Guidance

Secure by Design Problem Book

Published 24 April 2025

Introduction

‘Secure by Design’ is becoming mandated across UK government for securing crown data and services. The ‘Secure by Design’ approach adopted by the Ministry of Defence (MOD) ensures security is designed into any project delivering capabilities or services, such that security is considered from the outset and through life.

Successful adoption of ‘Secure by Design’ requires a step change in design thinking about security.  However, the range of military capabilities that need to be supported means its adoption within UK defence also introduces challenges not found in enterprise settings, or other parts of government. These include social and technical interoperability challenges, technical debt associated with legacy platforms, and the difficulties presented by operating capabilities in harsh and contested operating environments worldwide. 

The root causes of some of these problems warrant further investigation, even if the background to such problems cannot be openly disclosed. 

MOD has neither the capacity nor the expertise to investigate all of these problems on its own. Some problems and their associated challenges require academic inquiry, while the solutions to others will take the form of new products and services. All will require growth in the supplier community to provide solutions necessary for MOD’s adoption of ‘Secure by Design’ to continue at pace, and at scale. However,  investigation of these problems can begin only if people know what they are.

We present a collection of research problems associated with MOD’s approach to ‘Secure by Design’. In doing so, these problems are presented as opportunities for suppliers, from industry and academia, to propose solutions that address them. For each problem, we summarise its importance to MOD and outline different challenges describing sub-problems relevant for different specialist communities.

Problem 1: how do we up-skill UK defence in ‘Secure by Design’?

Summary

MOD policy assumes that those engaged with ‘Secure by Design’ activities are suitably qualified and experienced. However, applying ‘Secure by Design’ requires a ‘one team’ approach across UK defence where different roles - both within MOD and the broader supply chain - play a part in delivering and maintaining resilient capabilities (Secure by Design: User-centred guidance on Digital MOD.UK). 

Each role is associated with a body of knowledge, and effective and efficient approaches are needed to deliver this knowledge.

Challenges

Mapping the body of knowledge

Given the broadness of its scope, MOD’s ‘Secure by Design’ knowledge landscape needs to be mapped. Some, but not all, of this knowledge can be drawn from the Cyber Security Body of Knowledge (CyBOK).

What subset of knowledge and topics from CyBOK, and related literature and standards (both international and UK defence) are relevant for ‘Secure by Design’? 

Because military capabilities require different disciplinary perspectives, and security cross-cuts these perspectives, what knowledge needs to be drawn from intersecting bodies of knowledge - for example, safety, software, system, and human factors engineering?

Delivery mechanisms

UK defence needs a robust Suitably Qualified and Experienced Personnel (SQEP) pipeline to deliver the next generation of military platforms, and continue to maintain those currently in-service. 

New entrants to UK defence might be graduates of appropriate full-time undergraduate or postgraduate programmes, or undergraduate or postgraduate degree apprenticeships.

How can appropriate knowledge be successfully incorporated into this pipeline to ensure new entrants within MOD or the supply chain can confidently apply MOD’s ‘Secure by Design’ principles and practices? 

Competency frameworks

To ensure MOD and supplier teams are staffed with appropriate expertise, some form of competency framework is required. 

What does such a MOD ‘Secure by Design’ competency framework look like, and how can skills within the framework be measured for different levels of expertise - for example, awareness, practitioner, and expert? 

How can such a competency framework also best be situated in UK defence, to make it equally available to MOD and suppliers to set expectations, and encourage new entrants to the UK defence market?

Problem 2: how does ‘Secure by Design’ account for unevenly distributed information and knowledge?

Summary

In theory, ‘Secure by Design’ assumes the presence of professional engineers in a position to openly exchange information and knowledge with other engineers, and stakeholders. In practice, information and knowledge in UK defence is not evenly distributed, and security concerns might span organisational and disciplinary boundaries.

Not all of these asymmetries can be addressed by changes to culture. Therefore, ‘Secure by Design’ approaches need to account for intentional and unintentional inhibitors to sharing and transparency.

Challenges

Capability protection

MOD may not be in a position to share all available ‘Secure by Design’ evidence. For example, disclosing certain threat models, risk information, and security requirements with suppliers could reveal information useful to adversaries. 

What approaches could be taken to share sufficient evidence with suppliers to help them incorporate security into their system architectures and implementations while meeting MOD’s expectations for assurance?

Supplier assurance

MOD relies on suppliers for ensuring the architectural design and implementation of military platforms, as well as their through-life support accounts for ‘Secure by Design’.  However, for different reasons, suppliers may be challenged to share all the information necessary to provide evidence of ‘Secure by Design’. 

Export restrictions could inhibit a supplier from being as open with MOD about their technology as they would like. ‘Secure by Design’ evidence may also be sensitive Intellectual Property that cannot be easily shared without impacting a supplier’s competitive advantage. 

While increased transparency is desirable, pushing for this could disincentivise suppliers from engaging with UK defence, thereby weakening our industrial base. 

How can suppliers provide MOD with the assurances it requires without the disclosure of information suppliers consider sensitive or competitive? 

Disciplinary differences

The multidisciplinary nature of delivery teams and the concurrent nature of capability engineering means that an uneven distribution of knowledge is inevitable. This can be a chance to think creatively about a problem in lieu of scarce security engineering expertise.  However, distributing expertise makes it easier for different stakeholders to fail to appreciate the value of assets, or impact of vulnerabilities afforded by a design should requirements be miscommunicated or misinterpreted. 

What techniques and tools could help share security design knowledge across different disciplines?

How can ‘Secure by Design’ approaches account for the multidisciplinary concurrent design and engineering practices common in UK defence?

Problem 3: how do we incorporate ‘Secure by Design’ into the very earliest stages of capability acquisition?

Summary

In theory, ‘Secure by Design’ should be applied at the outset of a programme or project.  In practice, a military capability’s form and functionality is still emerging at such an early stage, taking the form of little more than a single statement of user need. 

It’s important to understand what ‘Secure by Design’ looks like when applied at the pre-concept and concept stages of acquiring a capability. 

Military capabilities primarily exist to deliver some effect for UK defence, and cyber security will always be a secondary goal. As such, while bolting security on later increases costs and make a military capability more open to attack, interfering with a project or programme drumbeat at the earliest stages could also increase the cost and effort of design, such that the capability itself needs to be reconsidered.

Challenges

Requirements coherence

At the earliest stages of capability acquisition, different engineers might independently be investigating security, safety, and human factor concerns while requirements for the military capability are still being elicited. 

Both the requirements and the analysis that underpins them are an important input for ‘Secure by Design’. 

What tools and techniques can be used to support the coherent engineering of functional and non-functional requirements?

What contribution do these tools and techniques make to the body of evidence required by ‘Secure by Design’?

Pan-DLOD ‘Secure by Design’

Within UK defence, Defence Lines of Development (DLODs)  - training, equipment, personnel, information, doctrine, organisation, infrastructure, and logistics - encompass the different facets of a military capability. Security, like interoperability, safety, and the environment, cross-cuts these DLODs. 

What approaches can be used to model pan-DLOD threats to capabilities, given the interdisciplinary nature of DLODs, and limited knowledge of threats and vulnerabilities to them?

Operational analysis integration

The earlier security is considered, the more different stakeholders may directly or indirectly influence the security requirements for the capability. 

Operational Analysis (OA) plays an important role in not only forming options for a military capability, but helping formulate the risk appetite that feeds into subsequent ‘Secure by Design’ activities and evidence. 

How could OA data and activities effectively integrate with MOD’s ‘Secure by Design’ activities? 

How could MOD’s ‘Secure by Design’ activities and evidence feed back into OA to improve decision making about changes to or the evolution of military capabilities?

Problem 4: how do we support ‘Secure by Design’ through life?

Summary

Many defence platforms are long running. Their engineering can take years, with some capabilities remaining operational for several decades, sometimes beyond the initial planned obsolescence date. 

The rationale that underpin design decisions may rely on assumptions which may be forgotten with the passage of time, the drive for innovation, changes to operating environments, and a new generation of engineers. 

As such, ‘Secure by Design’ approaches need to be sustained as long as the capabilities they support.

Challenges

Continuous risk management

Decision makers may need to make decisions about capabilities based on changes resulting from their interaction with operational environments. 

‘Secure by Design’ mandates the continuous monitoring and assurance of capabilities. 

How can information be drawn directly from capabilities in trials or operations, and used to automate a military capability’s continuous risk management approach?

Coalition partner interoperability

UK sovereign capabilities may be combined with partner nation capabilities for some particular operation or mission. Such coalition partners could be within or outside of NATO. 

What technical and non-technical barriers need to be overcome to facilitate interoperability between MOD’s approach to ‘Secure by Design’, and equivalent approaches adopted by coalition partners? 

What tools and techniques can also be used to exercise this interoperability to provide real-time updates to UK and coalition partner commanders on whether their risk appetites are being satisfied?  

Growing and sustaining the ‘Secure by Design’ research ecosystem

To date, researchers have been disincentivised from tackling security design problems. Generalising research beyond experiments is difficult and time consuming, as is the recruitment of suitably qualified research subjects, and obtaining access to MOD and supplier processes and their results. 

The UK capability for addressing the problems described in this problem book is currently weak. 

What initiatives can be used to build a MOD ‘Secure by Design’ research capability? 

How can UK defence also sustain and grow this research capability, to ensure it remains as through life as the military capabilities it needs to support?