In the new online issue of Defence Management Journal, Shadow Minister for Home Affairs and Counterterrorism Crispin Blunt MP takes aim at the New Labour government’s approach to cybersecurity and concludes that things are moving too darned slow. Notwithstanding the imminent general election (our own SecDef Ainsworth says May 6), are Blunt’s gripes unfounded or not?
Cyber security is one of those issues that intimidate politicians. It is a highly technical field with a wall of jargon that is a barrier to understanding. It is, however, increasingly important to our national security and there is no excuse for our government having been slow to grasp this. It is an issue that everyone has to take seriously and politicians who aspire to have responsibility for the nation’s security must do so more than most.
Has Labour been slow? It’s hard to tell. Last June’s Cyber Security Strategy (CSS) seemed to have been well-timed and, although I’ve heard it described as a ‘policy to have a policy’, it came only a month after the US Cyberspace Policy Review. Last November, Blunt toddled off to Washington to see what the mighty Yanks had been up to and he seems very impressed:
The United States began work on cyber security and cyber defence under President George W Bush and the issue has now been given even greater political emphasis by the Obama administration, which has put it at the centre of its deterrence and security policy.
Part of the US response has been to create a Cyber Command within the Pentagon. Information systems have become essential tools with which to support conventional forces; correspondingly, cyber warfare has become an essential part of every nation’s armoury. If you cannot support your tanks, aircraft and ships with a cyber capability, you are likely to lose a conflict against an adversary that can. Much has been made of the revolution in military affairs flowing from the digitisation of the battlefield; it is essentially a force multiplier. If you cannot defend your networks and disrupt your opponent’s, you will be minus that battle-winning capability. For most of the 20th Century, air supremacy or at least superiority was an essential tool. Cyber superiority is likely to play a similar role in the 21st Century.
The US has not only grasped this – as we should note, so have the Chinese – but is also thinking deeply about the full spectrum of cyber attacks, from individuals’ identity theft through to espionage and the capability to disrupt a nation’s critical national infrastructure.
Not only the Chinese, Mr Blunt, but also dozens of other states, including Russia, France, and Israel. Why single out China? Zeitgeist, perhaps? He could also have mentioned the UK here but that would have weakened the following criticism:
The UK is proceeding at a more leisurely pace; our cyber security strategy, a diluted version of President Obama’s, was published at the end of June. It has taken three months to establish the new Office of Cyber Security and it will not be fully operational until March 2010. Work in this area is much more urgent than this timetable suggests.
A ‘diluted version’? Well, it didn’t have so many appendices, and it didn’t suggest concentrating responsibility for cybersecurity at No.10, so in that sense, yes, it could be construed in that way, although I prefer to look at it as a British document, not one that was drafted in DC and tweaked for local use.
Second, the Office of Cyber Security (OCS) and its sister the Cyber Security Operations Centre (CSOC) are very busy, if quiet. Both organisations were promised in the June CSS and there have been questions in the House since about their status, resources, remit, etc. By contrast, one of the few concrete recommendations of Obama’s cyber review was to appoint someone to coordinate the huge cybersecurity program outlined in the document. After six months of serious wrangling, this only happened just before Christmas 2009, with the appointment of Howard Schmidt as US ‘cyber czar’. See, Mr. Blunt, things can move even slower in the US.
Cyber security doesn’t respect national borders and international cooperation is essential. The criminalised part of the cyber threat has been addressed in the Council of Europe Convention on Cybercrime. This was submitted for member states’ ratification in 2001; as an open convention, it was ratified by the US in 2006 but, over eight years on, the UK has yet to complete the ratification process.
That is a good point, and I haven’t heard too many mutterings about changing the situation either. It’s worth pointing out that Russia and Turkey have yet to even sign it, and the list of non-ratifying countries is long: Belgium, Czech Republic, Georgia, Ireland, Spain, Sweden, Switzerland…
Although an important step, this Convention does not address national security. As cyber warfare capability gains the potential to bring modern nations to a standstill, this is a glaring gap that has to be filled. All states, including those we have a sometimes difficult relationship with, have too much at stake not to cooperate in this area. We can all unwittingly harbour groups who will attack other states electronically. This was a casus belli (justification for acts of war) when Afghanistan played host to al-Qaeda [was it?]. With the damage that can now be caused by successful electronic attack, this threat must be managed. A new Geneva Convention on cyber warfare is required. This is but one area on which the UK’s cyber security strategy is almost completely silent. Greater urgency and commitment is needed in our response to cyber security, particularly in securing an international legal framework on cyber warfare.
Silent, except for the bit where it says, “The UK is committed to working multi-laterally to develop a strong rules-based international system to promote economic growth and development, as well as mitigate the risk of another state acting to damage our economic well-being in a way that poses a threat to our national security.” It would be silent on a Geneva Convention-style suite of protocols, as these relate to the humanitarian treatment of the victims of war. I think Blunt chose the wrong historical analogy here, unless he really is talking about collateral damage.
I’m not sure this is even worth electioneering on. The Tories have already made it clear that they wish to introduce a Cyber Threat and Assessment Centre (CTAC), which looks to be a more offensive version of CSOC, and will lay “the foundations for the development of a National Operations Centre able to respond to cyber events”. This will presumably be tied into the new War Cabinet National Security Council and Secretariat, also announced in the January National Security Green Paper. Personally, I’m glad government is taking a few months to check out its options in what the Tories themselves call an ‘international and multifaceted’ operating environment. Better that than going off half-cocked in pursuit of whichever chimera has just hove into view this week.