



















Summary
This House of Lords Library Briefing has been prepared in advance of the debate due to take place on 18 October 2018 in the House of Lords on the motion moved by Viscount Waverley (Crossbench), “that this House takes note of the scale and complexity of cyber threats facing the United Kingdom and the case for innovative approaches across Her Majesty’s Government and beyond”.
In the UK, cyber is categorised as a high priority risk to national security. Cyber threats come both from nation states and from criminal individuals or groups. The Government states that the lines between different threat actors continue to blur as individuals and groups learn from, hire and work with one another. Cyber threats to the UK include cyber terrorism; fraud and serious organised crime; espionage; and disruption of critical national infrastructure (CNI).
In November 2016, the Government published its five-year National Cyber Security Strategy, and made a commitment to invest £1.9 billion in cyber security. The strategy set out the Government’s implementation plan under three objectives: to defend the UK from cyber-attacks; to deter potential attackers; and to develop an innovative cyber security industry underpinned by leading scientific research and development. Cyber security of the UK’s CNI was listed as a priority. In 2016, the Government also created the National Cyber Security Centre. It supports the most critical organisations in the UK, the wider public sector, and industry.
The UK has committed to work in close collaboration with its international allies, including its partners in NATO and as a member of the EU, to improve international cyber security. In May 2018, the UK implemented the EU Networks and Information Security Directive and placed legal obligations on operators of UK critical services to improve cyber-security. The Government has said that after the UK’s exit from the EU it wants to protect its cyber cooperation with the EU.
This briefing focuses on the UK Government’s response to the global cyber threat in the context of its strategies on national security and on national cyber security. It includes an overview of the Government’s policy to improve the resilience of the UK’s CNI to cyber-attack, and measures to address the shortage in cyber security skills in that area. The last section briefly discusses NATO’s and the EU’s cyber security initiatives and the recent allegations against the Russian intelligence service.
Sarah Tudor 11 October 2018
A full list of Lords Library briefings is available on the research briefings page on the internet. The Library publishes briefings for all major items of business debated in the House of Lords. The Library also publishes briefings on the House of Lords itself and other subjects that may be of interest to Members.
House of Lords Library briefings are compiled for the benefit of Members of the House of Lords and their personal staff, to provide impartial, authoritative, politically balanced briefing on subjects likely to be of interest to Members of the Lords. Authors are available to discuss the contents of the briefings with the Members and their staff but cannot advise members of the general public.
Any comments on Library briefings should be sent to the Head of Research Services, House of Lords Library, London SW1A 0PW or emailed to [email protected].
Between October 2016 and October 2017, the NCSC received 1,131 cyber incident reports, with 590 subsequently classed as significant.^7 More than 30 were assessed as being sufficiently serious to require a cross-government response process. Two notable incidents which occurred in this period were the WannaCry attack in May 2017, a global ransomware attack which affected a number of networks in the UK, including 45 NHS trust organisations; and the cyber-attack on the email accounts of UK MPs, peers, their staff and parliamentary officials in June 2017.^8
The UK Government has stated that despite greater awareness of cyber threats, most organisations and households across the UK have not “kept pace with the threat”, with attacks becoming more frequent and complex.^9 It has identified the UK’s CNI as a key target.
In response to the growing cyber threat, the Government has developed a national cyber security strategy and a series of initiatives. This briefing focuses on the UK Government’s approach to cyber security.^10 The following sections examine the Government’s response to the cyber threat in the context of its National Security Strategy, and then provide a summary of its National Cyber Security Strategy. This includes an overview of programmes to improve the resilience of the UK’s CNI to cyber-attack, and in particular its measures to address the shortage in the cyber security skills base in that area. The last section briefly discusses NATO’s and the EU’s cyber security initiatives and the recent allegations against the Russian intelligence service.
2. National Security Strategy
The latest UK national security strategy was published in November 2015, as part of the National Security Strategy and Strategic Defence and Security Review 2015 (NSS and SDSR 2015).^11 It set out the UK’s planned strategy for the following five years. The impact of technology, and in particular cyber threats, was identified as one of four main challenges likely to drive UK security priorities over the subsequent decade.^12
(^7) National Cyber Security Centre, Annual Report 2017, 3 October 2017, p 10.
(^8) ibid, pp 10–11. Further information on these attacks can be found in: National Cyber Security Centre, Annual Report 2017, 3 October 2017.
(^9) HM Government, National Security Capability Review, March 2018, p 3.
(^10) Examples of other approaches to cyber security can be found in the NATO Cooperative Cyber Defence Centre of Excellence’s (CCDCOE) briefing, Cyber Deterrence: A Comprehensive Approach? (April 2018); and the Parliamentary Office of Science and Technology’s briefings, Cyber Security of National Infrastructure (May 2017) and Cyber Security in the UK (September 2011). The CCDCOE has also published the national cyber security strategy documents of NATO nations and several other states (accessed 11 October 2018).
(^11) HM Government, National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom, November 2015, Cm 9161.
The report stated that the “range of cyber actors threatening the UK” had grown; it identified an increasing number of states, with state-level resources, developing advanced capabilities potentially deployable in conflicts, including against critical national infrastructure (CNI) and government institutions, as well as a growing number of non-state actors, including terrorists and cyber criminals.^13
The strategy set out the Government’s plans to improve the UK’s cyber security in response to the growing threat. The measures included:
Regarding the implementation of the strategy, the paper highlighted the importance of the UK’s early warning systems and how the Government, particularly the National Security Council (NSC) and the Cabinet Office briefing rooms (COBR), respond to crises.^17
(^12) HM Government, National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom, November 2015, Cm 9161, p 15. The other three were: the increasing threat posed by terrorism, extremism and instability; the resurgence of state-based threats and intensifying wider state competition; and the erosion of the rules-based international order, making it harder to build consensus and tackle global threats.
(^13) ibid, p 19.
(^14) The National Cyber Security Centre opened in October 2016.
(^15) HM Government, National Security Strategy and Strategic Defence and Security Review 2015: A Secure and Prosperous United Kingdom, November 2015, Cm 9161, pp 40–1.
(^16) ibid, p 78.
(^17) ibid, pp 81–3. The NSC was established in 2010 to provide collective strategic leadership on national security and crisis situations. COBR is its operational arm and coordinates the Government response to a crisis.
learn lessons for the future”.^23 The NCSC is part of GCHQ.
3.2 National Cyber Security Policy
National Cyber Security Strategy 2016–
In November 2016, the Government published its five-year National Cyber Security Strategy.^24 It set out its vision for the UK to be “secure and resilient to cyber threats, prosperous and confident in the digital world” by 2021. It made a commitment to invest £1.9 billion in cyber security over the five-year period.^25
The strategy set out the Government’s implementation plan under three objectives:
Cyber security of critical national infrastructure (CNI) was listed as a priority.
The strategy stated that to achieve these outcomes the UK Government intended to intervene more actively and with greater investment. The measures included:^27
(^23) National Cyber Security Centre, ‘About the NCSC’, accessed 4 October 2018.
(^24) HM Government, National Cyber Security Strategy 2016–2021, November 2016.
(^25) ibid, pp 9–10.
(^26) ibid, p 9.
(^27) ibid, pp 9–10.
(^28) Active cyber defence (ACD) is the principle of implementing security measures to strengthen a network or system to make it more robust against attack.
National Security Capability Review
In July 2017, the Government launched the National Security Capability Review (NSCR) to ensure that the UK’s investment in national security capabilities was “as joined-up, effective and efficient as possible, to address current national security challenges”.^29 It was led by the National Security Advisor, Sir Mark Sedwill, and the Cabinet Office. On 28 March 2018, the National Security Capability Review was published and included a review of the National Cyber Security Strategy.^30
The NSCR made a commitment to continue to implement the National Cyber Security Strategy and to ensure “it ke[pt] pace with the threat”, including through the NCSC.^31 It also reviewed the Government’s progress achieving the objectives set out in the strategy. Its findings included:^32
(^29) Cabinet Office, ‘Strategic Defence and Security Review Implementation’, 20 July 2017.
(^30) HM Government, National Security Capability Review, March 2018.
(^31) ibid, p 21.
(^32) ibid, pp 21–
(^33) ibid, p 21.
whole economy and the whole of society”. The committee also heard evidence from Sir Mark Sedwill, the National Security Advisor, who agreed that the cyber threat cut across the national security and public safety agenda.
The committee argued that the importance of improving the resilience of the UK’s infrastructure, institutions and population had been demonstrated by a series of events, such as the global cyber-attack that affected large parts of the NHS.^38 Mr Sedwill acknowledged the importance of strengthening resilience to cyber-attack and propaganda. He stated that the Government was “conscious of the threat” to the UK’s CNI, and was working with CNI operators to address it.^39 However, he argued that there should be “confidence in our resilience against those threats”, because the attacks so far had “not really worked”.^40
The committee welcomed the Government’s “apparent focus on building national resilience”, but urged the Government to increase public engagement.^41 The committee stated that the Government “must do all it can to inform the British public about the threats we face as a country” and to “empower them to contribute to the Government’s response when appropriate”. It called for the Government to set out its plans to develop community and societal resilience to the range of threats that may arise, and to set out its plans for future crisis management exercises.
4. Critical National Infrastructure and Cyber Security
The Government defines critical national infrastructure (CNI) as the assets, facilities, systems, networks or processes which, if lost or disrupted, would affect national security or the delivery of essential services.^42 The majority of the UK’s CNI is privately owned.^43 The Government monitors CNI cyber security by working with private operators through a variety of channels, including lead government departments and the National Cyber Security Centre (NCSC). In May 2018, the EU Networks and Information Security Directive (NIS directive) was transposed into UK national law. The Network and Information Systems Regulations (NIS regulations) established several competent authorities which are required to provide appropriate oversight and an enforcement regime for the regulations.^44
(^38) Joint Committee on the National Security Strategy, National Security Capability Review: A Changing Security Environment, 23 March 2018, HL Paper 104 of session 2017–19, p 36.
(^39) ibid, p 12.
(^40) ibid, p 36.
(^41) ibid, pp 36–7.
(^42) CNI is categorised into 13 sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport and water (Cabinet Office, Summary of the 2015–16 Sector Resilience Plans, April 2016, p 3).
(^43) Parliamentary Office of Science and Technology, Cyber Security of National Infrastructure, May 2017, p 2.
(^44) UK Government website, ‘NIS Directive and NIS Regulations 2018’, 20 April 2018. Further information on the directive can be found in Section 5 of this briefing.
4.1 Cyber Security of the UK Infrastructure Policy
The Government’s 2016 National Cyber Security Strategy stated that the cyber security of the UK’s CNI—from the physical infrastructure to the digital networks and data—was “critical”, because a successful attack “would have the severest impact on the country’s national security”.^45 Ensuring the CNI is secure and resilient against cyber-attack was set as a priority for the Government.^46 It made a commitment to:
The NCSC warned that the technical barrier to launching successful attacks was decreasing, and that attacks continued to target the UK’s CNI.^48 Current government initiatives for cyber security of the UK’s infrastructure include the NCSC’s cyber essentials scheme, which provides guidance to organisations on how to protect against low-level threats, and its ‘10 steps to cyber security’, which deals with more targeted attacks.^49 CNI operators are expected to implement advanced cyber security measures. These can include:
(^45) HM Government, National Cyber Security Strategy 2016–2021, November 2016, p 39.
(^46) ibid, p 40.
(^47) ibid, p 41.
(^48) HM Government, National Security Capability Review, March 2018, p 21.
(^49) National Cyber Security Centre, ‘Cyber Essentials’, accessed 4 October 2018; and ‘10 Steps to Cyber Security’, accessed 4 October 2018.
In evidence submitted to the committee, the Chancellor of the Duchy of Lancaster and the Minister for the Cabinet Office, David Lidington, provided information on the Government’s plans to publish a cyber security skills strategy and on the existing cyber security skills education and training programmes.
Mr Lidington informed the committee that the Government intended to publish its cyber security skills strategy in December 2018, and that the Department for Digital, Culture, Media and Sport would be responsible for taking the strategy forward.^57 The strategy would set out how the Government planned to ensure that the UK had a sustained supply of cyber security talent with the requisite diversity of skills.
To build a long-term “pipeline of cyber security talent”, Mr Lidington said the Government was “nurturing the right level of aptitude and ambition in the next generation”.^58 For example, he highlighted the cyberfirst programmes. He stated that while the initiatives were relatively recent, and the data limited, the Government could point to some early successes. For instance, in 2017/18, the NCSC hosted 1,818 students, 45 computer science teachers and over 800 parents on cyberfirst summer courses and one day events, including a 44 percent female participation rate on the summer courses. Additionally, Mr Lidington stated that the Government was on target to have awarded 1,000 bursaries by 2020.
(^57) Joint Committee on the National Security Strategy, ‘Correspondence from David Lidington to the Chair 12 July 2018’, 17 July 2018.
(^58) ibid.
To address the issue in the short-term, Mr Lidington stated that the existing workforce across Government and industry were being developed and retrained through schemes such as:^59
Mr Lidington also announced the Government’s intention to consult on proposals to develop a cyber security profession in the UK.
5. UK and its Global Partners
The Government stated in the National Security Capability Review (NSCR) that it would “champion coalitions of like-minded” governments and industry partners to “strengthen our cyber defences and collective security”.^60 It made a commitment to encourage collaboration between the EU and NATO, and to increase its investment in building the cyber defence capacity of its international partners.
The NATO alliance is founded on the principle of collective defence, meaning that if one NATO ally is attacked, then all NATO allies are attacked.^61 Cyber defence is an agreed component of collective defence. The UK Government reaffirmed its commitment to collective defence in the NSCR.^62
NATO has implemented several cyber security measures which include:^63
(^59) Joint Committee on the National Security Strategy, ‘Correspondence from David Lidington to the Chair 12 July 2018’, 17 July 2018.
(^60) HM Government, National Security Capability Review, March 2018, p 8.
(^61) North Atlantic Treaty Organisation, ‘10 Things You Need to Know About NATO’, 27 February 2018.
(^62) HM Government, National Security Capability Review, March 2018, p 8.
(^63) North Atlantic Treaty Organisation, ‘Cyber Defence’, 16 July 2018.
The Government’s white paper on The Future Relationship between the United Kingdom and the European Union, published on 12 July 2018, highlighted that at the point of its exit from the EU the UK would be fully aligned with the EU’s NIS directive.^69 The UK’s NIS regulations 2018 implemented the directive and placed legal obligations on providers to protect UK critical services by improving cyber security.^70 The NIS regulations established a number of competent authorities to provide appropriate oversight and an enforcement regime for the regulations. For instance, Ofcom was made the competent authority for the UK’s digital infrastructure.^71 The National Cyber Security Centre (NCSC) is the CSIRT under the NIS regulations.^72
Michel Barnier, the European Commission’s chief negotiator for article 50 negotiations with the UK, has stated that in the areas of justice, freedom and security the EU will need to cooperate strongly with the UK.^73 However, he highlighted that once the UK leaves the EU, it will be a third country, and will have left the EU’s “ecosystem” based on “common rules and safeguards, shared decisions, joint supervision and implementation and a common court of justice”. He stated the UK will therefore need to “build a new relationship” with the EU.^74
5.3 Recent Developments
On 4 October 2018, the UK, Dutch and US governments made a series of coordinated statements alleging that members of the Russian intelligence service, the GRU, had committed a number of global cyber-attacks.^75
The National Cyber Security Centre (NCSC) stated it had identified that cyber actors widely known to have been conducting “indiscriminate and reckless cyber-attacks” around the world “were, in fact, the GRU”.^76 Targets included firms in Russia and Ukraine; the US Democratic Party; and a small TV network in the UK. It also alleged that in March 2018, the GRU attempted to compromise the UK Foreign and Commonwealth Office (FCO) computer systems through a spear-phishing attack. The Netherlands announced that it had expelled four Russians accused of plotting to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018.^77 At the time, the OPCW had been probing the chemical attack on a Russian ex-spy in the UK. The US Department of Justice said its anti-doping agency, football's governing body FIFA and the US nuclear energy company, Westinghouse, had been targeted. In addition, the Canadian government said “with high confidence” that breaches at its centre for ethics in sports and at the Montreal-based World Anti-Doping Agency were carried out by Russian intelligence. As a result of the findings, the US indicted seven people, four of whom were the men expelled from the Netherlands, while the other three were among those charged in July 2018 with hacking Democratic officials during the 2016 US elections.
(^69) HM Government, The Future Relationship between the United Kingdom and the European Union, July 2019, Cm 9593, pp 70–1.
(^70) UK Government website, ‘NIS Directive and NIS Regulations 2018’, 20 April 2018.
(^71) A list of the competent authorities can be found in: Department for Digital, Culture, Media and Sport, Security of Network and Information Systems: Guidance for Competent Authorities, April 2018.
(^72) Further information about the NIS regulations 2018 can be found at: UK Government website, ‘NIS Directive and NIS Regulations 2018’, 20 April 2018.
(^73) European Commission, ‘Speech by Michel Barnier at the European Union Agency for Fundamental Rights’, 19 June 2018.
(^74) Further information about the EU’s proposals on future EU-UK security cooperation can be found in: House of Commons Home Affairs Committee, UK-EU Security Cooperation after Brexit: Follow-up Report, 24 July 2018, HC 1356 of session 2017–19.
(^75) BBC News, ‘Russia Cyber-plots: US, UK and Netherlands Allege Hacking’, 4 October 2018.
(^76) National Cyber Security Centre, ‘Reckless Campaign of Cyber-attacks by Russian Military Intelligence Service Exposed’, 4 October 2018.
In a joint statement, the UK Prime Minister, Theresa May, and the Prime Minister of the Netherlands, Mark Rutte, said the alleged plot against the OPCW demonstrated “the GRU’s disregard for global values and rules that keep us all safe”.^78 The European Union, in a joint statement by the President of the European Council, Donald Tusk, President of the European Commission, Jean-Claude Juncker and High Representative of the Union for Foreign Affairs and Security Policy, Federica Mogherini, said they “deplor[ed] such actions, which undermine international law and international institutions”.^79 They stated that the EU would continue to strengthen the “resilience” of its institutions and those of its member states, and also “international partners and organisations in the digital domain”. The UK Secretary of State for Foreign and Commonwealth Affairs, Jeremy Hunt, has said Russia could face sanctions.^80
In response to the allegations, the Russian government said that these announcements were “yet another stage-managed propaganda campaign”.^81
(^77) BBC News, ‘Russia Cyber-plots: US, UK and Netherlands Allege Hacking’, 4 October 2018.
(^78) Prime Minister’s Office, ‘Joint Statement from Prime Minister May and Prime Minister Rutte’, 4 October 2018.
(^79) Council of the European Union, ‘Joint Statement by Presidents Tusk and Juncker and High Representative Mogherini on Russian Cyber-attacks’, 4 October 2018.
(^80) Pippa Crerar, Jon Henley and Patrick Wintour, ‘Russia Accused of Cyber-attack on Chemical Weapons Watchdog’, Guardian, 4 October 2018; and BBC News, ‘Russia Cyber-plots: US, UK and Netherlands Allege Hacking’, 4 October 2018.
(^81) BBC News, ‘Russia Cyber-plots: US, UK and Netherlands Allege Hacking’, 4 October 2018.