Cyber security and the transatlantic alliance
It is a great delight to be invited to speak here in New York today and to address this forum. As Assistant Chief of the Defence Staff for Global Issues I understand how crucial the transatlantic alliance is and the UK/US relationship in particular.
Since World War II, seven decades ago, British and American Servicemen and women have operated side-by-side in conflicts around the world.
British personnel serve in US units, and American soldiers, sailors, marines and air force personnel serve in British units. In Afghanistan, where we are working side-by-side in support of the Afghan Government, our Alliance is stronger than ever.
But UK/US co-operation on defence is much wider and deeper than working together on operations. An indication of this was the announcement by the PM and the President, during his recent visit to the UK, that we are establishing a new Service Personnel Joint Working Group.
More widely, and as a matter of routine, we work together and share experiences on various aspects of Defence Reform, and we are working with US colleagues to implement the Defence Trade Cooperation Treaty, which was endorsed by Congress late last year. Last but not least, we are closely engaged with the US (and Australia) in considering threats from cyber space.
To my mind, it is this kind of activity that shows the real strength of our relationship- our ability to come together to combat new threats, not just the old ones.
We recognise that there are some threats that we cannot address separately. global problems need global solutions.
And the cyber threat is one of those threats.
We saw it in Estonia in 2007; in Georgia in 2008 and during the Burmese elections in 2010. Most recently, we’ve seen a battle within cyberspace across the Middle East during the recent unrest. A battle over freedom of speech with cyber space used to organise mass protests and disseminate the truth to the masses.
Some say that cyber conflict re-writes the rule book and methodology of inter-state relations – even of war itself. Factor in cyber crime and cyber terrorism and some people argue that our whole world has been upended and everything is changed utterly.
I’m not sure it’s quite like that. As I will go on to say, I think cyber is a means to an end, not an end in itself- and the ends have been with us since the dawn of time.
Today I am going to talk about how the UK sees this threat, and how we recognise that we must work with our allies and with industry to defeat it.
So first, let me talk a bit about the threat.
I find it most useful to define cyber as to do with networked computers and cyberspace as an information space created by networked computers in order to be manipulated and exploited by humans.
Therefore cyber space is a man-made construct which itself sits within the environment of the electromagnetic spectrum. This environment is itself just another medium through which to deliver effect, to be thought of in similar ways to air, land and sea environments, with the major difference that cyberspace is unbounded by geography – it has to be thought of as global.
I find it useful to think in that way as it indicates that cyberspace is a means to an end, it is not an end in itself.
By analogy, therefore, cyberwar, cybercrime, cyberterrorism, cyberespionage are new only in so far as they are new ways of doing war, crime, terrorism, espionage.
So when we talk about ‘cyber security’ we are really taking about security in the digital age. It’s the same security problem just with an added cyber dimension.
What makes the cyber dimension so potent is two factors:
– First, the all-pervasive nature of computers in our lives, in the Critical National Infrastructure, in our economy, in our financial services, in Defence, which creates huge vulnerabilities.
– Second, the low technology entry level, which put the Anonymous hackers on a par with terrorists in creating a huge effect by exploiting our investment in technology – another manifestation of the democratisation of violence of the 21st century.
But before we get consumed by gloom at this apparent catastrophe curve, or discontinuity in the evolution of threats, I would offer some considerations that might encourage us to see some light in the darkness.
Firstly, all technological actions have their reactions. The great Major General Boney Fuller called this ‘the constant tactical factor’, whereby every advance on the battlefield was closely followed by, indeed prompted its response, or counter-measure. Quite what the technological reaction to cyber will be is as yet unclear but a response will emerge; or a different threat will overtake it.
So even as we struggle with this latest ‘big idea’, the smart money will be on finding its successor, the next big idea after cyber. Recognising this helps us avoid the more hubristic judgements about the changes required.
Secondly, what we present as vulnerabilities to ourselves are also vulnerabilities for people we might view as our competitors. Stuxnet terrified the world, the perpetrators (whoever they might have been) as well as the bystanders and the victims. On this basis, the people we should really fear are such as the Lords Resistance Army in central Africa or a ‘lone wolf’ terrorist, with no technological dependence on cyber at all, who might prove immune to any such attack yet develop the capability to use it at will.
Which I suppose points to a final observation I would make about the cyber threat, which is that it is all about people not about technology, at the end of the day. It is a tool by which people interact for better or worse. Keep the people factor in sight and you will keep cyber grounded in its human purpose.
Military role in Cyberspace
So that’s the threat, what then can be done to address it?
One of the decisions made in our Strategic Defence and Security Review was to establish a national programme for cyber space- this provides $1bn of new funding to develop the UK’s capabilities across Government.
After the review reported, I was made the ACDS for Global Issues in the UK MOD, a role that includes nuclear and counter proliferation issues. But most challenging of all, I am the policy lead in MOD and I am responsible for delivering the defence contribution to that programme.
To achieve that I have £90M (about $140M in real money) to make this happen. Not enough to tackle the totality of the issue but a good start in these challenging times.
By 2015, I aim to mainstream cyber operations into defence planning and operations with commanders able to call on national capabilities and international partnerships to meet Defence needs.
But consistent with the one stop shop nature of my role, I also have responsibility for ensuring that our cyber network defences are up to scratch.
Make no mistake, the defensive challenge is huge and we, all of us, military and civilian, are engaged in this battle for security now. And the defences we need are multi-layered.
With a nod to Donald Rumsfeldt, we need strong defences to defend against known threats, we need sensors to make us aware of when our defences are breached and we need a response system to react to known breaches, including a C2 system that allows us to counter cyber activity in a relevant (ie. fast) timeframe; and we need systems that can withstand unknown interference we can’t detect. These sensors, systems redundancy and C2 will not come cheap; but nor does leaving our security backdoor wide open; so this is a classic spend to save measure – although our Treasury might question my logic!
Cyber is a really fascinating area to be involved in at this time. For cyber operations give us new military options for achieving effect.
Financiers hope that cyber offers a cheaper alternative to traditional weaponry; I would urge caution on this, and encourage a view that sees cyber operations as complementary rather than alternative to conventional operations; they are just another way of achieving effect.
In obvious parallels with arguments deployed in the debate between hard and soft power, so cyber operations may in time alter the balance of investment but I doubt they will totally replace traditional tools. These cyber operations could manifest themselves as military ops to further cyber missions by other agencies; or vice versa, national technology supporting military operations.
Over the years I have watched Command and Control Warfare; Information Warfare and Information Operations evolve – along with Electronic Warfare. All of which neatly illustrates that, for me, cyber sits in a continuum of tools to achieve military effect and needs to be mainstreamed into our normal activity, which is my remit from the SDSR.
In the UK, we understand that we must collaborate to deal with trans-national threats and operate in a global domain.
At one level the whole world needs to come together to decide what we think is ‘normal’ behaviour in cyber space. In November, the Foreign Secretary will host the London conference to examine this very point. Representatives from across Governments, multinational orgnisations, NGOs and academia will explore the question of whether we can agree on norms of behaviour in Cyberspace.
But with the US, our closest ally, there are other considerations to be had.
As I said at the start, we work hand in glove with the US on all sorts of issues and that means that we share these threats. For example, if one of us has a gap in our defences it creates a vulnerability for the other.
And that’s why we’ve signed an MOU. So that we can share information and develop novel solutions collaboratively.
But let’s not forget that there’s another stakeholder here too.
We work with Defence industry on both sides of the Atlantic at every level of what we do in Defence and we cannot accomplish any of this without them. So we also need to work with them on cyber defence.
Yes, they are our supplier and can help us build a capability.
Yes, we need a strategy for agile procurement of cyber capabilities from trusted industry partners.
Yes, we need a strategy for sustaining key capabilities within the industrial base.
But it’s more fundamental than that.
Our threats are their threats. Their threats are our threats.
They are the custodians of intellectual property essential to our operational success and our national advantage. As Liam Fox said recently, we are massively concerned about some recent cyber security incidents that many of you will be aware of.
Without proper protection, capabilities that took years of work and millions of pounds of our collective funding to develop could be stolen in an instant. A recent study of the costs of cyber crime suggests that our Aerospace and defence sector is particularly exposed – losing £1.6bn per year as a result of espionage and the theft of intellectual property.
So, a partnership with industry is not just desirable, it’s essential.
The basis of our response to this threat has to be to properly understand the threat and that means we need to share what we know about the cyber threat nationally and internationally.
We cannot be complacent about the level of effort we put into cyber defence. Malevolent actors will continue to up-their-game, whilst there is a reward to chase.
The only way to address this threat is with a real partnership between Governments and Industry- across national boundaries.
It is a partnership between nations because we can’t defeat global threats with national solutions.
It is a partnership between Government and Industry because cyber attacks affect not only national security but through loss of IPR they affect national prosperity too.
We share the risk, so we need to share the solution.
Thank you and I look forward to hearing your questions and views.