading the word

The DCPP will enable a collaborative approach to cyber defence across the entire MOD supply chain, and will ensure that every stage of the procurement, manufacturing and delivery process is as secure as it can possibly be. It is imperative that UK businesses acknowledge that cyber attacks are now ranked as a Tier 1 threat to national security, and understand that any company of any size can be hit in a chain of attack.

For more information, visit:

NDI Collaborating for Growth conference

NDI Conference | MOD DCOCollaboration is important for growth. The act of sharing knowledge, learning and building consensus is often heralded as imperative in establishing best practice, new opportunities and promoting growth.

Collaboration is important across the whole supply chain, from Primes to Tier 4 contractors. The NDI conference, held on 5-6 March at The Point, Lancashire County Cricket Ground, Manchester, brought together businesses of all sizes to discuss how SMEs can grow for the benefit of both the country and the defence industry. SMEs are a valuable link in the supply chain, employing 13 million people in the UK, and in 2012 40% of new MOD contracts – work worth over £1bn – were placed with SMEs. The NDI Conference, Collaborating for Growth, ran three breakout sessions – Growth through International Trade, Growth through Business Excellence and Growth through Investment & Finance – to discuss the key issues affecting the growth of SMEs.

Philip Dunne, Minister for Defence Equipment, Support and Technology spoke at the event. He said:

“The existence of a strong, diverse supply chain and the vital role SMEs play in nurturing science and engineering skills combine to provide the innovation increasingly relevant to the UK’s defence needs of the 21st century.

“I am fast becoming a strident champion of SMEs working in the defence sector.”

Mr Dunne chairs an SME forum that meets three times a year to discuss the issues specifically affecting SMEs working in the defence industry. The Minister said that the MOD is keen to get SMEs involved in the supply chain, whether directly or indirectly through Prime Contractors. An example of this is the push for transparency by the MOD through the early publication of the ten-year Defence Equipment Plan and upcoming publication of the DSTL plan for investment, which will allow SMEs to plan ahead and potentially be part of the opportunities that will become available.

Mr Dunne also said:

“A vibrant UK defence industry including manufacturing, servicing and exporting is a vital part of our strategy of rebalancing the economy so we can return to sustainable growth.”

Exports play an important part in creating growth and this was a central theme at the conference. Mr Dunne made it clear that defence exports are firmly back on the agenda and said that ministers will lead delegations that include SMEs to other markets in order to help dialogue in places of growth like Brazil. He said:

“We want to help you to maximise your access to overseas markets.

 “We recognise that most defence budgets are under pressure and we want to support you in penetrating markets where there is growth, such as the Middle East, Far East and South America.

“Promoting defence exports is a core part of the MOD’s commitment to the Government’s growth agenda. We will increasingly focus our engagement with prospective partner and customer nations in a way that helps you demonstrate to them the value of long-term equipment support.”

He offered the sale of Typhoon jets to Saudi Arabia of an example of opportunity that filters down the supply chain. Mr Dunne encouraged trade associations, money permitting, to form relationships with similar associations in other countries to help promote growth and exports. He said: “Working together on exports provides the opportunity to reduce the costs of the equipment programmes for UK forces. Export customers can help to spread the costs of development programmes, or the fixed assets needed for long-term support and allow government to recoup some of its investment through the use of export levies.”

“Exports can form an essential element of our defence engagement initiatives.”

There were extensive discussions about exports at the Growth through International Trade breakout session. The UK won £8bn new overseas business across Defence and security in 2011 and it is important for the UK’s exports to grow in order to counteract fiscal pressures at home. Speaking during this session, Keith Venables, Business Development Director, UK Trade and Investment Defence and Security Organisation (UKTI DSO), said: “The UK’s reputation, particularly SMEs, is a strong factor in exporting success.”

He said that businesses have to face up to the reality that defence budgets are being squeezed in Europe and the United States so UKTI DSO has established priority markets, for instance in the Middle East in countries including Saudi Arabia, UAE, Oman, Kuwait, Qatar and Libya, where there is significant business to be won. He said growth is coming from the SME sector and that the players in the export market are changing – those who weren’t exporting in 2006 are leading the way now, while the biggest exporters in 2006 have lost £2 billion worth of exports.

Philip Doyle, Manager, Aerospace and Defence Europe, Government of Victoria, Australia, agreed that static markets in Europe and growing opportunities elsewhere may mean foreign markets may be a better way to grow a business in this economy. He was at NDI promoting business opportunities for UK companies in Victoria, and suggested building relationships and growing a market presence in the market of choice. Collaborating with a business from another market can open up opportunities in both countries.

Warren Bayliss, Assistant Head, International Relations Group, Defence Equipment and Support (DE&S), Ministry of Defence, presented the potential benefits of the US-UK Defence Trade Cooperation Treaty, which came into force in April 2012. The Treaty is extremely attractive to SMEs as it gives an exemption from International Traffic in Arms Regulations that have been found to slow down business with the US. The Treaty makes business faster, gets equipment to the UK Armed Forces more quickly and strengthens the UK’s trade relationship with the USA.

To take advantage of the Treaty, SMEs are urged to be part of an approved community; this takes six months to join and there is a vetting process. However, once a business is part of the community, the US Government will trust it and like to do business with it.

Session Two was called Growth through Business Excellence and was led by John Terry, Director of Argent Vulpes Ltd. The message behind this session was the importance of business excellence at every level in the supply chain, as well as at every level within a business. Every business in the supply chain expects business excellence from those both above and below them in the supply chain.

The one thing that Mr Terry was keen to point out was the importance of the SC21 Awards – a change programme designed to accelerate the competitiveness of the aerospace and defence industry by raising the performance of its supply chains. Having an SC21 Award improves a business’ reliability, especially if it is an SME.

Mr Terry was followed by Dr Derek Ford, Senior Industrial Fellow, IfM Education and Consultancy Services, who said businesses should prioritise their resources. He said: “Companies that exploit their core competencies do better than those who don’t.”

It is important for a business to understand its core strengths and where its priorities are to grow but Lynn Tompkins, UK Operations Director of Semta, pointed out that skills also grow businesses. She said that some SMEs are doing very well by investing in skills as it is another important element of business excellence.

Session Three was Growth through Investment and Finance, led by John Bell, Aerospace and Defence Director, Barclays Corporate Banking. The session looked at ways to fund growth through both traditional and non-traditional methods. Mr Bell was keen to promote making use of grants and subsidies, saying: “I seem to come across a new grant or growth initiative every day.”

Some interesting approaches to funding include collaboration between buyers and suppliers and joint venture bank accounts. Banks provide free advice and knowledge to businesses and Mr Bell said that not enough SMEs make use of this advice.

He urged businesses to check their eligibility for Government grants and schemes, such as the Funding for Lending Scheme, Regional Growth Fund and the Business Growth Fund, as well as checking with agencies and trade associations for possible assistance. He also suggested that SMEs should request a trade review from banks and access research by banks on markets, funding option and clients.

Chris Kirby, Managing Director of Magnomatics, was up next and passed on his first-hand knowledge of the difficulties of finding funding. He provided a very informative and hard-hitting insight on the peaks and pitfalls of searching for funding. Preparation is key in gaining investment as is networking and using the right options out of the range available to businesses.

The important lessons to take away from this event are that help is available and best practice will always heighten a business’ chances of success. Defence, including defence exports, offer opportunities for SMEs within the supply chain and are an important part of the Government’s Plan for Growth