20 November 2013
How the UK Developed Its Approach to Cyber
Fierce Domain: Conflict in Cyberspace 1986 to 2012. Jason Healy,
Editor. Cyber Conflict Studies Association. 2013.
Unglamorous Awakenings: How the UK Developed Its Approach to Cyber
Group Captain Shaun Harvey RAF858
Britain is quietly proud of its heritage in cyberspace. If evidence is needed,
one need only look at the billing given to the inventor of the World Wide
Web, Sir Tim Berners-Lee, at the opening ceremony of the London 2012 Olympics.
Since the mid-nineteenth century, in producing such British visionaries as
Charles Babbage, who conceived of the first computer, or William Fothergill
Cooke and Charles Wheatstone, who developed Britains own telegraph
system, the UK has been at or close to the forefront of employing information
and its supporting technologies for national ends. Today, Britain has a thriving
technology sector, a population that has embraced a parallel digital existence,
and even the worlds first human cyborg in the shape of Professor Kevin
Warwick.859 The Nations military power relies heavily on
Network Enabled Capability to provide the leverage and flexibility it needs
to deliver its international security contribution. The UKs diplomatic
prowess is vested heavily in information, via public diplomacy and the soft
power projection of national values. Moreover, 21 percent of GDP growth in
the UK is attributed to Internet technologies. London is a core hub of Internet
connectivity, and with an estimated 6 percent of the nations GDP resulting
from e-commerce,860 the UK is increasingly alive to both the
opportunities and vulnerabilities presented by cyberspace. Thus, Britain
can still claim to be at the vanguard of the information revolution.
In 2009, the Cabinet Office produced the first UK National Cyber
Strategy,861 and thereafter, the National Security Strategy in
2010 identified hostile attacks upon UK cyberspace by other states and
large-scale cyber crime as a Tier 1 National Threat.862 The Strategic
Defence and Security Review of 2010863 provided £650 million
of investment over four years and established cyber security as a programme
at the heart of government.864 This chapter will describe some
of the events that have led to the gentle awakening of the UKs cyber
consciousness. It has been written primarily from a UK MOD perspective because
of the size, complexity, and cyber-dependency of that organization. Nonetheless,
it will be shown that at each juncture, wider issues than those first apparent
were at play, forcing the view of cyberspace to become ever more holistic.
The evidence presented in this chapter will show that, rather than employing
a deliberate strategy, the UK governments journey through cyber conflict
has emerged from a holistic approach to information issues, operational lessons,
the exigencies of government reorganization, budget cuts, and the occasional
moment of serendipity. Nonetheless, the end result has allowed Britain to
take its seat at the international cyber top table, at the right hand of
There is very little in the public domain about UK government cyber security
incidents, either concerning evidence that exposes vulnerabilities, current
operational techniques, or developing capabilities. This information rightly
remains classified. Indeed, the unsung heroes of UK cyber operations are,
with little doubt, the men and women of the Government Communications
Headquarters (GCHQ) in Cheltenham. Regrettably, recent stories of GCHQs
exploits must remain unsung.865 However, there is much that we
can learn from the approach the UK military has taken to the lower-level
problems of cyberspace. These are developments that can be mapped largely
to the responses of the burgeoning cyber community to even seemingly innocuous
incidents and opportunities.
This chapter will describe a brief history of the UKs involvement in
cyberspace. It will chart some of the early pioneering technologies and the
uses to which the UK put them, highlighting the historical importance of
information to Britains national interests. It will then show how in
the years following the end of the Cold War, Britain attacked the combined
challenges of modernizing its Armed Forces and making reductions in its defense
budget. Also to be examined are the topics of how this dilemma shaped the
approaches of British policymakers; and how a philosophy of pragmatism, broadly
inspired innovation, and the ability to make do have created
the governance structures, practices, and institutions that constitute the
UKs response to the cyber security question. It is not yet possible
to publish any details relating to major UK operational cyber activities.
However, many of the events that have shaped the thinking and approaches
of the small cadre of personnel involved in protecting Britains interests
in cyberspace are explored in the chapter. It is important to acknowledge
just how much progress has been made in developing a UK Cyber Strategy that
is genuinely cross-governmental. This chapter describes some of its key features
and alludes to some of the challenges that are most likely to be faced in
the next few years.
Before It Had a Name: the Early Evolution of UK Cyber
Long before William Gibson coined the phrase cyberspace in his
novel Neuromancer,866 the UK understood the value both
of information and exploiting technology to maximise its value. The
entrepreneurial spirit so crucial to Britains success throughout the
Industrial Revolution also spawned important national information capabilities
in intelligence and espionage. The Zimmerman Telegram in 1917, and later
the extraordinary and successful efforts to decode the German UItra ciphers
at Bletchley Park, not only pioneered the new world of signals intelligence,
but also gave rise to the development of one of the worlds first computers,
in the form of Colossus.867 Information was established firmly
as a strategic asset. Coincidentally, knowledge was (and still is) viewed
as power, and with the need to know principle in full force,
the culture was set to establish stove-pipes of excellence across government.
In 1940, the early use of Radar technology and the development of a network
of Royal Observer Corps aircraft spotters informing command and control at
Group Headquarters were vital contributors to the success of the Royal Air
Force in the Battle of Britain.868 After World War II, Flight
Lieutenant Arthur C. Clarkes discovery of geosynchronous space
orbits869 made possible the global telecommunications revolution
that would follow. In the years of the Cold War, Britain developed further
capabilities in its military and civilian telecommunications sectors, but
the greatest progress was state-led. Then with the privatization of British
Telecom in 1984,870 market-driven commercial pressures were applied
to the British Telecommunications industry. This also accelerated the transition
to the private sector leading the public in technological development. In
1982, the UK was first surprised and then stretched to the geographical limits
of its reach by the Falklands War. Britains victory was hard fought,
but its military success was significantly aided by new smart
weapons, such as the latest version of the US air-to-air Sidewinder
heat-seeking missile, secure command and control enabled by military
communications satellites, and the availability of space imagery intelligence
from the US. These technologies were not physically networked, but the potential
advantages in concentration of effort, synchronization of forces, surprise,
and lethality whet the appetites of military planners. It was a valuable
reminder to the British of the vital importance of information, both to conflict
prevention and to the conduct of war itself.
Not a decade later in 1991, by expelling Iraqi forces from Kuwait, the US
showed the world what was possible with technological superiority, driven
by the microprocessor. Royal Air Force aircraft were controlled from Airborne
Warning and Control System (AWACS) aircraft in the air over the Gulf and
connected electronically via secure digital data links. UK Royal Navy warships
were linked to their Maritime Commander in Theatre and to Headquarters back
in the UK via satellite communications. The satellites themselves, the UKs
Skynet 4 constellation of three geosynchronous communication satellites,
were controlled by the Royal Air Force at 1001 Signals Unit at RAF Oakhanger
in Hampshire, England. One of the satellites was re-positioned in orbit to
provide better coverage of the Gulf region.
The British Army headquarters in the field enjoyed reach-back
communications to the UK via satellite and was able to employ its Ptarmigan
radios to deliver some data, as well as voice communications. Given the media
frenzy over the technical wizardry of the Allies, one could be forgiven for
thinking that in an instant, Cold-War doctrines had been abandoned and western
militaries had all become post-modern manoeuvrists. Yet, as it happened,
the UK military in the Gulf was able to achieve its objectives without abandoning
the fundamental principles of its most classical doctrine. Continuity was
shown to be as important as change. The post-war quest for improvement then
centered on the need to synchronize forces electronically, to exploit information
to deliver increased precision, surprise and concentration, and also to pay
for the investment necessary by reductions in mass elsewhere. The seeds were
sown for what became known as the UKs Network Enabled Capability
(NEC), which was strongly analogous to Network Centric Warfare (NCW)
in the US.
British military commanders were becoming ever more reliant on connecting
to secure, networked command, control, and intelligence channels. This required
connectivity to information systems from the planning headquarters to the
foxhole and huge increases in required bandwidth to accommodate the growth
in demand for information services. But in the 1990s, the expectation of
a post-Cold War peace dividend delivered its own strategic
paradox.871 The goals of modernization and capability uplift would
have to be accomplished under increasing pressures both on finances and the
front-line strength of the British military.
In terms of conceptual development, the works of American futurists, like
Alvin and Heidi Tofflers War and Anti War,872 were
studied in British Staff Colleges and assisted in a re-evaluation of how
Britains forces were equipped, trained, and directed in battle. Yet,
in typical and peculiarly British fashion, the impetus for change resulted
far less from the evangelical drive of the new gurus of the information age
and much more from the need to craft business cases that would pass rigorous
financial scrutiny at the Ministry. Following the introduction of the New
Management Strategy in the early 1990s, the government pushed new cost-cutting
initiatives, known variously as Options for Change and
Front-Line First.873 These ventures were, in part,
designed to adapt UK forces to the needs of a post Cold-War world. They provided
for delegated budgets, but also demanded significant efficiency savings including
substantial manpower reductions and restructuring. Any proposed increase
in capability, such as the networking of systems and functions, had to produce
a net reduction in the defense budget. This meant the potential cutting of
other capabilities and the challenging of traditions of the Services. Moreover,
it set the conditions for every budget holder to establish and run separate,
stove-piped874 information networks and systems, without any of
the higher governance that would be needed to integrate their functionality.
The British involvement in the Balkans during the mid-1990s was too soon
after the Gulf War for the UK to have benefited from a significant growth
in its cyber capabilities. However, these operations cemented the British
view of the need for expeditionary military capability, with the ability
to execute complex operations using a lighter, more agile force structure.
This agility and responsiveness would rely on expert intelligence and
increasingly, networked command, control, and situational awareness.
Modern, Agile, Capable Forces: Organizing to Exploit Cyber
The 1998 Strategic Defence Review (SDR)875 provided the policy
framework for modernization. It also provided centralization through joint
organizations to fund capability from a joint budget at MOD and direct all
expeditionary military operations from the new Permanent Joint Headquarters
(PJHQ). In some ways, this was a mirroring of the Goldwater Nichols Act in
the US (although the US retained Title 10 funding through individual Service
channels). Another trans-Atlantic reflection was the creation of the Defence
Communications Services Agency (DCSA) on 1 April 1998. The DCSA was very
similar in character and constitution to the Defense Information Services
Agency (DISA) in the US. Led by a military two-star, Major General Tony Raper,
from the outset the DCSA comprised military, civil service, and contractor
staff. One of its most important features was the Global Operations Security
and Control Centre (GOSCC), whose mission was to direct and control end-to-end
information services for defense users worldwide, 24/7.
Within the GOSCC, the Defence Computer Incident Response Team (DCIRT) was
formed to execute the Computer Network Defense (CND) mission for the MOD.
This joint, military-led team included engineers, computer technicians, military
police, and an active duty Major exchange officer from the USAF, positioned
so that the UK could maintain a strong awareness of tactical cyber developments
in the US military. In the same year, the government also introduced an updated
Data Protection Act,876 mandating formal governance over all personal
information held on electronic systems in the UK.
Further information security support was provided by the Joint Security
Co-ordination Centre (JSyCC) at MOD headquarters in London. This organization
provided information security threat assessments and security incident
investigations. It also established the nations first Warning, Advice,
and Reporting Centre (WARP) structure that was later adopted across the UK
to assist in the protection of the Critical National
The formation of the DCSA and creation of a central MOD Directorate for the
procurement of all Information Systems created the conditions to standardize
the Departments information architecture and provide both the efficiencies
and operational benefits of common service management. These benefits also
included improved and more direct accountability for cyber security. Significant
defense programs delivered the foundational defense cyber architecture. These
comprised the Defence Information Infrastructure (DII),878 which
brought nearly all MOD computer users onto a single service-managed
infrastructure; Skynet 5, which provided cutting-edge military satellite
capabilities under a Private Finance Initiative contract;879 and
the Defence Fixed Telecommunications System (DFTS), which replaced nineteen
existing telecommunications networks to provide the fixed telecommunications
infrastructure.880 It was the UK MOD way of delivering the spirit
of the 1996 US Clinger Cohen Act,881 but without the formality
of national legislation and stringent congressional/governmental
As the DCIRT began to assert its influence, it became clear just how many
disparate information system architectures existed across the MOD and its
connected civilian partners. With the growth of the public Internet and the
increasing need routinely to access both webpages and commercial email from
the military desktop, the military/government infosphere was extending far
beyond its previous borders. It therefore became vital to fully understand
the vulnerabilities presented end-to-end across the military intranet. A
major initiative entitled Establish the Baseline was launched
across the MoD to discover the configuration of defense networks and the
connectivity that existed to other systems. The early results were sobering,
reflecting the piecemeal development of information capabilities over nearly
two decades of devolved budgetary responsibility and precious little central
governance. Additionally, it highlighted the need to pay significant attention
not just to external threats, but to the behaviors and practices of the
MODs own users and service providers.
The threat posed by the product of system vulnerability and the capability
and intent of adversaries at last began to appear as risks on military and
government risk registers. Accordingly, this improved focus on cyber security
was further enhanced by the appointment of a MOD Chief Information Officer
(CIO), Mr. John Taylor, as both the Chief of Defence Staffs Chief
Information Advisor and Senior Information Risk Owner (SIRO). CIOs were created
across government departments, and communities of interest were generated
to share their growing knowledge and experience. These contacts also extended
to the 5-eyes military community of the US, Canada, Australia,
the UK, and New Zealand, enabling improved interoperability, information
sharing and the opportunity to accelerate the understanding of cyber issues.
A key issue of coordination, particularly if any nation intends to do more
than just defend its networks, is cyber equities. For example, an agency
wishing to exploit a vulnerability in a network to undertake intelligence
operations is potentially denying the opportunity for defenders to correct
vulnerabilities in their own networks. The reverse-engineering of security
updates highlights vulnerabilities that may or may not have previously been
understood. With this knowledge, there is a balance to be struck between
securing vulnerabilities and allowing them to remain for potential exploitation.
This is a problem made much more complex when making the assessment at a
national level and across a broad critical national infrastructure. In 2005,
the MOD set up an equities forum with GCHQ to investigate how such assessments
could be made and to provide the basis for any necessary coordination. Such
discussions and the development of frameworks for risk assessment would become
important elements of future national and international collaboration efforts.
Shaping the Cyber Awakening - the Importance of the Most Unremarkable of
Britain is quite happy to learn its lessons vicariously, hence the attention
it pays to the pioneering efforts of its closest allies. Policymakers have
closely observed events such as the Titan Rain exfiltration of data from
the US NIPRNET; the GhostNet infiltrations of Western systems; Estonia in
2007 suffering Distributed Denial of Service (DDOS) attacks from Russian
patriot hackers, Georgia in 2008, and the use of the Stuxnet
Worm to attack precisely-targeted SCADA systems in Iranian nuclear facilities.
These events demonstrate the increasing sophistication and depth of penetration
possible with cyber attack. However, it is also becoming clear that while
the character of conflict in cyberspace changes with sophistication and
encourages some observers to make extraordinary claims about the catastrophic
potential of cyber power, the essential nature of conflict is the same, whether
it be in cyberspace or any other domain.883 A prudent response
to the evolving story of cyber conflict would therefore involve critical
observation, openness, and the ability to discern the new from the familiar.
Nevertheless, several cyber-related incidents in the UK have pricked the
consciousnesses of the policy elite, and a few of these will be discussed
A prescient reminder that the design and therefore vulnerabilities of the
Internet are man-made came in the guise of the Y2K bug. As revelers
celebrated the passing of the Millennium, Information and Communications
Technology (ICT) providers, the UK military, and critical infrastructure
providers were rather nervously attending to their networks and services,
to ensure that suspected anomalies with computer clock functions did not
result in embarrassing, or worse-yet, catastrophic system failures as the
clocks ticked past midnight. The new Millennium passed without any of the
feared issues arising,884 but several salutary lessons were learned.
The first was the need for a better understanding of the physical and logical
architecture of our information systems, their vulnerabilities, and how network
risks manifested themselves within a system of systems. The second was the
need to identify and organize business continuity efforts across the government,
the military, and what became defined as the Critical National Infrastructure.
Thirdly, it directed attention to the differences in age, operating systems,
configuration, and patch status (and by implication, quality of husbandry)
across information systems supporting key UK functions. Ironically, the Y2K
experience also served to increase the skepticism of business leaders and
heads of government concerning their IT departments and to increase the profile
of the CIO on the governing boards of both government and industry.
In early 2003, as the Lovgate computer virus spread across the
globe,885 a number of MOD systems were infected. Lovgate spread
rapidly. It reproduced by sending email messages which masqueraded as a reply
to the victim and by copying itself to shared network folders. MOD technicians
spent more than four weeks isolating and cleaning computer systems across
30 sites. The report on the incident concluded that the worm was probably
introduced onto its systems by a single user, who infected an MOD computer
by inserting a floppy disc.886 The Lovgate virus presented a low-level
risk and although there was no operational impact and no mission-critical
systems were affected, this was the first major infection to be spotted and
responded to by the DCIRT. It was a wake-up-call for the leadership. Senior
officers were alarmed by the apparent vulnerability of a MOD system. But
the response of the DCIRT provided the organization with added credibility.
The incident also resulted in questions in Parliament and a focus on the
ability of the National Infrastructure Security Co-ordination Centre to protect
the Nations Critical National Infrastructure.
One morning in May 2005, rumors circulated within the UK Permanent Joint
Headquarters that the computers in MOD HQ had crashed due to an Amarillo
Virus spreading across its primary computer system. With Britain supporting
concurrent missions in Iraq and Afghanistan, the inability to exchange data
such as emails with MOD HQ was of immediate concern and prompted swift
investigation. What transpired was not a virus. The mail server had crashed
due to a funny video attachment to an email that was going viral
around the staff of the HQ, as it was being sent between friends and
colleagues.887 The actions of the MODs own staff had in-effect
created a self-imposed denial of service attack on the email system. Once
it was understood what was happening, it took very little time to restore
the system to normal functioning, but several key lessons resulted.
The description of this incident as a virus attack implied a cyber attack.
Although it clearly had nothing to do with malevolent software or an attack
from an outside threat vector, the effect on service availability
was essentially the same. The system managers blocked the video clip from
email messages and moved it to an intranet website, so that users could see
it without affecting the overall performance of the system. Had there had
been a facility for the user to save the file as a video clip on a military
website and then send a hyperlink in the email (and not the document itself),
the email servers would not have been overloaded, and the incident could
have been avoided. This underlined the importance of robust information
management for cyber operations and the need both to provide more facilities
to users and to educate them on how to avoid practices that could disrupt
information services. The infamous military sense of humor was both demonstrated
and tested that day: additionally, cyber incidents and information management
were shown to be unusual but unavoidable bedfellows.
On 9 January 2008, a Royal Navy recruiters laptop was stolen from the
trunk of his car parked in Birmingham, England. Though the device did not
contain any classified information, it held the unencrypted personal details
of more than 600,000 people. Regrettably, this was not the first embarrassing
loss of UK government data. Sir Edmund Burton was commissioned to report
on the circumstances surrounding the incident and to recommend appropriate
action. Though the incident investigation focused on a lack of adherence
to the Data Protection Act, the report criticized the MOD for failing to
treat information as a strategic asset and asked probing questions about
the governance of information risk.888
In January 2009 and despite the repeated issue of warnings to update system
software patches, the MOD, and the RAF in particular, was hit by the Conficker
virus.889 The response required the deployment of technicians
from the Royal Air Force 90 Signals Unit to the affected units and the
expenditure of an estimated 10,000 hours of technical effort.890
Governance systems and warning information remained up-to-date throughout,
and importantly, no mission critical systems were infected. But the incident
underlined the potential disruption that could result from even the most
simple of infections, the importance of rigorous standards of system management,
and the necessity to retain expertise in depth and to surge it to problem
areas where needed.
The thread of continuity that runs through these incidents is the personnel
involved. A small cadre of engineers, police, policymakers, intelligence
analysts, and procurement officers were learning these lessons under the
purview of an increasingly interested senior leadership team. These same
personnel are now in the Cabinet Office, GOSCC, DCIRT (now called the Joint
Cyber Unit (JCU) in Corsham), the Defence Cyber Operations Group in MOD HQ,
exchange posts with the US Armed Forces, CIO functions, and service provider
organizations across the Government.
Who is in Charge Now? Central Government Steps Up
The absence of a cyber Pearl Harbor in the UK may well have
contributed to the relatively piecemeal development of its early capabilities
and structure, but it has also allowed the dominant narrative of cyberspace
in the UK to be one of economic growth and social communication (on the upside)
and of organized crime (on the downside). The 2009 Cyber Security
Strategy891 established the Office of Cyber Security (OCS) at
the heart of the UK Governments power (within the UK Cabinet Office).
Its early objectives were to secure the UKs advantage in cyberspace
by reducing the risks of usage, exploiting opportunities, and improving knowledge
capabilities and decision making. Strategic leadership and maintaining
cross-governmental coherence were the tasks of the OCS. Another organization,
the Cyber Security Operations Centre (CSOC), was established to conduct national
monitoring and assessment, and to provide outreach across government departments
to the nine sectors defined as forming the Critical National Infrastructure
(CNI), as well as more broadly to industry. A 2011 Chatham House Report on
Cyber Security and the UKs Critical National
Infrastructure892 criticized the government for the lack of
productive coordination that had developed between government and the elements
of the CNI since the crafting of the strategy. Most worryingly, the
reports research reflected high levels of ignorance and even an
unwillingness to engage, among a significant proportion of the CNI organizations
canvassed. The OCS continued to take the threat seriously and in November
2011, it issued a renewed Cyber Security Strategy that went beyond the
establishment of organizations to the appointing of specific lead agents
and to implementing actions across government departments.893
In a perfect reflection of the awakening that occurred at the MOD, the OCS
also recognized the same umbilical connection between cyber security and
the strategic value of information. Hence, the OCS re-named itself the Office
of Cyber Security and Information Assurance (OCSIA). Importantly, the OCSIA
was appointed as the national strategy lead for cyber, and also was handed
the responsibility both to understand and to balance the opportunities and
threats presented by cyberspace.
The OCSIA has the task of allocating the £650 million of new money that
the government has provided for the nations cyber security to 2015.
This and a fast-track route to the agenda of the National Security Council
provide it with considerable political power. It has set itself four objectives
to achieve by 2015: to tackle cyber crime and for the UK to be one of the
most secure places in the world to do business in cyberspace; for the UK
to be more resilient to cyber attacks and better able to protect its interests
in cyberspace; for the UK to have helped shape an open, stable, and vibrant
cyberspace, which the UK public can use safely and that supports open societies;
and for the UK to have the cross-cutting knowledge, skills, and capability
it needs to underpin all of its cyber security objectives.894
The Accelerating Challenges of Future Cyberspace
With organizations, structures, and governance processes established under
the apex of central government and with the cadre of UK cyber professionals
improving their ability to make sense of and determine a path through the
current cyber maze, Britain has established its cyber foundations. However,
it has yet to have its pedigree tested by a major disruptive cyber attack.
Exercises provide an opportunity to improve cross-domain collaboration. These
need to be extended where possible to the CNI and beyond. The planning and
execution of pivotal national events, such as the London 2012 Olympics and
Paralympics have provided ideal opportunities to develop norms of behavior,
set standards, and learn lessons. The knowledge gained can be shared with
the CNI, industry, and the public using mechanisms such as the UKs
Cyber Security Hub.895
Meanwhile, the constitution and uses of the Internet will continue to develop
at break-neck speed. Many of the future innovations of cyberspace will be
unanticipated. However, it is also possible to see significant challenges
looming from the developments that are already apparent, though these are
in their infancy. Mobile working is likely to increase significantly over
the coming years, demanding ever-more wireless connectivity and raising questions
about issues such as wireless encryption, identity management, and attribution.
The current trend towards cloud computing represents a potentially significant
challenge in the area of data protection and integrity. What has become known
in some circles as the Internet of things poses a number of security
issues, as uses of many items in the physical domain rely on cyberspace for
their core functionality. For example, the government must understand and
be able to legislate over the difference between a smart meter that controls
the gas and electricity in a home and the potential functionality that such
a device might afford as a cross-domain weapon. New and more sophisticated
computing devices and technologies, such as bio-computing and nanotechnology,
might not only revolutionize existing processes and capabilities, but also
spawn completely new technologies and capabilities.
One of the themes of this chapter is the broadening of skills and experience
needed to craft an appropriate strategy for cyberspace. Polymath expertise
may be desirable, but it is clear that the basic mix of ingredients in any
cyber policy unit now includes people with engineering, police, legal, finance,
and business expertise; members from academia and training experts; military
strategists; and even social anthropologists. Bringing this breadth of talent
to bear on the issue of cyber strategy is a challenge akin to managing the
creative explosion accomplished under the Medicis in Renaissance Florence.
The legal maze surrounding cyberspace only adds to the policy makers
woes. Legislation has tended to lag behind technologys advancements,
and the UK government has espoused an ambition to make illegal on-line what
is illegal off-line. Nonetheless, the power of any nation to take action
against wrongdoers has its primacy in law. Where there is a time lag between
the technical opportunity presented by cyberspace technology and the legal
rules with which to govern that, undesirable behavior should be expected.
Careful prioritization of the legislative effort and the development of a
framework that allows technological opportunity to be balanced with the need
to ensure that formal justice can be applied to malevolent cyber behaviour,
are likely to remain core functions of governance in cyberspace.
Meanwhile, the gaps between cyber capability and legislation, and the continued
low costs of entry will mean that the threat of cyber crime is only likely
to worsen in the coming years. Thus, the relative importance of organizations
such as the Police Electronic Crime Unit (PECU) and the Serious Organised
Crime Agency (SOCA) is sure to grow, especially regarding their ability to
operate and collaborate across national borders. Progress made on security
and governance within sovereign borders is only likely to be as effective
as the measures that can be put into place internationally to encompass the
whole domain. The UK Foreign and Commonwealth Office (FCO) has also taken
steps to provide international leadership in cyber issues. In November 2011,
the FCO hosted an international conference in London896 aimed at promoting
and protecting the positive benefits of the Internet for all. As an originator
and signatory of the Council of Europes Budapest Convention on Cybercrime,
the FCO has been shaping the agenda for the 2012 Budapest Conference, entitled
With Trust and Security for Freedom and Prosperity. The Convention
aims to promote capacity development, security, and the free use of cyberspace
through close and practical cooperation between the private sector and
government, as well as through more efficient cooperation between regional
The UK has developed a strong pedigree in cyberspace. Some of what UK experts
know of this new medium, they have learned from the inventions of the Industrial
Revolution and the necessities of war. Amid the rapid expansion of the Internet,
international e-commerce, and cybered events beyond its borders, Britain
is also learning from the experiences of others. But the nations long
history of developing information technologies and applying them innovatively
to national problems in financial austerity has shaped the attitudes and
approach taken by its policymakers. The UKs curious mix of engineering,
police, military, bureaucratic, business, intelligence, legal, and political
talent has wrestled against its own stovepipes of excellence,
and has developed a vision of cyberspace that it is both absent of the rhetoric
of cybergeddon and balanced between the perceived benefits of
cybers use and the vulnerabilities this creates.
Our vision is for the UK in 2015 to derive huge economic and social value
from a vibrant, resilient and secure cyberspace, where our actions, guided
by our core values of liberty, fairness, transparency and the rule of law,
enhance prosperity, national security and a strong society.898
As Britain ventures increasingly into the new domain of cyberspace, another
history is in the makingone that must be charted, questioned, interpreted,
and assimilated. But time is the least forgiving dimension of strategy,899
and the race to a cyber future is already well underway. The nefarious users
of cyberspace appear to have stolen a lead. We broadly understand who is
on the same team, but struggle to understand or even to see the competition.
The rules by which we play are understood, but they certainly are not followed
by all. Maybe genuine proactivity is too much to ask of our governments at
this stage, but working together is not. Ultimately, we need to ask what
it is to win in cyberspace and to ensure that we act so as to
remain in the race. Perfection is the enemy of good enough. While
we may know just how far we have come, we still have to discover what good
enough really means.
Notes [Citations in Notes:
858 Group Captain Shaun Harvey is a serving British Royal Air Force officer
and a Chief of the Air Staff Fellow. Over his 23 year career to date, he
has served as a communications engineer, satellite operator, military planner,
and staff officer including an appointment in the Defence Cyber Security
Programme. He has also worked as an Exchange Officer with the United States
Air Force, running a Division of the Air Staff in the Pentagon. He has an
MBA and an MA in Defence Studies, and has just completed an MPhil with Professor
Colin Gray at Reading University, where his thesis was on the application
of strategy to the issues of cyber power. The views offered in this chapter
are those of the author and do not necessarily represent those of the UK
Ministry of Defence or the Royal Air Force
859 The website of Professor Kevin Warwick can be accessed at
860 Cabinet Office. The UK Cyber Security Strategy.
861 Cabinet Office. Cyber Security Strategy of the United Kingdom.
862 A Strong Britain in the Age of Uncertainty: The National Security Strategy
863 Securing Britain in an Age of Uncertainty: The Strategic Defence and
864 The UK Cyber Security Strategy.
865 For a comprehensive account of GCHQs history, see Aldrich, GCHQ:
The Uncensored Story of Britains Most Secret Intelligence Agency.
866 William Gibson, Neuromancer (London: Harper Collins, 1995).
867 Colossus was built by Tommy Flowers, a brilliant Post Office engineer.
It was successful in cracking the Lorenz ciphers of the Nazi High Command.
Its first upgrade was working in time to help Eisenhower and Montgomery to
be sure that Hitler had swallowed the bait from the deception campaigns prior
to D-Day (June 6, 1944). There were eventually ten working Colossus machines
at Bletchley Park. Further details can be found at: Colossus Rebuild
868 Michell, A History of Networks, 11.
869 The 1945 Proposal by Arthur C. Clarke for Geostationary Satellite
870 Privatisation of British Telecom (1984).
871 For an excellent exposition on the paradoxical logic of strategy, see
Edward N. Luttwack, Strategy: the Logic of War and Peace (Cambridge, MA:
Harvard University Press, 1987).
872 The Tofflers were among the first to herald and examine the idea of
information wars for an information age. See Toffler and Toffler, War and
873 For useful background on the changes in UK Government Defence Policy
in the 1990s, see Taylor, The Defence White Paper, 7-14.
874 In this chapter, a stove-pipe or stove-piping
refers to a structure, organization, or activity that is pursued in isolation
from other activities that could reasonably be expected to be interconnected.
This behavior often results in un-coordinated outcomes and problems with
875 Strategic Defence Report.
876 An Act to make new provision for the regulation of the processing of
information relating to individuals, including the obtaining, holding, use,
or disclosure of such information - July 1998.
877 A description of the WARP and how it applies to the Critical National
Infrastructure can be found at: Center for the Protection of National
Infrastructure. WARP Background.
878 Details of the DII contract can be found at: Atlas Consortium, About
the DII Programme.
879 Skynet 5 is contracted for availability and provides satellite services
for military users world-wide. It is delivered by Paradigm Services, with
deployed manpower provided by the military. Paradigm Services by Astrium,
Skynet 5 Has the World Covered with Secure, Flexible, and Pinpoint
880 Baddeley, DFTS: a Defence-Wide System.
881 The Clinger-Cohen Act (CCA) of 1996, also known as the Information Technology
Management Reform Act, established in law the posts of Chief Information
Officers (CIOs) for all Federal Agencies. CIOs were made responsible for
developing, maintaining, and implementing sound and integrated IT architectures.
The CCA introduced congressional governance to the efficiency and
interoperability of existing and future IT investment. The Clinger-Cohen
Act (CCA) of 1996.
882 Government Ministers are accountable to Parliament for the performance
and activities within their ministry. In addition, the National Audit Office
provides financial scrutiny of MOD procurement.
883 For an excellent description of the objective nature of war, see Gray,
Another Bloody Century: Future Warfare, 291-330.
884 Y2K Bug Fails to Bite.
885 See Symantec, Report on Lovgate.
886 Single User Costs MoD £10 million after allowing Worm onto
887 Amarillo Video Crashes MoD PCs.
888 Burton, Report into the Loss of MOD Personal Data.
889 Willsher, French Fighter Planes Grounded by Computer Virus.
890 Interview between the author and the Commanding Officer, 90 Signals Unit,
RAF 23, March 2012.
891 Cabinet Office, Cyber Security Strategy of the United Kingdom.
892 Cornish, et al., Cyber Security and the UKs Critical National
895 Ibid., 28.
896 UK Foreign and Commonwealth Office, Cyberspace: Cyber Security.
897 Budapest Conference on Cyberspace 2012.
898 Cabinet Office, The UK Cyber Security Strategy: Protecting and Promoting,
899 Gray, Fighting Talk: Forty Maxims on War, Peace and Strategy, 70-73.
1945 Proposal by Arthur C. Clarke for Geostationary Satellite
Communications, The. Lakdiva.org. Accessed October 11, 2012.
Aldrich, Richard. GCHQ: The Uncensored Story of Britains Most
Secret Intelligence Agency. New York: Harpercollins, 2010. A Strong
Britain in the Age of Uncertainty: The National Security Strategy. Government
of the United Kingdom. London: The Stationery Office, October 2010. Accessed
March 19, 2013.
Atlas Consortium About the DII Programme. Accessed March 19,
Amarillo Video Crashes MoD PCs. BBC.co.uk. May 17,
2005. Accessed September 5, 2012.
Baddeley, Adam. DFTS: a Defence-Wide System. Defence Management
Journal 31 (December 2005). Accessed March 19, 2013.
Budapest Conference on Cyberspace 2012. Hungarian Government
Ministry of Foreign Affairs. August 9, 2012. Accessed September 10, 2012.
Burton, Edmund. Report into the Loss of MOD Personal Data. Ministry
of Defence. April 30, 2008. Accessed March 19, 2013.
Cabinet Office. Cyber Security Strategy of the United Kingdom: Safety, Security
and Resilience in Cyber Space. London: The Stationery Office, 2009. Accessed
March 19, 2013.
Cabinet Office. The UK Cyber Security Strategy: Protecting and Promoting
the UK in a Digital World. November 2011. Accessed March 19, 2013.
Center for the Protection of National Infrastructure. WARP
Background. Warp.gov.uk. Accessed March 19, 2013.
Clinger-Cohen Act (CCA) of 1996, The. DoD CIO Desk Reference:
Volume 1 Foundation Documents. Department of Defense Chief Information Office.
August 2006. Accessed March 19, 2013.
Colossus Rebuild Project. Bletchlypark.org. Accessed March 19,
Cornish, Paul, David Livingstone, David Clemente, and Claire Yorke. Cyber
Security and the UKs Critical National Infrastructure. London: Chatham
Cyberspace: Cyber Security. UK Foreign and Commonwealth Office.
Accessed October 28, 2012.
Gray, Colin S. Another Bloody Century: Future Warfare. London: Phoenix, 2005.
Gray, Colin S. Fighting Talk: Forty Maxims on War, Peace and Strategy. Washington
D.C: Potomac Books, 2009.
Luttwack, Edward N. Strategy: the Logic of War and Peace. Cambridge, MA:
Harvard University Press, 1987.
Michell, Simon. A History of Networks. In NEC: Understanding
Network Enabled Capability, edited by Simon Michell, 42-45. London: Newsdesk
Communications, Ltd., 2009. Accessed March 27, 2013.
Privatisation of British Telecom (1984), The. In The S
Factors: Lessons from IFGs policy success reunion, edited by Jill Rutter,
Edward Marshall, and Sam Sims, 45-59. Institute for Government. January 2012.
Accessed October 11, 2012.
Securing Britain in an Age of Uncertainty: The Strategic Defence and Security
Review. Government of the United Kingdom. London: The Stationary Office,
October 2010. Accessed March 19, 2013.
Single User Costs MoD £10 million after allowing Worm onto the
Network. Computer Weekly. June 8, 2004. Accessed May 26, 2009.
Skynet 5 Has the World Covered with Secure, Flexible, and Pinpoint
Accurate Communications. Paradigmsecure.com. Accessed March 19, 2013.
Strategic Defence Report. Presented to Parliament by the Secretary
of State for Defence by Command of Her Majesty, July 1998. Accessed March
Symantec, Report on Lovgate. Accessed April 24, 2013.
Taylor, Claire. The Defence White Paper. Research Paper 04/71.
House of Commons Library. September 17, 2004. Accessed March 19, 2013.
Toffler, Alvin and Heidi Toffler. War and Anti-War: Survival at the Dawn
of the 21st Century. New York: Little Brown & Co., 1993.
UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital
World, The. London: Cabinet Office, November 25, 2011. Accessed March 27,
W32.HLLW.LOVEGATE.C@MM. Symantec.com. Updated February 13, 2007.
Accessed March 19, 2013.
Willsher, Kim. French Fighter Planes Grounded by Computer Virus.
The Telegraph, February 7, 2009. Accessed March 19, 2013.
Y2K Bug Fails to Bite. BBC.co.uk. January 1, 2000. Accessed March