I would like to thank GovNet for organising today’s conference and providing me with the opportunity to engage with such an informed group.
You have heard a lot today about the main issues affecting defence and security policy makers at the moment.
In speaking today I will focus on the MOD which may not be of direct relevance to some of you but I hope will be of interest nevertheless.
The government’s recognition of the need to prioritise these issues was reflected in the Chancellor’s Spending Review announcement last week.
We have increased spending on our intelligence agencies, protected our armed forces from any reduction in numbers, increased in real terms their equipment budget and the Chancellor committed to make a major investment in cyber, which he described as “the new frontier in defence.”
As part of this commitment we are extending our National Cyber Security Programme by a further year, investing an additional £210 million on top of the £650 million provided in the Strategic Defence and Security Review in 2010.
It is clear to me, as Minister for Defence Equipment, Support and Technology, that cyber, this new frontier, is having a major impact on the way we are now procuring defence equipment.
And this is something I want to talk to you about today.
Conflict is as old as human history; its energy and the importance of its outcomes have always had an impact on technological evolution.
There have been times where the intensity of conflict has driven developments in civil technology.
Think about rocket, radar and nuclear technology during the Second World War.
And there have been times when technological revolutions have driven the nature of conflict.
The discovery of gunpowder by Chinese alchemists had profound consequences for the conduct of battle ever since.
Right now we are undergoing our own “gunpowder” moment.
Cyber technology is not emerging, as you heard from earlier speakers, it has already emerged and is all around us: in your pockets, throughout your houses and moving unseen in the air around us.
What is emerging, though, is defence’s response to this ubiquitous technology.
The importance of cyber to defence
Our first task in deciding how best to respond to the threats and maximise the opportunities presented by cyber is to understand what it is and how it could potentially affect the business of defence.
I am aware that there are many definitions of the term “cyber”, depending on your perspective and area of interest.
So I shall start by setting out what we in defence mean by cyber.
For the Ministry of Defence cyber is a domain of operations, a man-made construct, but one which is increasingly important to our national security.
It embraces our telecommunication networks, our computer systems, and the embedded processors and controllers which run every aspect of our lives.
It is the culmination of all our devices, everything that shares information and is linked, or can be linked, either permanently or temporarily. For us it is much larger than the internet.
In essence it comprises electronic devices, personal data and an ethereal network spanning the globe and extending into space.
The infrastructure that creates the domain is physical, but the connections it creates are not constrained by geography.
This is important to defence because we are concerned with the environments in which armed forces can operate and which they must defend.
Traditionally these were the physical geographic domains, land and sea for thousands of years, from the 20th century air and space too.
Now we see cyber as a new global domain, a medium in which we must learn to conduct our defence business.
Cyber has permeated into all sectors of society and life, from smart phones and traditional computers, to the controls that regulate power and traffic as we’ve heard, the integrated logistics systems in supermarkets and even medical devices which keep individuals alive like pacemakers and insulin pumps which now contain wireless transmitters.
The same is true for defence.
Our armed forces depend on computer networks for command, control, intelligence, logistics and administration.
Those systems in turn depend on our partnership with the many contractors who support the defence mission, whether directly as prime contractors, or as part of the broader defence supply chain.
Nowadays, the entire process takes place in the cyber domain, and consequently must be protected from cyber attack.
Imagine if during a conflict a critical replenishment order for the supply of ammunition is interrupted, interrogated or diverted. Such an intervention could have battle-losing effect.
Also military platforms and weapon systems are now highly sophisticated, computerised and networked.
Take, for example, the navigational data required for advanced jet fighters, which exists in cyberspace.
What would happen to our ability to operate these aircraft if the navigational information had been interfered with?
Because of our dependence on cyber, the nature of our mission and the size of our organisation, it should come as no surprise that defence is a large and attractive target for attack.
Our systems are regularly targeted by criminals, foreign intelligence services and other malicious actors seeking to exploit MOD personnel, disrupt MOD business and operations, corrupt our systems and steal information.
This is not unique to the MOD; other government departments and the private sector are also affected, as has been highlighted previously by the Foreign Secretary and the Director of GCHQ.
But the work of the armed forces can be a matter of life and death, and the nature of operations often means there are adversaries who are striving to counter our efforts.
Maintaining our technology edge over our adversaries is vital, and this means a shared interest with industry in protecting the intellectual property which provides that edge, often in face of sophisticated and widespread cyber espionage.
For many reasons our resilience to cyber attack is vital to the defence of the UK.
The defence response
And this is why defence needs its own cyber response.
Our new Joint Forces Command, which stood up in April this year, leads on that response, ensuring that we consider cyber in all of our future planning and operations; that we have in place the structures and capabilities to operate and defend our systems against cyber attack; and that we have made the vital investment in our people to ensure they have the skills and training needed to do so.
The Global Operations and Security Control Centre, based at Corsham, just outside Bath, is at the heart of this operation.
It brings together our key network providers with the military teams who are able to make minute-to-minute decisions on the priorities for network operation and defence.
One single MOD/industry team working together to counter the threat supported by GCHQ and our intelligence staffs.
We understand that our cyber defences can’t stand still.
Following the decision by the National Security Council to place the potential threat from cyber as a Tier one threat to the nation, as we heard earlier, along with International Terrorism and a major national ecological disaster, this Government committed £650 million to improve cyber security within the UK.
On top of the money allocated to the MOD from this fund in 2010, we have also allocated a further £70M over the next 4 years from within our own budget for improving our cyber defence capabilities.
But this is not just about structures and resources.
It is fundamentally about changing behaviour.
Last week the Chief of the General Staff, General Sir Peter Wall, said that cyber warfare must become an integral part of the work of the armed forces, and that threats presented by cyberspace called for our armed forces to “think and act differently”.
I endorse his sentiments and can reassure you that this is the essence of much of what we are trying to do.
Many of the threats to our cyber security can be mitigated by changes in behaviour, getting the basics right through instilling a culture of “cyber hygiene”.
GCHQ put the proportion of threats that can be stopped by changes in users’ behaviour at 80%; Brett Arsenault, the Chief Information Security Officer of Microsoft, put the figure at 96% at a recent RSA/Intellect conference.
So it is important that we develop a culture of cyber security, because at the moment most of the problems are coming through the cyber equivalent of an unlocked door or an open window.
But the threat is constantly evolving.
Cyber security depends on our whole team being vigilant.
And we are only ever as strong as our weakest link.
This is true for the individuals we employ, but it is also true for the organisations we work with.
In my area in Defence, equipment and support, we receive and share data with thousands of companies.
It is vital that we all view ourselves as one network, working together and learning from one another when it comes to cyber security.
Defence cyber protection partnership
So I am pleased to be able to announce today, as foreshadowed by the Chair, that we have established a partnership with industry that will strengthen our defences throughout the supply chain.
The defence cyber protection partnership brings together nine of our largest contractors to get those basics right.
They have committed to: raising awareness of cyber security as an issue, both internally and amongst their sub-contracting supply chain; exchanging information on threats and vulnerabilities; and working with us to drive up the standards of cyber security throughout the supply chain.
That also means being frank about how mature and effective our arrangements are, and learning from each other’s experiences.
It is a vital part of our strategy to secure the Defence supply chain.
So I’m delighted by the level of commitment shown by BAE Systems, British Telecom, EADS, Hewlett Packard, Lockheed Martin, Logica (CGI), Rolls Royce, Selex ES and Thales in helping us to build our national resilience against cyber attack, and I look forward to more of our key contractors coming on board.
This is a clear demonstration that government and industry can work together, sharing information, experience and expertise, to make sure we do everything we can to safeguard these critical networks, ensuring that the business of defence is robustly protected.
Impact on defence procurement
It is important to get this right as we begin to deliver our new equipment plan, some £160 billion worth of defence equipment and support over the next ten years.
Delivering this programme will see us go through a major upgrade to next generation platforms, which will employ cutting edge communication and weapon systems.
For example, the Joint Strike Fighter (JSF), of which we recently received our third aircraft, draws on some of the most advanced computer systems ever put into military hardware.
One of the things that strikes you about the cockpit of the JSF, as I saw recently on the production line in Fort Worth, is the absence of instrumentation - those of you who are aviators will recognise that cockpits generally do have instrumentation!
That is because most of the displays required to fly the aircraft are contained within the pilot’s helmet.
The implication of all of this next generation equipment is that our capabilities are becoming even more reliant on integrated software and so potentially more exposed to cyber-related risk.
Part of this risk comes from the threat of cyber attack.
But another part comes from the threat of obsolescence.
Some of the platforms we are in the process of procuring, such as the Type 26 Frigates, the first 21st century warship, will potentially be in service for 40 years.
40 years ago, nobody knew what cyber was, the Internet comprised 3 computers in America, and the World Wide Web was 18 years away.
In another 40 years who can predict how cyber will develop?
The rate of technological advance in this field is incredibly rapid.
And defence must make sure we take this into account in our procurement decision making.
In the case of the Type 26 Frigates, we are building these ships in such a way that new equipment and systems can be plugged in easily, allowing them to be more readily upgraded and at lower cost.
Investing in cyber research
Staying ahead of the curve on cyber technology is essential to preserving the operational advantage of our armed forces, so the MOD continues to invest in cyber research and development.
The Centre for Defence Enterprise, part of our Defence Science and Technology Laboratories, is currently funding 11 innovative proposals that will deliver improved cyber situational awareness and cyber defence.
They include ways to model linkages between cyberspace and real world activity and assess vulnerabilities, so that they can be quickly and effectively addressed.
These 11 proposals were mainly from small niche companies and academia.
And we believe these relatively small investments will help give us the foresight to interpret, understand and respond to the impact of the cyber events that will affect defence.
The Centre for Defence Enterprise will be launching another cyber themed call for research proposals this November and I would urge any interested companies in the room to investigate this opportunity when it comes around.
So in conclusion, the development of cyber technology is the most important strategic factor affecting defence at the moment.
For the UK, cyber represents a strength as well as a potential weakness.
It means our armed forces are among the most technologically advanced in the world, giving them operational advantage over many of their adversaries and making the delivery of military effect more efficient.
But it also means almost every aspect of our military capability is potentially vulnerable to cyber attack.
Cyber has become a critical domain for our armed forces and they must learn to operate successfully within it.
The Royal Navy was founded in the 17th Century in response to the need to protect our burgeoning maritime trade.
The British Army was formed in the 18th Century after the creation of the United Kingdom, and was central to us dealing with the existential threat posed by France at the time.
The Royal Air Force was established in the 20th Century, with the advent of the technologies that enabled powered flight.
It is not inconceivable that at some point in the 21st Century a new service is required to utilise and protect cyberspace.
The future is opaque, and no one would sensibly claim to be able to foresee tomorrow with absolute accuracy.
But one thing is clear, the time has come for us to consider cyber in everything we do in defence: in training our personnel, in carrying out operations and in procuring our future equipment.
But the government cannot do this in isolation.
Nor can the armed forces.
The innovation of British industry and science is at the heart of our military capability.
A Briton, Alan Turing, developed the first recognisable computer;
A Briton, Tim Berners-Lee, invented the World Wide Web;
And Britons in our armed forces, civil service, and the industry which supports them continue to be at the forefront of this technological revolution.
Defence must strive to harness the incredible pool of talent we have in this country.
It is only by doing so that we can provide our future security.
I hope that we can all work together to achieve this.