Intelligence and Security Committee report highlights cyber security failings and GCHQ staffing issu
Intelligence and Security Committee report highlights cyber security failings and GCHQ staffing issu

There is "significant opportunities for the UK's intelligence and security agencies and military" to learn and develop cyber war abilities.

According to the 2011/12 Intelligence and Security Committee (ISC) annual report, some progress had been made in developing cyber war abilities but more had to be done in such a "fast-paced" field.

The report acknowledged that last year there was "insufficient clarity in terms of ministerial responsibility and accountability for cyber security".

It said: “We welcomed the transfer of responsibility from the Home Office to the Cabinet Office, which is better suited to overseeing cross-government initiatives and programmes.

“While the situation now is much clearer than it was previously, we remained concerned as to whether there was still potential for confusion, given the Foreign and Home Secretaries' overall responsibilities for the agencies. This is particularly important for GCHQ, which is the lead agency on cyber security.”

The report also said that a funding shortfall for GCHQ had reduced significantly; this has led to an increase in staffing by a third. GCHQ also reported to the ISC that work to protect UK interests in cyber space has increased significantly in recent years, but more still needs to be done.

However the committee also said that there was a real concern over the ability of GCHQ to retain internet specialists to respond to the threat to UK cyber security.

It said: “In our 2010–2011 annual report we recommended that GCHQ explore ways to improve the situation and that the Cabinet Office, as lead department for cyber security, should consider employing a system of bonuses for specialist skills, such as is used in the US.

“This year we were told that the situation had deteriorated and that GCHQ was 'losing critical staff with high end cyber technology skills at up to three times the rate of the corporate average (3.4 per cent)'.”

The committee also said that the problem was likely to increase in the coming years due to the "growing market for cyber security experts" and that government was unable to match the salaries that the private sector was offering.

It suggested a new employment model, which created mutual benefits for government and industry from trained cyber experts, was needed.

The report also said that there are significant opportunities for the UK's intelligence and security agencies and military that should be exploited in the interests of UK national security. It said that in the committee's view, these could include:

  • Active defence: Interfering with the systems of those trying to hack into UK networks.
  • Exploitation: Accessing the data or networks of targets to obtain intelligence or to cause an effect without being detected.
  • Disruption: Accessing the networks or systems of others to hamper their activities or capabilities without detection (or at least without attribution).
  • Information operations: Using cyber techniques and capabilities in order to deliver information operations.
  • Military effects: The destruction of data, networks or systems in support of armed conflict.

It concluded the section on cyber security by saying that the National Cyber Security Programme has delivered some progress on developing cyber capabilities, but as cyber security is a fast-paced field "delays in developing our capabilities give our enemies the advantage".

“We are therefore concerned that much of the work to protect UK interests in cyber space is still at an early stage,” it said.

ISC chairman Sir Malcolm Rifkind MP said: “It is clear that the provision of security advice and education to government, business and individual computer users will generate the greatest improvement to our collective cyber security. Although CESG and CPNI, among others, continue to provide an invaluable service in this regard, we believe education and basic security measures should be given greater priority.

“We note that GCHQ and the other agencies have had some success developing cyber capabilities. However, the committee is concerned at the lack of progress over 18 months into the National Cyber Security Programme: more needs to be done if we are to keep ahead in this fast-paced field.”