Professional Blogs

NCSC Alert – A Welcome Approach to Defending Critical National Infrastructure

Last week the National Cyber Security Centre (NCSC) issued an unprecedented alert regarding malicious cyber activity conducted by the Russian government. This marked a significant milestone in the international fight against the cyber threat that our country, and in particular our Critical National Infrastructure, faces. The alert was particularly noteworthy for 3 reasons:

  • The alert was written and issued in full partnership with colleagues in the United States from both the Federal Bureau of Investigation and the Department of Homeland Security. This is the first time this has happened; whilst there has long been excellent cooperation across the pond (this is one area where the ‘special relationship’ is alive and well) there has never before been such a clear demonstration of the strength and depth of the partnership. Such a unified approach will ensure resilience capability develops at pace whilst also sending a powerful message to our adversaries.
  • The alert speaks clearly and with certainty about attribution. It unequivocally calls out Russian intent to exploit our cyber infrastructure and records it plainly in the public record. This level of certainty will be rooted in robust intelligence and it is reasonable to surmise that clear evidence of Russian intent and activity exists. Until very recently this level of intelligence and its associated analysis would be heavily classified and distribution would be limited. Releasing such intelligence product into the public domain is a game changer. To my mind the fact that this can now happen is one of the biggest successes of the NCSC.
  • The technical note actually offers simple and practical guidance that can be implemented by organisations of all sizes. It explains Russian tactics and techniques, offers tips on how to identify compromises and suggests mitigation actions. In short it is a useful guide to those at the coalface working in cyber defence. Similar notes in the past have often been overly generic and bland to the point of uselessness.

It is difficult to overstate how important and welcome this more open and more technically useful approach is. The cyber world is becoming more collaborative and more open – this trajectory must be maintained if we are going to overmatch the threat and generate genuine resilience.

Getting this right is nationally important. We are beginning to talk openly and in detail about the threat to our Critical National Infrastructure, indeed the Joint Technical Report released last week explicitly spoke about Russian prepositioning on Critical National Infrastructure targets.

This is an extremely positive development; the first step to addressing a problem is to be honest about its existence. With aligned leadership at the national level on both sides of the Atlantic it is really encouraging to see that process beginning.

Cyber Operations – The Challenge of the Three Sided Coin

As cyber operations have increased in scope and credibility their integration into wider military operations has developed organically. The organisations that design and deliver cyber capability have similarly evolved over time rather than being designed from first principles. This agile approach has served a purpose, but we have now reached a level of maturity where a well-conceived structure and governance model would bring substantial advantage. However, meeting this challenge will mean overcoming a conundrum that lies at the heart of all military cyber structures.

Operating Defence communications networks is something that we have done well for many years. Like most other organisations, the UK military maintains a network operating centre, which acts as a hub from which global networks are managed. Also in common with many large organisations the MOD has a security operating centre that is responsible for preventing and reacting to cyber attacks. It is evidently desirable that these organisations are conceptually (and physically) very close to each other. It would be nonsensical if those who operate our networks and those who conduct defensive cyber operations on our own networks weren’t in the same business space; they are two sides of the same coin.

If we now consider cyber’s contribution to Full Spectrum Effects operations then it is immediately apparent that all elements of cyber operations must be considered in tandem during the planning process. PROTECT is just as much a mission verb as DISRUPT, and for a plan to be successful both offensive actions and defensive actions must be considered simultaneously. This concept is well established in military planning; it is inadvisable to go on the offensive unless you start from a well-established and secure base. Offensive cyber operations and defensive cyber operations must also be conceptually close; they are two sides of the same coin.

The structural problem is that there is no three-sided coin – defensive cyber operations cannot easily be bedfellows with both offensive cyber and network operations concurrently. In the UK our organisational model has evolved to structurally separate network management and military operations. This has had the effect of splitting defensive cyber operations in two so that routine defending sits with network management whilst defensive cyber planning is considered operationally as part of Full Spectrum Effects planning alongside all offensive options. This solution works, but it is inelegant and inefficient. The division of defensive cyber operations makes a unified defence more challenging to achieve than it could be.

It may be that there is no perfect solution to this; certainly none of our international partners have found the ideal solution. However as we consider designing the next generation cyber enterprise it is important that we give this structural challenge all due consideration so that our future operating model is as efficient as it can be.

The Combat Effect of The Royal Signals

In many organisations there is a sharp divide between the ‘doers’ who deliver the final product and those who support them. Nowhere is this division as stark as in the Army. We have it cemented in the lexicon – every soldier either belongs to a combat arm or a support arm. Needless to say it is the combat arms that are first among equals. They provide the majority of the Army’s senior generals and they almost exclusively occupy the key decision making posts on the path to senior leadership.

The Royal Corps of Signals are traditionally anchored in this supporting role. As a corps we are seen (and indeed we see ourselves) as a cohort of communications specialists who enable everything the Army does; never have communications been as critical as they are now on the modern battlefield. Despite this vital role we are like stage lighting – when it goes well we go unnoticed, but when it goes wrong the pointed ‘wrong crystals’ jibes come thick and fast. By being comfortable in this ‘supporting actor’ role we are selling ourselves short and adopting a position from which it is difficult to exert influence.

The reality is that Royal Signals are already well established as agents of combat effect. The Corps has long been the Army’s proponent of Electronic Warfare providing offensive capability in the electronic spectrum. More recently Royal Signals personnel have been at the vanguard of developing cyber capability tactically in the Land Environment and at the operational and strategic level in the Joint battlespace. The importance of these contributions to full spectrum targeting is both growing at pace and quickly increasing in relevance. Cyber operations provide the targeteer with options throughout the spectrum of conflict including when kinetic strikes are not militarily or politically viable. Likewise, EW and cyber effects are a potent force multiplier when woven and synchronised with other effects.

As this fundamental evolution of warfare unfolds before us it is imperative that the Royal Signals moves quickly to ensure its ambition and influence match an increasing contribution to effects delivery. A cultural change is required; the Corps must see itself differently by thinking in a J3 (Operations) way alongside the more traditional J6 (Communications) mindset.

The Royal Signals must be better at training our people to be war fighters and we must work to place our best people in crunchy planning, operations and targeting jobs at all levels. Concurrently, of course, an influence campaign will be required with the old guard of traditional Army leadership who will understandably be wary of a newcomer to the party.

There are elements of the Royal Signals that effectively perform the function of a combat arm now. Let’s have a moment to let that sink in, then pull up our socks and take our rightful place at the table.

The Value of the Specialist

I once served with a Warrant Officer who worked as a technical supervisor within an operational military team. Highly qualified and self-motivated, he did his job ably, but unremarkably. He left the Army and, due to a reorganisation, he was immediately re-employed as a civilian doing exactly the same job. Within weeks it was apparent something special was happening to him; in a very short period of time he had become much better at his job. He quickly established himself as a leading expert and soon the organisation became utterly reliant on him for all technical decision making. The reason was simple: he had been freed from all the additional and distracting responsibilities that come with being in the Army. He didn’t disappear on exercises, physical training or weapon ranges – he simply did his core job, and he got very good at it very quickly. Over time he stayed in that appointment far longer than would ever be possible if he were still in the Army and as a result the effect was multiplied several times over. He became utterly indispensable.

This tale highlights a flaw in the way the British military views the profession of soldiering. We are an organisation of generalists and as a result we rarely let our people become specialists, and if we do, we immediately move them on to another job. Even pilots must give up flying at a relatively junior rank because practising their core skill quickly becomes detrimental to their career prospects.

Perhaps the clue is in the rank of our senior officers; in the Army it is ‘generalism’ that gets you promoted. I agree that there is merit in leaders having a breadth of experience but it should not be such an all-pervasive philosophy that it is ruthlessly applied to everyone. There are some aspects of any business where it is important to specialise, and those that choose to do so should be valued, respected and rewarded for making that choice.

The generalist versus specialist debate has never been as important as it is now in cyber operations. As we build the cyber force it is abundantly clear that it is not a discipline that people can ‘dip in and out’ of. It takes years to accrue the requisite skills to plan and deliver cyber operations. Subsequent operational experience only adds to the richness of that skill set, making our best surely indispensable. Yet it is exactly these skilled and experienced practitioners that we so frequently fail to reinvest into the cyber enterprise, preferring instead to broaden their profile rather than deepen it. If we are to truly excel in cyber operations we must keep our people in the business. We must learn to value the specialist and give them opportunities to advance within cyber. Doing so is practically achievable, but it will require a change in culture and mindset that will be hard to win.

Information Assurance and Defensive Cyber Operations – An Important Distinction

During a recent planning meeting I found myself explaining my views on the difference between Information Assurance (IA) and Defensive Cyber Operations (DCO). This is something I do a lot, but it is worth doing because it is an important distinction. Knowing which you are pursuing ultimately determines what you do, the mindset and methodology you adopt and who in your organisation is accountable.

IA has been established and understood for some time and, until recently, it sufficed as an approach to achieving protection in cyberspace. IA is focused entirely on protecting information systems at an accredited baseline level. This extends to technical measures, both hardware and software but also extends to the physical security wrap around a system. Routinely these measures are built into procurement so that a base level is achieved at the beginning of a system’s lifecycle. This is then maintained through life with periodic reviews and frequent updates and patching. Both in analogy and literally it is making sure the door is locked and the intrusion alarm is on.

Until fairly recently IA was considered sufficient; if the accreditors ticked all the boxes on their inspection sheet then information was ‘safe’. There are benign occasions when this might be true, but in the majority of cases, and especially on deployed military operations, a completely different approach is required to raise the standard well above base level protection.

This delta is met by Defensive Cyber Operations. These are fundamentally different from IA in that they focus on mitigating operational risk by delivering Cyber Mission Assurance. This is not the domain of the accreditor, rather ownership sits squarely with leadership and their operations team.

DCO are proactive and draw on an offensive spirit; they are the antithesis of sitting in a locked house not knowing what threat lies outside. They are rooted in understanding and therefore begin with detailed and aggressive threat analysis so that the intent and capability of the adversary is understood. This should include actively hunting for adversary activity. Additional measures can then be taken to counter that threat. DCO are less worried about protecting individual systems and more concerned with operational resilience, so business continuity and rapid response and recovery become essential. Perhaps most importantly, DCO are not limited to protecting information on command and control systems. Their scope is much wider, essentially anything that could impact the mission must be considered. This includes platforms, Industrial Control Systems, supply chain systems and welfare communications irrespective of who owns them. Finally, under certain definitions, and with the correct authorities in place, DCO can include the ability to strike back at an adversary to stop, or even prevent, an attack.

Fundamentally protecting our businesses in cyberspace is about mindset. To do it well we must think more in terms of operational assurance and less about simple compliance.

The Bright Future of Military Offensive Cyber

This article was originally published at www.wavellroom.com in September 2017

It is unfortunate that, for many staff officers, the practicalities of ‘cyber operations’ consist of a brief and contrived power cut on the annual CPX for the sake of objective box-ticking. There are others who dare to imagine something more potent but who have become disillusioned because of the constant mantra from the non-kinetic effects community that real life isn’t like the movies; ‘there is no magic cyber button’. The truth is, cyber operations became a faddish focus of senior leadership long before we were ready to deliver on the promise and the inevitable result was a deep-rooted and perfectly understandable cynicism.

There is a gathering body of evidence that the situation is changing and is doing so at pace. The potency of a ‘cyber-attack’ is abundantly apparent in the media. It is easy to forget that even five years ago such stories were relatively rare and were far removed from the reality of daily life. Contrast the situation today, when there is invariably an open source daily dose of reported cyber incidents that have a clear and understandable impact. Invariably the majority concern bulk personal data loss, often perpetrated by criminals. In such cases the effect is often negligible save for the reputational damage to the victim. Increasingly, however, cyber operations are becoming more sophisticated in their ambition and intent. Perpetrators are using cyber operations to have a focussed effect on individuals, groups of individuals and even nation states. Sometimes this is simply through the manipulation of information, as was the case with Russian interference in the US 2016 election, but it can also be through the delivery of physical effects through cyberspace. Whether it is Ukrainian power outages or electronic destruction of Saudi government computer hardware, it is not difficult to find examples where (usually) state actors have had a calculated effect on their adversary – be that as a standalone effort or blended with other instruments of soft and hard effects.

There is evidence too that Western nations are embracing this new tool of influence. At the 2016 RUSI conference, the Secretary of State for Defence acknowledged that the UK is already integrating offensive cyber into its full range of military effects. Across the Atlantic, the US is so energised about the possibilities that cyber will bring that they are elevating US Cyber Command to Combatant Command status. Canada has, for the first time, acknowledged that they too are aggressively investing in offensive cyber. Amongst our close allies, cyber is transitioning from the theoretical to the practical.

So offensive cyber is a proven potent weapon and its possibilities are being enthusiastically embraced by Western powers. The resultant challenge faced now is how best to leverage at scale what has hitherto been a niche and largely insignificant capability. This question is exercising minds across government; integrating a new domain of tools into the national arsenal is an exceedingly complex business. Although evidently not a complete solution, the following 3 points are critical to success:

Technical Credibility.  It is critical that credible and relevant offensive cyber options continue to be delivered in short order. This will not only ensure that meaningful effects are achievable, but it will also serve to build operational evidence to challenge the cynics. For this to work, cyber effects must be developed to support existing national contingency plans and their employment must be woven into operational planning from the outset. Capabilities must not be delivered simply because they are technically interesting; there is no room in the modern world of professional cyber for the enthusiastic hobbyist.

Effects Focus.  Those involved in cyber operations tend to be drawn overwhelmingly from the intelligence and communications fields. This is entirely understandable – offensive cyber has evolved largely from signals intelligence because of shared access techniques, and communicators, especially in the military, are likely to have the baseline skill level required to build cyber expertise. These are not, however, those who typically have operations and targeting experience. This needs to change; those that once saw themselves pigeon-holed in an exclusively combat support role are on point to deliver effects. This equally applies in defensive cyber operations, which have for too long been solely about protection rather than proactively setting the conditions for operational success. Mindsets and skills will need to change accordingly.

Partnerships.  Despite considerable recent investment across Defence, cyber is not exclusively a military effort. Indeed the real UK expertise and capability is invested in those with many years of relevant experience across government departments. Developing an autonomous military cyber capability would be hopelessly inefficient and would create an artificial and unhelpful divide between cyber used in pursuit of military and wider national objectives. The answer is a full and true partnership to create one single focus for UK Cyber operations.

There is no question that cyber is here to stay. Getting it right now is inevitably going to be difficult and expensive, but the price is worth paying to ensure we are postured to stand up to our adversaries and lead the way amongst our allies.