Précis: To effectively combat its cyber enemies, the UK needs to wage attacks against its cyber aggressors, according to MPs on the Intelligence and Security Committee (the "ISC"). In the European sphere, the European Commission has launched a consultation on cyber security.
What? MPs on the Intelligence and Security Committee ("ISC") have called on the UK to actively engage in "defensive" or "pre-emptive" cyber attacks because they believe that the UK's cyber defence programme alone is too weak to endure attacks. This strategy is in line with comments recently made by the head of the Central Intelligence Agency, and reflects the strategy that America has all but admitted in relation to the recent Flame and Stuxnet attacks on Iran's nuclear and energy infrastructure.
At the same time, the European Commission has launched a consultation on cyber security, seeking the views of governments, businesses and citizens to assess possible responses to cyber incidents causing major internet disruptions. The Commission has launched the consultation to help it prepare a legislative proposal on security, ahead of its upcoming EU strategy on cyber security. You can read the consultation here.
So what? Following the announcement of the National Cyber Security Programme in 2010 to transform the UK's cyber skills and capabilities by 2015, which received a mid-recession budget of £650m, the focus has been on developing the UK's capabilities in defending against such attacks. Although the defence strategy remains a priority for the UK, MPs on the ISC acknowledge that:
"cyber security is a fast-paced field and delays in developing [its] capabilities give [the] enemies the advantage".
Thus, the resilience of the UK's defence capabilities is weakened by ever-changing techniques employed by cyber attackers. Therefore, MPs believe that military and intelligence agencies should be allowed to go on the offensive in the cyber war.
Interfering with the systems of those trying to attack UK networks, hacking into enemies' networks and systems or destroying enemy data without being detected are examples of "active defence" measures that the ISC would support.
It is interesting to note the change in terminology of late. There is an ever-increasing use of military language of defence and attack, security, battle lines, etc. These are emotive words, which position cyber attacks as part of a "war" thereby seeking to justify ever-increasing use of cyber capabilities, whether to defend or attack.
Cyber warfare attacks are considered to be the fastest-growing threat against national security. It would seem that the heightened risk to national security has exposed the limitations in the UK's defence capabilities to counteract cyber attacks. The offensive play (or at least the admission of such a play) is relatively new, and reveals the priority that Government is giving to this area.
In relation to the consultation, leading academics and practitioners have long been calling for global cooperation, with Eugene Kaspersky, whose lab discovered the Flame virus, stating that "only a global effort could stop a new era of cyber terrorism".
Whilst we have been reporting that the UK has significantly stepped up its efforts, the battleground is still confused. Nation states, supranational bodies, businesses and criminals are all players. Nation states are both the hunter and the hunted, actively targeting others' infrastructure - there have been allegations, for example, that the current US administration developed and deployed the Flame virus, which severely degraded Iran's nuclear and utilities programmes. The consultation is a preliminary foray into the feasibility of proper supranational legislation. It's too early to tell whether the US, China or other global actors will desire some shaping involvement. It's safe to say that there isn't a great deal of cybertrust at present, which means that cyberparanoia will prevail for the time being.