LONDON — The British government is not doing enough to address the military opportunities and vulnerabilities of cybersecurity, the Parliament’s defense committee has warned.
In a report scheduled to be released the morning of Jan. 9, the committee will say that the Conservative-led coalition government has not shown “sufficient vigour” in reacting to a threat that can evolve with “almost unimaginable speed and serious consequences for the nation’s security.
“The Government needs to put in place — as it has not yet done — mechanisms, people, education, skills, thinking and policies which take into account the opportunities and the vulnerabilities which cyber presents,” the report said.
Britain launched a National Cyber Security Programme in late 2010 with funding of 650 million pounds ($1.04 billion) over the period of 2011 to 2015. The Ministry of Defence has been allocated 14 percent, or 90 million pounds. About half of the 650 million will be targeted to improve the U.K.’s core capability, based mainly at GCHQ at Cheltenham, to detect and counter cyber attacks.
Government ministers and intelligence chiefs warned last year that Britain is the target of up to 1,000 cyber attacks every hour that bombarded security, economic and social targets.
Francis Maude, the minister for the Cabinet Office, told a conference in December that Britain is in a race to build cyber defenses to match the country’s increasing dependence on online systems.
The committee, though, voiced its concern that insufficient work had been done by the government to develop security doctrine, rules of engagement or internationally accepted norms of behavior in response to a major international cyber incident.
“There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response. We recommend the MoD makes development of rules of engagement for cyber operations an urgent priority,” the report said.
James Arbuthnot, the defense committee chairman, said in a statement that cybersecurity demands greater government attention.
“It is our view that cybersecurity is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention,” Arbuthnot said.
Leading British cyber industry supplier Cassidian generally welcomed the report, but highlighted company concerns over the lack of U.K. government involvement with a NATO cyber attack initiative, and the general issue of prosecuting cyber criminals.
“The U.K.’s greater involvement with the NATO Cyber-Defence Centre of Excellence has been slow, and the U.K. now needs to move quickly to position itself as the leader in this area that it should be, based on our national capabilities,” said Andrew Beckett, the head of Cassidian Cyber Security Consulting Services.
Beckett said the report also failed to call for greater pressure on the international community to create a common response policy to events in cyberspace, which do not recognize national boundaries.
“There is no current legislation to facilitate the prosecution of cyber crime,” he said. “If an attacker sits in the Ukraine and attacks a server in Texas to gain control and mount another attack on a U.K. organization, then whose jurisdiction does the crime fall under? Who can prosecute it and under which law?
“There is currently no extradition treaty and no agreements in place for the exchange of evidence, which means that criminals are able to operate with impunity.”
With Britain’s armed forces dependent on information and communications, the committee said it is concerned that a sustained cyber attack could fatally compromise the military’s ability to operate.
“It is not enough for the armed forces to do their best to prevent an effective attack,” the report said. “In its response to this report, the Government should set out details of the contingency plans it has in place. ... If it has none, it should say so — and urgently create some.”
Industry also was criticized over its failure to combat the cyber threat.
The report said it is “imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action.”
The committee added, though, that it is impressed by aspects of the cooperation and joint operations between the MoD and private sector contractors.