When the UK Defence Secretary Philip Hammond announced on Sunday 29th September that he was establishing a Joint Cyber Reserve to create a cyber attack capability, reaction focussed on the ‘attack’ angle. But industry experts saw this public revelation of attack capability as primarily for his political conference consumption, perhaps a rash thing to do, but only making public what was already understood to be the case.
For many, the implications of the word ‘Reserve’ drew most attention, with questions about how such a private sector force would operate within military command structures. Dr Thomas Rid, reader in war studies at King's College London, commented to SC Magazine: “The intelligence services do not have a reserve system, therefore they are unable to tap into private sector expertise in a similar way. Some people think the Ministry of Defence (MOD) is going to be competing with GCHQ for talent, but it's not, as people can stay in their positions in the private sector and still contribute to the public sector work – an intelligence agency can't set up a reserve unit.”
A spokesperson for the MOD confirmed to SC Magazine that these new recruits will indeed maintain their civilian jobs while working alongside regular forces – partially countering concerns voiced about the shortage of likely candidates, highlighted earlier this year in a National Audit Office report, which identified a shortage of UK IT experts able to combat cyber attacks.
Recruitment for the unit begins this month, and former Armed Forces personnel and current and former reservists with the necessary skills are invited to apply along with civilians who would need to be security vetted, meet citizenship and residency requirements, and agree to annual training. Part of the new British Joint Cyber Reserve will support a section of the Joint Cyber Unit stationed at MOD Corsham in Wiltshire.
"The Cyber Reserves will be an essential part of ensuring we defend our national security in cyber space," said Hammond. "This is an exciting opportunity for internet experts in industry to put their skills to good use for the nation, protecting our vital computer systems and capabilities."
The move is welcomed within the security sector, with former RAF Sergeant Jim Seaman, a specialist in cyber security at RandomStorm, commenting, “Much of the communications technology that we take for granted today has its roots in military technology, including the internet, mobile and wireless comms and encryption. As a result, many people with a military background move on to careers in the high-tech sector. It makes sense for the MOD to call on highly trained and skilled personnel once they have moved into civilian roles, as well as recruiting talented individuals whose computing skills and innovations can bolster our national defence force.”
Ross Brewer, vice president and managing director for international markets at LogRhythm, agrees, telling SC Magazine, “Anything that brings government and industry to work closer together makes sense. There are policy documents [in government] about how organisations should secure networks that cannot be made public to avoid being seen by criminal organisations [but would be useful for industry]. Security clearance and vetting procedures need to be commensurate with the information being shared to avoid insider threat. Bringing in leaders and specialists in industry and briefing them on the threats identified by government will enable better use of the resources that already exist. The benefits outweigh the risks.”
The detail of how this force will be organised and operate raises further issues. “Will people be on secondment? Available for a few days a week or weeks per year?” asks Brewer. Also, the infrastructure used would be a concern – if these are roving reservists remotely connected via mobile or the cable infrastructure, there are new vulnerabilities to consider.
Neil Robinson, a research leader at RAND Europe, suggested to SC Magazine that one of the biggest concerns would be how a reserve might be organised and who would join it. “Establishing a Cyber Reserve raises interesting questions about how the military reserve model applies in the cyber sphere. There are complexities around the social, behavioural, training, skills and overall nature of the individuals. Technology experts typically don't sit well in a military framework of orders, process and a rules-based environment. They are typically more free flowing, problem-solving and would suit a ‘special forces’ model with a great deal of operational freedom to achieve an outcome with free thinking. But this poses its own problems.”
Incentivising sign-up and retention was also viewed by Robinson as potentially a problem, as the drivers for such people tend not to be money, nor necessarily service of one's country – but more about academic credibility and a willingness to help one's peers. This latter characteristic would also be called upon to overcome the potential issue of commercial confidentiality, where reservists from competing companies work together on a defence project. Robinson suggests that peer sharing in a trusted environment, as already happens in Information Exchanges run at the UK's Centre for Protection of National Infrastructure, would provide the model for cooperation. Brewer felt that for industry individuals, being a reserve would aid their understanding of the sector and government and thus their credibility, giving an opportunity to get into the heart of government. He would welcome his staff taking part.
Amanda Finch, general manager at the Institute of Information Security Professionals, added, "I think it is a good thing for our profession, again emphasising the importance of the role our members perform. It is good for them from a professional perspective, giving them a window to new environments and systems, providing intellectual challenges on something different, which they would welcome."
Another organisational issue that could occur is availability of personnel in case of a national crisis like the one in Estonia. Some people called upon for the reserve could be fighting for their own company and be called away to fight for the government.
“There is a very small pool of high-end experts and they may be in demand by both government and the private sector during a crisis," says Robinson. "What if they are employed in a critical infrastructure like a telco? The government would dictate the priority in a national cyber crisis. Also, a commercial concern will not want to invest in security beyond commercial viability, whereas for government there will be a higher level of need to ensure the viability of systems – such as power, the financial system, communications etc. – so there needs to be discussion as to how this can be done.”
Commentators were divided on the advisability of building and announcing cyber attack capabilities. Kristiina Pennar at the NATO Cooperative Cyber Defence Centre of Excellence, in Tallinn, Estonia, whose organisation wrote the rulebook on cyber warfare (The Tallinn Manual), took a relatively relaxed view, commenting to SC Magazine: “The announcement made by the UK government could be a sign that nations are becoming more open about their activities in cyber space. It has been rumoured for quite a while that some nations already have and are further developing their offensive cyber capabilities, but very few are willing to talk about this openly. We should not forget that there is a big difference between having a capability and actually using it against another nation. Such a capability can be used for purely defence, training and deterrence purposes without using it in real military conflicts.”
According to the Tallinn Manual – which is a recommendation not an agreement – existing laws should apply in cyber space as the UN Charter applies to the use of force (violating sovereignty) regardless of weapons used.
However, Rid pointed out that the current view in Washington is that cyber sabotage attacks may be less useful than originally thought, as a leaked high-profile document, Presidential Policy Directive 20, demonstrated. Also, an aggressive intelligence gathering operation would be needed to secure the level of detail required to sabotage the control element of a target – and then it becomes questionable whether you are deterring or escalating a situation. Rid added: “Do we want this widespread penetration to test vulnerabilities to become the norm?” Robinson largely agreed with this argument, that ‘active defence’, with extensive reconnaissance, or moves to reduce the ability of an enemy to conduct reconnaissance, could quickly escalate.
This concern does not seem to have affected the UK public, for while they opposed going to war in Syria this year, they are more gung-ho about cyber warfare. Brewer noted: “LogRhythm's research found that 65 percent of UK consumers felt pre-emptive (cyber) strikes on enemy states that pose a credible threat to national security are justified, while 45 percent believed that the UK government needed to improve its protection of national assets and information against cyber security threats.”
However, Brewer emphasised that attribution as to where the threats were coming from was a challenge, telling SC Magazine: “If it was coming from a known source – and in some cases the particular buildings and centres are known – then you can block that IP range and use the telcos to block their communications. But with certain instances and certain states there would be obfuscation of the source. And then there is the use of individuals' zombie machines to attack. Do you kill the hard drive of 50,000 PCs of people who don't know they are infected?
“Before launching any pre-emptive strike, government organisations must make sure that they have all of the facts in hand – something that can only be achieved by truly understanding every single piece of activity across their networks. To gain this level of visibility, proactive, continuous monitoring of all IT networks must be in place to ensure that any intrusion or anomaly can be detected before the problem snowballs. Such deep and granular insight will equip the government with the ability to instantly determine the scale of an attack, and most importantly, increase the accuracy of attribution.”
Robinson saw this level of effort as so onerous as to make attribution less of an issue, noting that cyber space attacks were unlike real world attacks given the panoply of options and routes to attack. Instead, Robinson suggests that the move could be part of strategic defence. In ‘deter by denial’, you actually create a barrier so strong that the efforts to gain access exceed the benefit of doing so – or strategically, you create the impression that this is the case.
With an estimated £500 million to be spent on the project over the next few years, on the back of a £650 million national cyber security programme launched two years ago, the implications are clear: there is increasing demand in the UK IT security industry in terms of expertise and effective solutions.