.
Protecting the British Cyber Pass
Folks, you’d be forgiven for thinking that the sky was falling in. We’re all doing our best to adjust to post-Brexit Britain with some people distinctly annoyed that the world hasn’t spun off its axis. As the more risk adverse of the nation descends into a maelstrom of uncertainty and self-flagellation, most would be content to lock the door, close the curtains and hunker down until the storm passes. With Britain forging a new direction in the world, David Cameron, the Prime Minister, has resigned - leaving the government flock to be shepherded by the Merkel of Maidenhead. Meanwhile, Her Majesty’s Official Opposition is left navel-gazing and experimenting with political mitosis.
Nestled amongst the political turmoil, however, is a subject sorely neglected. Precious little has been mentioned on the state of British security, at a time when we stand at risk to a host of pernicious existential forces. The chief security risk is arguably cyber. Whilst it may be adding salt to Britain’s wounded vanity, the cyber realm exposes how vulnerable the UK is. Individuals, businesses, organisations, and government are an increasingly attractive target for cyber adversaries. Much like the defensive and strategic significance of the Khyber Pass, the online borders that defend our national infrastructure - our British Cyber Pass - remain in jeopardy and, unless we floss our brains and waken up, carnage will be coming to a town near you soon.
The Cambridge Centre for Risk Studies recently estimated that £442 billion could be excised from British GDP over five years in a ‘worst-case’ cyber attack on our power stations. Adverse effects would include the loss of up to one million train and 300,00 airport journeys per day, 40-55% of UK port freight, and substantial shortages of food and fuel. There would also be widespread disruption to transportation, digital communications, and water services. Hungry; parched; stranded in the dark; and cut off from the world. From leafy suburbs to bustling urban centers, the nation would abruptly come to a halt. My friends – don’t be under any illusion; this is no projected fear, but the realisation of a very real and present danger.
Currently, we are applying pressure to a slip knot in a deluded attempt to make us feel more secure, but I warn you all now - standby! In 2014, the Rt Hon. James Arbuthnot MP, whilst chairing the Defence Select Committee, identified that our national grid faces relentless cyber attacks every minute. Worryingly, our Industrial Control Systems (ICS) – the gizmos that control the national grid, as well as the water, gas and electric plants we rely upon – have numerous flaws. Not only are they expensive to maintain, ingurgitating large amounts of memory space and battery life, but the ICS often have legacy issues: running on outdated technology. As the cyber threat constantly changes, the defences of our critical systems are always left one step behind. What’s more, the growing trend of attacks on such systems has shown little sign of slowing. From an exploding pipeline in Turkey to a broken steel mill in Germany, cyber is on the march. It’s troubling stuff!
But don’t despair. For all this doom and gloom, the UK government is making some headway toward protecting our critical systems. In 2013, then Defence Secretary, Rt Hon. Phillip Hammond MP, announced the creation of a Joint Cyber Reserve Unit to protect our critical computer networks and information assets. This has been further supplemented by £2 billion over the course of this parliament, including the recruitment of 300 experts from the UK's underground hacking community. Add to this is the introduction of coding and programming into the curriculum from age 5 and the 2014 government policy that I developed to incorporate cyber training into the UK Cadet Force training programme. The UK is making headway to invest in protecting our future critical infrastructure.
Yet, whilst the government’s intention to secure our future systems is to be applauded, more investment is a must if we are to secure the nation with a proper cyber knot that will hold us steady. Currently, the industry is plagued by a considerable cyber skills deficit – and the few with the expertise command lucrative salaries; a demand the private sector can meet but the government coffers cannot. And it is an unfortunate reality that many of these skilled individuals - the recusant, ponytailed, pierced, bespectacled techies, as they are often caricatured - may be unwilling to be inducted into the military fold to join the cyber reserves. Of course, the government have already made a concerted effort to lure them in with concessions, including waiving fitness tests. Cyber reserves can rest assured they won’t have an SA80 thrust upon them, only to be dropped out of the back of a Hercules in some arid backwoods. Lt Col Michael White has even lent consideration to hiring convicted hackers (and quite rightly so), if they can pass through vetting. But this may not be enough. As the exact number of cyber reserves serving is unknown (due to national security), we have no idea what our capability is. Beyond recruitment and retention, the unit won’t even be fully operational until 2017 and its remit extends only to the protection of MoD assets – even the government is unclear as to whether this would cover our critical infrastructure. How can we adequately prepare for an attack when there is no consensus as to who is protecting what? It's like squinting in 51 degrees of heat and applying factor 5 to the nation’s body; we're all going to get burnt!
One solution the government should cogitate is establishing a national register of cyber security professionals who can be called upon in the fallout of a significant attack upon critical national infrastructure. In 1987, under President Reagan, the United States Selective Service was instructed to develop a register of healthcare professionals to aid the armed forces in wartime, providing a short-term panacea to revive the languishing conscription of doctors and nurses. There is no ostensive reason why this initiative cannot be mapped over to the cyber domain and employed to plug the shortage of cyber security professionals protecting the UK’s critical assets. What could become known as The UK Cyber Security Registry would enable hundreds more individuals to offer some degree of national service in protecting our critical infrastructure without the responsibility and restraint of military service (to which not all are suited). This platform would coordinate with other defence units – the Joint Cyber Reserve Unit, the Computer Emergency Response Team (CERT) etc. – in managing the consequences of a devastating cyber attack. Moreover, the issue of salary would be rendered inconsequential; individuals would be free to continue working in the private sector and simply rally to the nation’s aid at the sound of the clarion call.
With this in mind, there is a clear opportunity to be seized. A national Cyber Security Registry would ensure the UK is well equipped to deal with the consequences of an attack against the British Cyber Pass. The government has already taken a number of positive steps in this direction but as the UK Cyber Security Registry has shown, there is more to do. So, there’s nothing left to say, except who’s got the sunblock and… carry on up the cyber!
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.
a global affairs media network
Carry on up the Cyber!
August 2, 2016
Protecting the British Cyber Pass
Folks, you’d be forgiven for thinking that the sky was falling in. We’re all doing our best to adjust to post-Brexit Britain with some people distinctly annoyed that the world hasn’t spun off its axis. As the more risk adverse of the nation descends into a maelstrom of uncertainty and self-flagellation, most would be content to lock the door, close the curtains and hunker down until the storm passes. With Britain forging a new direction in the world, David Cameron, the Prime Minister, has resigned - leaving the government flock to be shepherded by the Merkel of Maidenhead. Meanwhile, Her Majesty’s Official Opposition is left navel-gazing and experimenting with political mitosis.
Nestled amongst the political turmoil, however, is a subject sorely neglected. Precious little has been mentioned on the state of British security, at a time when we stand at risk to a host of pernicious existential forces. The chief security risk is arguably cyber. Whilst it may be adding salt to Britain’s wounded vanity, the cyber realm exposes how vulnerable the UK is. Individuals, businesses, organisations, and government are an increasingly attractive target for cyber adversaries. Much like the defensive and strategic significance of the Khyber Pass, the online borders that defend our national infrastructure - our British Cyber Pass - remain in jeopardy and, unless we floss our brains and waken up, carnage will be coming to a town near you soon.
The Cambridge Centre for Risk Studies recently estimated that £442 billion could be excised from British GDP over five years in a ‘worst-case’ cyber attack on our power stations. Adverse effects would include the loss of up to one million train and 300,00 airport journeys per day, 40-55% of UK port freight, and substantial shortages of food and fuel. There would also be widespread disruption to transportation, digital communications, and water services. Hungry; parched; stranded in the dark; and cut off from the world. From leafy suburbs to bustling urban centers, the nation would abruptly come to a halt. My friends – don’t be under any illusion; this is no projected fear, but the realisation of a very real and present danger.
Currently, we are applying pressure to a slip knot in a deluded attempt to make us feel more secure, but I warn you all now - standby! In 2014, the Rt Hon. James Arbuthnot MP, whilst chairing the Defence Select Committee, identified that our national grid faces relentless cyber attacks every minute. Worryingly, our Industrial Control Systems (ICS) – the gizmos that control the national grid, as well as the water, gas and electric plants we rely upon – have numerous flaws. Not only are they expensive to maintain, ingurgitating large amounts of memory space and battery life, but the ICS often have legacy issues: running on outdated technology. As the cyber threat constantly changes, the defences of our critical systems are always left one step behind. What’s more, the growing trend of attacks on such systems has shown little sign of slowing. From an exploding pipeline in Turkey to a broken steel mill in Germany, cyber is on the march. It’s troubling stuff!
But don’t despair. For all this doom and gloom, the UK government is making some headway toward protecting our critical systems. In 2013, then Defence Secretary, Rt Hon. Phillip Hammond MP, announced the creation of a Joint Cyber Reserve Unit to protect our critical computer networks and information assets. This has been further supplemented by £2 billion over the course of this parliament, including the recruitment of 300 experts from the UK's underground hacking community. Add to this is the introduction of coding and programming into the curriculum from age 5 and the 2014 government policy that I developed to incorporate cyber training into the UK Cadet Force training programme. The UK is making headway to invest in protecting our future critical infrastructure.
Yet, whilst the government’s intention to secure our future systems is to be applauded, more investment is a must if we are to secure the nation with a proper cyber knot that will hold us steady. Currently, the industry is plagued by a considerable cyber skills deficit – and the few with the expertise command lucrative salaries; a demand the private sector can meet but the government coffers cannot. And it is an unfortunate reality that many of these skilled individuals - the recusant, ponytailed, pierced, bespectacled techies, as they are often caricatured - may be unwilling to be inducted into the military fold to join the cyber reserves. Of course, the government have already made a concerted effort to lure them in with concessions, including waiving fitness tests. Cyber reserves can rest assured they won’t have an SA80 thrust upon them, only to be dropped out of the back of a Hercules in some arid backwoods. Lt Col Michael White has even lent consideration to hiring convicted hackers (and quite rightly so), if they can pass through vetting. But this may not be enough. As the exact number of cyber reserves serving is unknown (due to national security), we have no idea what our capability is. Beyond recruitment and retention, the unit won’t even be fully operational until 2017 and its remit extends only to the protection of MoD assets – even the government is unclear as to whether this would cover our critical infrastructure. How can we adequately prepare for an attack when there is no consensus as to who is protecting what? It's like squinting in 51 degrees of heat and applying factor 5 to the nation’s body; we're all going to get burnt!
One solution the government should cogitate is establishing a national register of cyber security professionals who can be called upon in the fallout of a significant attack upon critical national infrastructure. In 1987, under President Reagan, the United States Selective Service was instructed to develop a register of healthcare professionals to aid the armed forces in wartime, providing a short-term panacea to revive the languishing conscription of doctors and nurses. There is no ostensive reason why this initiative cannot be mapped over to the cyber domain and employed to plug the shortage of cyber security professionals protecting the UK’s critical assets. What could become known as The UK Cyber Security Registry would enable hundreds more individuals to offer some degree of national service in protecting our critical infrastructure without the responsibility and restraint of military service (to which not all are suited). This platform would coordinate with other defence units – the Joint Cyber Reserve Unit, the Computer Emergency Response Team (CERT) etc. – in managing the consequences of a devastating cyber attack. Moreover, the issue of salary would be rendered inconsequential; individuals would be free to continue working in the private sector and simply rally to the nation’s aid at the sound of the clarion call.
With this in mind, there is a clear opportunity to be seized. A national Cyber Security Registry would ensure the UK is well equipped to deal with the consequences of an attack against the British Cyber Pass. The government has already taken a number of positive steps in this direction but as the UK Cyber Security Registry has shown, there is more to do. So, there’s nothing left to say, except who’s got the sunblock and… carry on up the cyber!
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.