Chris Morriss, Team Leader – Cyber Assurance at the Defence Science and Technology Laboratory (Dstl), details the role of government science and technology in building cyber capability
The Defence Science and Technology Laboratory (Dstl) provides cyber advice to the UK government, informing both military and civilian domains of potential vulnerabilities and risks. One of Dstl's most recent initiatives, carried out with both the Ministry of Defence and wider government, is the Cyber Vulnerabilities Investigation (CVI) project.
The aim of the CVI project is to work with those responsible in government to help make the management of cyber risk a business-as-usual activity, against a backdrop of continually changing technology and threats. Any business carries many enterprise risks, whether that business is defending the realm or providing essential services through Critical National Infrastructure (CNI). This is particularly important for a number of government departments, as they have responsibilities to work with selected CNI industry sectors.
Cyber is not a risk traditionally captured in an organisation's risk register. There is a strong possibility that nobody within the business governance framework is responsible or accountable for making sure cyber assets are suitably considered from a protection and resilience perspective. Cyber systems are of course prevalent in all businesses, large and small, and often form the backbone of operations. Remove the backbone and the organisation will retain little capacity to operate sustainably, if at all. This becomes an increasing concern as major military systems and operators of CNI adopt a more automated approach, driven by technology upgrades, efficiency savings and regulatory requirements.
Dstl has a broad and deep science and technology portfolio. It has developed the capability to co-ordinate advice and support, bringing rigour and clarity to customers with fit-for-purpose guidance. Dstl is one of a number of government organisations working together to provide impartial advice in support of the National Cyber Security Programme (NCSP). Dstl recognises that there are commercial entities within the UK supplier base that can also provide advice, and it actively seeks to draw on them to support this work.
The cyber domain is fast-moving, evolving and refreshing its technology on a regular basis. Its operation is largely invisible, hidden within computing devices and cables (or carried over the air, e.g. Wi-Fi), and it often cares little about geography. Hence, how to protect the electronic borders or gateways within CNI, as well as the devices and software inside it, are all key considerations. Both information technology (IT) and operational technology (OT) networks are areas of cyber risk and should be considered, and sponsored appropriately, on a regular basis.
The work that Dstl has been carrying out has identified, at a very high level, two elements to mitigating cyber risk. The first is the traditional consideration of appropriate technical solutions and assurance. Operating systems such as Windows XP are no longer supported by their vendor, so any newly discovered vulnerability is unlikely to be patched, and every system still running them carries that exposure for as long as it stays in service. The same issue exists for computing hosts, servers and industrial computing solutions such as programmable logic controllers, whose firmware and engineering software often outlive vendor support. The second element is governance: many organisations are not funded for even the most basic situational awareness tools, such as network monitoring, without which an intrusion on either the IT or the OT side may go unnoticed.
Western industry is a financial construct. As such it will typically invest only as much as it needs to conduct business as usual, and that includes investment in cyber solutions. Under static and controlled conditions this would be fine. Unfortunately, the cyber domain is not static, has few borders and can suffer from both inside and outside threats, whether deliberate or accidental (for example, introducing malware via uncontrolled removable media, or clicking on a phishing email).
So there are governance challenges regarding investment in cyber risk mitigation: protecting against threats in the domain, staff education (at all levels of a business), cyber policy, and the control and audit of devices. Many businesses are now recognising cyber risk and investing appropriately. Dstl has seen a spectrum of maturity across many CNI sectors and is confident that, with buy-in at the right level, the majority of the risks can be mitigated.
The UK government has a part to play here too. Traditionally, advice to industry has been provided from disparate sources. This is changing rapidly, with cyber initiatives such as Dstl's CVI project supporting lead government departments to provide a single focal point for industry guidance.
Team Leader – Cyber Assurance
Defence Science and Technology Laboratory (Dstl)