Putting cyber into the context of the 2015 Strategic Defence and Security Review
Vice President of L-3 TRL Technology, Steve Mason, takes a look at cyber security through the lens of the 2015 Strategic Defence and Security Review.
Every five years, the government evaluates its spending of public funds towards the strategic defence of the nation. This review leads to the development of a new five-year defence plan that builds on the achievements of the past five years, while shifting focus to consider the key challenges the UK is likely to face over the next five years.
This five-year plan is published in the form of the National Security Strategy and Strategic Defence and Security Review (SDSR). The latest SDSR was released in November 2015.
The previous plan, published in November 2010, was the first time Her Majesty’s Government (HMG) had allotted significant funding to the cyber issue. The Cabinet Office –in the form of the Office of Cyber Security and Information Assurance (OCSIA) – was allocated £860 million pounds for the National Cyber Security Programme (NCSP, which were used by public institutions across government to tackle cyber issues.
Since 2010, cyber in its broadest sense has grown exceptionally in both scale and scope, and what was once a niche challenge for HMG has become a far more pressing issue.
SDSR 2015 was developed under challenging and demanding global geopolitical circumstances. In 2010, the UK committed to working with Russia to promote energy and political stability globally. Russia has since taken steps to define itself in an anti-Western image, and the country’s unilateral activities in Ukraine and Syria have destabilised both Eastern Europe and the Middle East. Terrorism and extremism stubbornly remain a significant threat, as evidenced by the tragic events in Paris, and most recently in Belgium. As a result, political instability – and the resultant human mass migration – is a significant concern for all nations, most especially Europe.
Cyber in SDSR 2015
The word cyber appears 110 times throughout the 96 pages of SDSR 2015 – it even has its own dedicated section, in chapter 4 – so it’s fair to say that cyber is a significant focal point for government for at least the next five years.
I would even go as far as to say that cyber cuts through the defence and national security priorities of HMG so deeply that it underpins its defence strategy for the next five years.
SDSR 2015 sets out three key national security objectives:
= Protect our people
= Protect our global influence
= Promote our prosperity
HMG has a set of tools it can use to achieve these objectives. And while cyber isn’t a tool in its own right, it reinforces all the other tools at HMG’s disposal.
In order to protect our people, the government has committed to the following:
= spending the NATO-mandated 2% of GDP on defence
= modernising the MOD and intelligence agencies
= responding to state-based threats
= building and maintaining a national deterrence capability to address counter terrorism and organised crime
= becoming a world leader in cyber security
= increasing the UK’s resilience to threats
Cyber – whether offensive, defensive, or both – plays a significant role in all of these aims by reinforcing the activities the government undertakes to achieve them. Take the modernisation of the MOD, for example. Historically unconnected, the worlds of cyber and traditional defence are now crashing together. Soon, the MOD will have a cyber-trained and enabled workforce, capable of conducting cyber activities on any future battlefield. This is the MOD Joint Force of 2025, as outlined in SDSR 2015 and illustrated below:
It would be easy to conclude that the MOD’s cyber modernisation will take shape solely in the Joint Cyber Group outlined under Defence Intelligence in the diagram opposite. But the reality is that the MOD will mainstream cyber on every level of the joint forces shown here. Every tank, aircraft, ship, submarine, soldier, and UAV will become both a cyber sensor and effector on the battlefield of 2025. Cyber capabilities will be used for tactical, theatre and even strategic effect, and thus everything from cyber planning to exercising and training will be ingrained in the DNA of the MOD’s future fighting forces.
One has only to read about the advanced and aggressive cyber attacks against the Ukrainian power grid in late 2015 and early 2016 to understand that protecting our people is only possible through the robust and innovative cyber defence of the United Kingdom’s critical national infrastructure (CNI) – and those of our allies.
To enable the government to protect our global influence, it has committed to:
= protecting assistance to fragile states and regions
= expanding our soft power reach
= building stronger alliances and partnerships
= strengthening international order
= helping overseas allies with their own national resilience
It’s clear that working closely with allied nations is critical to the success of this objective, and while it may be challenging to find a common thread of national interest for the UK and these allies, cyber defence will invariably be a common denominator.
Despite the banking crisis of 2007/08, the UK’s financial institutions remain one of our best international exports. Yet SDSR 2015 leaves us in no doubt that the government sees cyber as a strategically important export over the next five years – and one that will contribute directly to the nation’s global influence.
To promote our prosperity, the government plans to:
= champion a rules-based trading environment
= maximise defence, security, diplomatic and development activities
= work more closely with the private sector to increase innovation
= support the UK’s defence and resilience
Yet again, cyber plays an important role in these activities. The UK has a rich tradition in state-of-the-art technical and engineering innovation, and is a world leader in the development of cutting edge intellectual property (IP). That said, advances in hacking capabilities and tradecraft – combined with lower barriers to entry for advanced hacking operations – means the theft of this world-beating IP is a significant threat to our national prosperity.
Organised gangs of criminals use cyber know-how to steal money and hold valuable information for ransom – therefore, the need to protect the UK’s CNI, including cyber threats to it, is at the top of the government’s agenda. To counter these threats, the UK is developing a stable of market-leading cyber defence capabilities to ensure the UK remains internationally competitive, and a prosperous place to live and do business.
SDSR 2015 commitments
Of the cyber commitments made in SDSR 2015, a few stand out:
= the establishment of the National Cyber Security Centre
= a £2.5 billion increase in funding for our national intelligence agencies
= the recruitment of an additional 1,900 security and intelligence staff across the intelligence agencies
These goals demonstrate the government’s commitment to cyber as an issue of strategic importance.
The government is working with industry partners to develop the capabilities we need to generate outcomes in cyberspace. Input is specifically being sought to ensure HMG has:
= access to the technical innovation necessary to ensure UK cyber solutions are world-class, and to enable the outcomes we need both domestically and internationally
= the massive technical and developmental scale required to create the cyber capabilities and solutions needed by government
= the developmental pace to be able to create capabilities in an agile manner, and to put these in place when needed
But there is a significant bottleneck putting the delivery of SDSR 2015’s cyber objectives at risk: people. Achieving this level of cyber success isn’t an exercise in building great widgets or ‘cyber boxes’ – it’s an exercise in ensuring the UK has the right cyber workforce necessary to deliver success. I would even go so far as to say that, until recently, this was a growing problem: the UK’s education system simply isn’t producing enough talented cyber ninjas to address the need, and demand has drastically outstripped supply.
That said, SDSR 2015 recognises this fact, and I’m pleased to see that government has been taking steps to address this issue. CyberFirst is a fantastic scheme aimed at building the next generation of cyber experts, while CyberInvest is breaking down barriers in the traditionally challenging triumvirate of industry, academia and government. These are just two initiatives developed to address the need, and I’m pleased to see that government are inviting industry to contribute to most of their ideas.
While we eagerly await the upcoming 2016 Cyber Security Strategy, and expect it to reinforce HMG’s established stance on cyber, SDSR 2015 makes it very clear that cyber is no flash-in-the-pan issue. Rather than being this decade’s dotcom bubble waiting to burst, it’s a clear and important priority for HMG for at least the next five years – and companies that have the ability to design and develop the cyber capabilities needed by government have the chance to become part of the UK’s drive for cyber excellence.
About L-3 TRL
With 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government, and part of the Cyber Growth Partnership (CGP). Our cutting-edge, best-of-British technology is accredited and approved by CESG, and we have achieved two Queen’s Awards for innovation.
For more information, visit www.L-3com.com/trl