Cyber security: protection through partnership

The Ministry of Defence has set out to boost the UK’s cyber security, in partnership with a number of the country’s leading defence firms. Here, Peter Armstrong, Director of Cyber Security at Thales UK, one of the firms involved, outlines for MOD DCB the partnership’s key priorities for the year ahead.

A report released earlier this year by KPMG revealed that British FTSE 350 firms are failing to keep their networks safe, and as a result are putting the safety of Britain’s economy and national security under threat due to simple flaws in web security. And it’s not just the larger firms that are causing concern; a survey by McAfee also highlighted that despite British small and medium-sized enterprises (SMEs) providing training in IT and security, their employees often fail to prevent breaches and data leaks. As the number of threats to British businesses rises month on month, the cyber support to allow British firms and their suppliers to help prevent the nation coming under attack becomes ever more critical.

The Ministry of Defence has acknowledged the need for better cyber security by launching the Defence Cyber Protection Partnership (DCPP) in conjunction with other government agencies and nine UK defence and telecoms firms including GCHQ, BAE Systems, BT and Thales UK. The partnership’s main focus will be to reduce threats to the UK’s defence supply chain, particularly from the aggregation of low-level risks, with the intention of eventually filtering the output down to benefit trade and industry too.

DCPP: just another cyber security partnership?

The DCPP is intended to build upon the UK’s ongoing commitment to reinforcing its position as a safe place to do online business; it is an important government-industry cyber initiative formed to improve the cyber defences of the MOD’s supply chain. The DCPP will work to define and apply a new standards framework that protects investments already made in cyber security, eventually rolling it out to the whole defence industry. It will achieve this by setting high standards, developing best practice, sharing real-time information about the type and extent of cyber attacks that each company is experiencing, and raising the awareness and defence posture in the defence supply chain.

Understandably there may be questions around why the Government needs to launch yet another private/public sector cyber security partnership – surely there are enough of those already? It has been compared to the Cyber Security Information Sharing Partnership (CISP) which launched in March this year to encourage information and intelligence sharing across the private and public sectors. The DCPP, though, has a clear remit to augment, refine or accelerate existing initiatives and as such will support CISP and other initiatives in this field, avoiding duplication but reinforcing the overall cyber defence posture, according to the MOD.

There will be three key activity streams to the DCPP in 2013: information sharing; development of threat-derived cyber standards and a measurement framework (spearheaded by Thales); and communication and awareness in the supply chain. The partnership will address the lack of awareness of cyber risks across the supply chain, with the DCPP partners all collaborating on these activities with a clear focus to improve standards and practices of cyber defence in the whole MOD supply chain.

Protecting the supply chain

The protection of UK companies from cyber attack is one of the most pressing national security issues of the day, identified as a UK National Tier 1 Threat, and the DCPP will encourage the supply chain to embark upon this improvement journey together, both requiring and fostering collective responsibility. Typically, companies’ IT systems and networks must, by necessity, carry large amounts of highly sensitive information, enticing cyber crooks and increasing the impact that any potential attack could make tenfold. Aeronautics giant and IT supplier to the US Pentagon, Lockheed Martin, learnt this lesson the hard way when it famously came under attack in 2011 as a result of hacks at two of its suppliers. This is a classic example of aggregated low-level risk at work.

There are currently over 50 security regulatory standards in existence across the globe, which are adopted by companies according to their geography, industry sector and unique security compliance needs. For multi-national and/or multi-sector organisations this creates a massive compliance headache when trying to improve the security maturity of one’s supply chain. The DCPP intends to create a framework that straightforwardly compares the effectiveness of these many standards when measured against the threat-derived controls that the MOD is requiring its suppliers to embrace. This will allow organisations that have already invested in a compliance regime to preserve their investments and only augment their regime with a few additional threat-derived controls. The new framework will use an easy-to-use set of assessment frameworks with an easy-to-understand formula to determine the level of rigour different organisations need to apply to defence in the context of these controls.

Once the DCPP has produced its assessment framework and ensured the members themselves are complying, the members will start extending the compliance to these controls throughout their supply chains, including SMEs. In 2014 the partnership will open up its membership to other firms and eventually to firms in other industries, enabling greater collaboration across the country to tackle the growing threat of cyber attacks on the supply chain.

Spreading the word

The DCPP will enable a collaborative approach to cyber defence across the entire MOD supply chain, and will ensure that every stage of the procurement, manufacturing and delivery process is as secure as it can possibly be. It is imperative that UK businesses acknowledge that cyber attacks are now ranked as a Tier 1 threat to national security, and understand that any company of any size can be hit in a chain of attack.

For more information, visit:

The MOD: innovating in cyber security

Ross Parsell, Director of Cyber Security at Thales UK, outlines for MOD DCB the Ministry of Defence’s innovations in the realm of national cyber security.

The Ministry of Defence has a greater need than most organisations for innovating in cyber security. A successful attack on a private business can result in financial harm, loss of IP or reputational damage whereas a successful cyber attack against the UK can put critical national infrastructure, vital communications, defence forces and even the lives of UK citizens at risk.

This can no longer be construed as hyperbole. There are now numerous instances of cyber attacks causing real damage to the well-being of nation states. Consider the 2007 cyber attacks on Estonia, in which the websites of prominent Estonian organisations such as ministries, the media and banks were suspended or defaced by extended denial-of-service attacks via ping floods and botnets; the attacks on US government or private business websites, attributed by the US government to foreign powers under the ‘Titan Rain’ label; or the attacks during the South Ossetia war of 2008 that disabled a number of Georgian, Russian, Ossetian and Azeri websites.

Fortunately, the MOD is investing in cyber security innovation to make the UK more resilient to the sorts of attacks outlined above through both defensive and offensive measures. The MOD must also be lauded for its collaboration with industry to combat the growing cyber threat.

Combating the cyber skills shortage

To be at the forefront of cyber security, the MOD needs to recruit and maintain an elite cyber workforce. However, the need for cyber security experts in the UK far exceeds the pool of qualified personnel. While the public sector in general cannot compete with the top private sector firms on salaries, organisations such as the MOD and GCHQ are correctly positioning their cyber security employment opportunities as giving potential applicants more interesting work to do than the private sector. Cyber employees at the MOD really are at the forefront of cyber warfare: protecting the UK from malicious attacks from criminal gangs and other nations.

The MOD has also committed to investing heavily in its recruitment process. Under the UK National Cyber Strategy, central government has earmarked £650 million for hiring ‘cyber warriors’, of which the MOD received £90 million. The MOD will supplement this sum with a further £30 million from its own coffers.

Investing in cyber security technology

The MOD has invested in cutting-edge information security technology to ensure that its employees operate in one of the most secure working environments in the world. For example, assurance encryption hardware protects the MOD’s VoIP, email services, networks and storage to the level of IL5, which the nature of the MOD’s work demands. The MOD makes use of surveillance devices that can detect and alert IT departments as to when cyber attacks have occurred. It may seem like the world of James Bond, but some parts of the MOD even employ monitoring systems which can ascertain the stress levels of employees.

Collaborating with industry for cyber excellence

The MOD works with a number of suppliers, such as Thales, to ensure both it and the UK are cyber secure. National security cannot remain in the hands of the public sector alone but requires collaboration with industry. The MOD relies upon these third-party suppliers for everything from encryption hardware and identity management infrastructures to code signing solutions and time stamping.

However, effective cyber security relies upon more than just products. For instance, while at Thales we supply hardware and software to the MOD, we also supply expertise and training. With the UK under threat from an increasingly complex array of attacks from cyber space, suppliers that can offer the MOD value-add consultancy as well as the provision of equipment will be successful. Through collaboration with industry, the MOD’s workforce can develop their cyber skills and constantly improve their cyber maturity.