Donate for the Cryptome archive of files from June 1996 to the present

20 November 2013

How the UK Developed Its Approach to Cyber

A Fierce Domain: Conflict in Cyberspace 1986 to 2012. Jason Healy, Editor. Cyber Conflict Studies Association. 2013.

[Excerpted chapter]

Unglamorous Awakenings: How the UK Developed Its Approach to Cyber

Group Captain Shaun Harvey RAF858 [Notes]

Britain is quietly proud of its heritage in cyberspace. If evidence is needed, one need only look at the billing given to the inventor of the World Wide Web, Sir Tim Berners-Lee, at the opening ceremony of the London 2012 Olympics. Since the mid-nineteenth century, in producing such British visionaries as Charles Babbage, who conceived of the first computer, or William Fothergill Cooke and Charles Wheatstone, who developed Britain’s own telegraph system, the UK has been at or close to the forefront of employing information and its supporting technologies for national ends. Today, Britain has a thriving technology sector, a population that has embraced a parallel digital existence, and even the world’s first human cyborg in the shape of Professor Kevin Warwick.859 The Nation’s military power relies heavily on Network Enabled Capability to provide the leverage and flexibility it needs to deliver its international security contribution. The UK’s diplomatic prowess is vested heavily in information, via public diplomacy and the soft power projection of national values. Moreover, 21 percent of GDP growth in the UK is attributed to Internet technologies. London is a core hub of Internet connectivity, and with an estimated 6 percent of the nation’s GDP resulting from e-commerce,860 the UK is increasingly alive to both the opportunities and vulnerabilities presented by cyberspace. Thus, Britain can still claim to be at the vanguard of the information revolution.

In 2009, the Cabinet Office produced the first UK National Cyber Strategy,861 and thereafter, the National Security Strategy in 2010 identified hostile attacks upon UK cyberspace by other states and large-scale cyber crime as a Tier 1 National Threat.862 The Strategic Defence and Security Review of 2010863 provided £650 million of investment over four years and established cyber security as a programme at the heart of government.864 This chapter will describe some of the events that have led to the gentle awakening of the UK’s cyber consciousness. It has been written primarily from a UK MOD perspective because of the size, complexity, and cyber-dependency of that organization. Nonetheless, it will be shown that at each juncture, wider issues than those first apparent were at play, forcing the view of cyberspace to become ever more holistic. The evidence presented in this chapter will show that, rather than employing a deliberate strategy, the UK government’s journey through cyber conflict has emerged from a holistic approach to information issues, operational lessons, the exigencies of government reorganization, budget cuts, and the occasional moment of serendipity. Nonetheless, the end result has allowed Britain to take its seat at the international cyber top table, at the right hand of the US.

There is very little in the public domain about UK government cyber security incidents, either concerning evidence that exposes vulnerabilities, current operational techniques, or developing capabilities. This information rightly remains classified. Indeed, the unsung heroes of UK cyber operations are, with little doubt, the men and women of the Government Communications Headquarters (GCHQ) in Cheltenham. Regrettably, recent stories of GCHQ’s exploits must remain unsung.865 However, there is much that we can learn from the approach the UK military has taken to the lower-level problems of cyberspace. These are developments that can be mapped largely to the responses of the burgeoning cyber community to even seemingly innocuous incidents and opportunities.

This chapter will describe a brief history of the UK’s involvement in cyberspace. It will chart some of the early pioneering technologies and the uses to which the UK put them, highlighting the historical importance of information to Britain’s national interests. It will then show how in the years following the end of the Cold War, Britain attacked the combined challenges of modernizing its Armed Forces and making reductions in its defense budget. Also to be examined are the topics of how this dilemma shaped the approaches of British policymakers; and how a philosophy of pragmatism, broadly inspired innovation, and the ability to “make do” have created the governance structures, practices, and institutions that constitute the UK’s response to the cyber security question. It is not yet possible to publish any details relating to major UK operational cyber activities. However, many of the events that have shaped the thinking and approaches of the small cadre of personnel involved in protecting Britain’s interests in cyberspace are explored in the chapter. It is important to acknowledge just how much progress has been made in developing a UK Cyber Strategy that is genuinely cross-governmental. This chapter describes some of its key features and alludes to some of the challenges that are most likely to be faced in the next few years.

Before It Had a Name: the Early Evolution of UK Cyber

Long before William Gibson coined the phrase ‘cyberspace’ in his novel Neuromancer,866 the UK understood the value both of information and exploiting technology to maximise its value. The entrepreneurial spirit so crucial to Britain’s success throughout the Industrial Revolution also spawned important national information capabilities in intelligence and espionage. The Zimmerman Telegram in 1917, and later the extraordinary and successful efforts to decode the German UItra ciphers at Bletchley Park, not only pioneered the new world of signals intelligence, but also gave rise to the development of one of the world’s first computers, in the form of Colossus.867 Information was established firmly as a strategic asset. Coincidentally, knowledge was (and still is) viewed as power, and with the ‘need to know’ principle in full force, the culture was set to establish stove-pipes of excellence across government.

In 1940, the early use of Radar technology and the development of a network of Royal Observer Corps aircraft spotters informing command and control at Group Headquarters were vital contributors to the success of the Royal Air Force in the Battle of Britain.868 After World War II, Flight Lieutenant Arthur C. Clarke’s discovery of geosynchronous space orbits869 made possible the global telecommunications revolution that would follow. In the years of the Cold War, Britain developed further capabilities in its military and civilian telecommunications sectors, but the greatest progress was state-led. Then with the privatization of British Telecom in 1984,870 market-driven commercial pressures were applied to the British Telecommunications industry. This also accelerated the transition to the private sector leading the public in technological development. In 1982, the UK was first surprised and then stretched to the geographical limits of its reach by the Falklands War. Britain’s victory was hard fought, but its military success was significantly aided by new “smart” weapons, such as the latest version of the US air-to-air “Sidewinder” heat-seeking missile, secure command and control enabled by military communications satellites, and the availability of space imagery intelligence from the US. These technologies were not physically networked, but the potential advantages in concentration of effort, synchronization of forces, surprise, and lethality whet the appetites of military planners. It was a valuable reminder to the British of the vital importance of information, both to conflict prevention and to the conduct of war itself.

Not a decade later in 1991, by expelling Iraqi forces from Kuwait, the US showed the world what was possible with technological superiority, driven by the microprocessor. Royal Air Force aircraft were controlled from Airborne Warning and Control System (AWACS) aircraft in the air over the Gulf and connected electronically via secure digital data links. UK Royal Navy warships were linked to their Maritime Commander in Theatre and to Headquarters back in the UK via satellite communications. The satellites themselves, the UK’s Skynet 4 constellation of three geosynchronous communication satellites, were controlled by the Royal Air Force at 1001 Signals Unit at RAF Oakhanger in Hampshire, England. One of the satellites was re-positioned in orbit to provide better coverage of the Gulf region.

The British Army headquarters in the field enjoyed ‘reach-back’ communications to the UK via satellite and was able to employ its Ptarmigan radios to deliver some data, as well as voice communications. Given the media frenzy over the technical wizardry of the Allies, one could be forgiven for thinking that in an instant, Cold-War doctrines had been abandoned and western militaries had all become post-modern manoeuvrists. Yet, as it happened, the UK military in the Gulf was able to achieve its objectives without abandoning the fundamental principles of its most classical doctrine. Continuity was shown to be as important as change. The post-war quest for improvement then centered on the need to synchronize forces electronically, to exploit information to deliver increased precision, surprise and concentration, and also to pay for the investment necessary by reductions in mass elsewhere. The seeds were sown for what became known as the UK’s “Network Enabled Capability (NEC),” which was strongly analogous to Network Centric Warfare (NCW) in the US.

British military commanders were becoming ever more reliant on connecting to secure, networked command, control, and intelligence channels. This required connectivity to information systems from the planning headquarters to the foxhole and huge increases in required bandwidth to accommodate the growth in demand for information services. But in the 1990s, the expectation of a post-Cold War peace dividend delivered its own strategic paradox.871 The goals of modernization and capability uplift would have to be accomplished under increasing pressures both on finances and the front-line strength of the British military.

In terms of conceptual development, the works of American futurists, like Alvin and Heidi Toffler’s War and Anti War,872 were studied in British Staff Colleges and assisted in a re-evaluation of how Britain’s forces were equipped, trained, and directed in battle. Yet, in typical and peculiarly British fashion, the impetus for change resulted far less from the evangelical drive of the new gurus of the information age and much more from the need to craft business cases that would pass rigorous financial scrutiny at the Ministry. Following the introduction of the New Management Strategy in the early 1990s, the government pushed new cost-cutting initiatives, known variously as “Options for Change” and “Front-Line First.”873 These ventures were, in part, designed to adapt UK forces to the needs of a post Cold-War world. They provided for delegated budgets, but also demanded significant efficiency savings including substantial manpower reductions and restructuring. Any proposed increase in capability, such as the networking of systems and functions, had to produce a net reduction in the defense budget. This meant the potential cutting of other capabilities and the challenging of traditions of the Services. Moreover, it set the conditions for every budget holder to establish and run separate, stove-piped874 information networks and systems, without any of the higher governance that would be needed to integrate their functionality.

The British involvement in the Balkans during the mid-1990s was too soon after the Gulf War for the UK to have benefited from a significant growth in its cyber capabilities. However, these operations cemented the British view of the need for expeditionary military capability, with the ability to execute complex operations using a lighter, more agile force structure. This agility and responsiveness would rely on expert intelligence and increasingly, networked command, control, and situational awareness.

Modern, Agile, Capable Forces: Organizing to Exploit Cyber

The 1998 Strategic Defence Review (SDR)875 provided the policy framework for modernization. It also provided centralization through joint organizations to fund capability from a joint budget at MOD and direct all expeditionary military operations from the new Permanent Joint Headquarters (PJHQ). In some ways, this was a mirroring of the Goldwater Nichols Act in the US (although the US retained Title 10 funding through individual Service channels). Another trans-Atlantic reflection was the creation of the Defence Communications Services Agency (DCSA) on 1 April 1998. The DCSA was very similar in character and constitution to the Defense Information Services Agency (DISA) in the US. Led by a military two-star, Major General Tony Raper, from the outset the DCSA comprised military, civil service, and contractor staff. One of its most important features was the Global Operations Security and Control Centre (GOSCC), whose mission was to direct and control end-to-end information services for defense users worldwide, 24/7.

Within the GOSCC, the Defence Computer Incident Response Team (DCIRT) was formed to execute the Computer Network Defense (CND) mission for the MOD. This joint, military-led team included engineers, computer technicians, military police, and an active duty Major exchange officer from the USAF, positioned so that the UK could maintain a strong awareness of tactical cyber developments in the US military. In the same year, the government also introduced an updated Data Protection Act,876 mandating formal governance over all personal information held on electronic systems in the UK.

Further information security support was provided by the Joint Security Co-ordination Centre (JSyCC) at MOD headquarters in London. This organization provided information security threat assessments and security incident investigations. It also established the nation’s first Warning, Advice, and Reporting Centre (WARP) structure that was later adopted across the UK to assist in the protection of the Critical National Infrastructure.877

The formation of the DCSA and creation of a central MOD Directorate for the procurement of all Information Systems created the conditions to standardize the Department’s information architecture and provide both the efficiencies and operational benefits of common service management. These benefits also included improved and more direct accountability for cyber security. Significant defense programs delivered the foundational defense cyber architecture. These comprised the Defence Information Infrastructure (DII),878 which brought nearly all MOD computer users onto a single service-managed infrastructure; Skynet 5, which provided cutting-edge military satellite capabilities under a Private Finance Initiative contract;879 and the Defence Fixed Telecommunications System (DFTS), which replaced nineteen existing telecommunications networks to provide the fixed telecommunications infrastructure.880 It was the UK MOD way of delivering the spirit of the 1996 US Clinger Cohen Act,881 but without the formality of national legislation and stringent congressional/governmental oversight.882

As the DCIRT began to assert its influence, it became clear just how many disparate information system architectures existed across the MOD and its connected civilian partners. With the growth of the public Internet and the increasing need routinely to access both webpages and commercial email from the military desktop, the military/government infosphere was extending far beyond its previous borders. It therefore became vital to fully understand the vulnerabilities presented end-to-end across the military intranet. A major initiative entitled “Establish the Baseline” was launched across the MoD to discover the configuration of defense networks and the connectivity that existed to other systems. The early results were sobering, reflecting the piecemeal development of information capabilities over nearly two decades of devolved budgetary responsibility and precious little central governance. Additionally, it highlighted the need to pay significant attention not just to external threats, but to the behaviors and practices of the MOD’s own users and service providers.

The threat posed by the product of system vulnerability and the capability and intent of adversaries at last began to appear as risks on military and government risk registers. Accordingly, this improved focus on cyber security was further enhanced by the appointment of a MOD Chief Information Officer (CIO), Mr. John Taylor, as both the Chief of Defence Staff’s Chief Information Advisor and Senior Information Risk Owner (SIRO). CIOs were created across government departments, and communities of interest were generated to share their growing knowledge and experience. These contacts also extended to the “5-eyes” military community of the US, Canada, Australia, the UK, and New Zealand, enabling improved interoperability, information sharing and the opportunity to accelerate the understanding of cyber issues.

A key issue of coordination, particularly if any nation intends to do more than just defend its networks, is cyber equities. For example, an agency wishing to exploit a vulnerability in a network to undertake intelligence operations is potentially denying the opportunity for defenders to correct vulnerabilities in their own networks. The reverse-engineering of security updates highlights vulnerabilities that may or may not have previously been understood. With this knowledge, there is a balance to be struck between securing vulnerabilities and allowing them to remain for potential exploitation. This is a problem made much more complex when making the assessment at a national level and across a broad critical national infrastructure. In 2005, the MOD set up an equities forum with GCHQ to investigate how such assessments could be made and to provide the basis for any necessary coordination. Such discussions and the development of frameworks for risk assessment would become important elements of future national and international collaboration efforts.

Shaping the Cyber Awakening - the Importance of the Most Unremarkable of Incidents!

Britain is quite happy to learn its lessons vicariously, hence the attention it pays to the pioneering efforts of its closest allies. Policymakers have closely observed events such as the Titan Rain exfiltration of data from the US NIPRNET; the GhostNet infiltrations of Western systems; Estonia in 2007 suffering Distributed Denial of Service (DDOS) attacks from Russian “patriot hackers,” Georgia in 2008, and the use of the Stuxnet Worm to attack precisely-targeted SCADA systems in Iranian nuclear facilities. These events demonstrate the increasing sophistication and depth of penetration possible with cyber attack. However, it is also becoming clear that while the character of conflict in cyberspace changes with sophistication and encourages some observers to make extraordinary claims about the catastrophic potential of cyber power, the essential nature of conflict is the same, whether it be in cyberspace or any other domain.883 A prudent response to the evolving story of cyber conflict would therefore involve critical observation, openness, and the ability to discern the new from the familiar. Nevertheless, several cyber-related incidents in the UK have pricked the consciousnesses of the policy elite, and a few of these will be discussed below.

A prescient reminder that the design and therefore vulnerabilities of the Internet are man-made came in the guise of the “Y2K bug.” As revelers celebrated the passing of the Millennium, Information and Communications Technology (ICT) providers, the UK military, and critical infrastructure providers were rather nervously attending to their networks and services, to ensure that suspected anomalies with computer clock functions did not result in embarrassing, or worse-yet, catastrophic system failures as the clocks ticked past midnight. The new Millennium passed without any of the feared issues arising,884 but several salutary lessons were learned. The first was the need for a better understanding of the physical and logical architecture of our information systems, their vulnerabilities, and how network risks manifested themselves within a system of systems. The second was the need to identify and organize business continuity efforts across the government, the military, and what became defined as the Critical National Infrastructure. Thirdly, it directed attention to the differences in age, operating systems, configuration, and patch status (and by implication, quality of husbandry) across information systems supporting key UK functions. Ironically, the Y2K experience also served to increase the skepticism of business leaders and heads of government concerning their IT departments and to increase the profile of the CIO on the governing boards of both government and industry.

In early 2003, as the Lovgate computer virus spread across the globe,885 a number of MOD systems were infected. Lovgate spread rapidly. It reproduced by sending email messages which masqueraded as a reply to the victim and by copying itself to shared network folders. MOD technicians spent more than four weeks isolating and cleaning computer systems across 30 sites. The report on the incident concluded that the worm was probably introduced onto its systems by a single user, who infected an MOD computer by inserting a floppy disc.886 The Lovgate virus presented a low-level risk and although there was no operational impact and no mission-critical systems were affected, this was the first major infection to be spotted and responded to by the DCIRT. It was a wake-up-call for the leadership. Senior officers were alarmed by the apparent vulnerability of a MOD system. But the response of the DCIRT provided the organization with added credibility. The incident also resulted in questions in Parliament and a focus on the ability of the National Infrastructure Security Co-ordination Centre to protect the Nation’s Critical National Infrastructure.

One morning in May 2005, rumors circulated within the UK Permanent Joint Headquarters that the computers in MOD HQ had crashed due to an “Amarillo Virus” spreading across its primary computer system. With Britain supporting concurrent missions in Iraq and Afghanistan, the inability to exchange data such as emails with MOD HQ was of immediate concern and prompted swift investigation. What transpired was not a virus. The mail server had crashed due to a funny video attachment to an email that was “going viral” around the staff of the HQ, as it was being sent between friends and colleagues.887 The actions of the MOD’s own staff had in-effect created a self-imposed denial of service attack on the email system. Once it was understood what was happening, it took very little time to restore the system to normal functioning, but several key lessons resulted.

The description of this incident as a virus attack implied a cyber attack. Although it clearly had nothing to do with malevolent software or an attack from an outside “threat vector,” the effect on service availability was essentially the same. The system managers blocked the video clip from email messages and moved it to an intranet website, so that users could see it without affecting the overall performance of the system. Had there had been a facility for the user to save the file as a video clip on a military website and then send a hyperlink in the email (and not the document itself), the email servers would not have been overloaded, and the incident could have been avoided. This underlined the importance of robust information management for cyber operations and the need both to provide more facilities to users and to educate them on how to avoid practices that could disrupt information services. The infamous military sense of humor was both demonstrated and tested that day: additionally, cyber incidents and information management were shown to be unusual but unavoidable bedfellows.

On 9 January 2008, a Royal Navy recruiter’s laptop was stolen from the trunk of his car parked in Birmingham, England. Though the device did not contain any classified information, it held the unencrypted personal details of more than 600,000 people. Regrettably, this was not the first embarrassing loss of UK government data. Sir Edmund Burton was commissioned to report on the circumstances surrounding the incident and to recommend appropriate action. Though the incident investigation focused on a lack of adherence to the Data Protection Act, the report criticized the MOD for failing to treat information as a strategic asset and asked probing questions about the governance of information risk.888

In January 2009 and despite the repeated issue of warnings to update system software patches, the MOD, and the RAF in particular, was hit by the Conficker virus.889 The response required the deployment of technicians from the Royal Air Force 90 Signals Unit to the affected units and the expenditure of an estimated 10,000 hours of technical effort.890 Governance systems and warning information remained up-to-date throughout, and importantly, no mission critical systems were infected. But the incident underlined the potential disruption that could result from even the most simple of infections, the importance of rigorous standards of system management, and the necessity to retain expertise in depth and to surge it to problem areas where needed.

The thread of continuity that runs through these incidents is the personnel involved. A small cadre of engineers, police, policymakers, intelligence analysts, and procurement officers were learning these lessons under the purview of an increasingly interested senior leadership team. These same personnel are now in the Cabinet Office, GOSCC, DCIRT (now called the Joint Cyber Unit (JCU) in Corsham), the Defence Cyber Operations Group in MOD HQ, exchange posts with the US Armed Forces, CIO functions, and service provider organizations across the Government.

Who is in Charge Now? Central Government Steps Up

The absence of a “cyber Pearl Harbor” in the UK may well have contributed to the relatively piecemeal development of its early capabilities and structure, but it has also allowed the dominant narrative of cyberspace in the UK to be one of economic growth and social communication (on the upside) and of organized crime (on the downside). The 2009 Cyber Security Strategy891 established the Office of Cyber Security (OCS) at the heart of the UK Government’s power (within the UK Cabinet Office).

Its early objectives were to secure the UK’s advantage in cyberspace by reducing the risks of usage, exploiting opportunities, and improving knowledge capabilities and decision making. Strategic leadership and maintaining cross-governmental coherence were the tasks of the OCS. Another organization, the Cyber Security Operations Centre (CSOC), was established to conduct national monitoring and assessment, and to provide outreach across government departments to the nine sectors defined as forming the Critical National Infrastructure (CNI), as well as more broadly to industry. A 2011 Chatham House Report on Cyber Security and the UK’s Critical National Infrastructure892 criticized the government for the lack of productive coordination that had developed between government and the elements of the CNI since the crafting of the strategy. Most worryingly, the report’s research reflected high levels of ignorance and even an unwillingness to engage, among a significant proportion of the CNI organizations canvassed. The OCS continued to take the threat seriously and in November 2011, it issued a renewed Cyber Security Strategy that went beyond the establishment of organizations to the appointing of specific lead agents and to implementing actions across government departments.893 In a perfect reflection of the awakening that occurred at the MOD, the OCS also recognized the same umbilical connection between cyber security and the strategic value of information. Hence, the OCS re-named itself the Office of Cyber Security and Information Assurance (OCSIA). Importantly, the OCSIA was appointed as the national strategy lead for cyber, and also was handed the responsibility both to understand and to balance the opportunities and threats presented by cyberspace.

The OCSIA has the task of allocating the £650 million of new money that the government has provided for the nation’s cyber security to 2015. This and a fast-track route to the agenda of the National Security Council provide it with considerable political power. It has set itself four objectives to achieve by 2015: to tackle cyber crime and for the UK to be one of the most secure places in the world to do business in cyberspace; for the UK to be more resilient to cyber attacks and better able to protect its interests in cyberspace; for the UK to have helped shape an open, stable, and vibrant cyberspace, which the UK public can use safely and that supports open societies; and for the UK to have the cross-cutting knowledge, skills, and capability it needs to underpin all of its cyber security objectives.894

The Accelerating Challenges of Future Cyberspace

With organizations, structures, and governance processes established under the apex of central government and with the cadre of UK cyber professionals improving their ability to make sense of and determine a path through the current cyber maze, Britain has established its cyber foundations. However, it has yet to have its pedigree tested by a major disruptive cyber attack. Exercises provide an opportunity to improve cross-domain collaboration. These need to be extended where possible to the CNI and beyond. The planning and execution of pivotal national events, such as the London 2012 Olympics and Paralympics have provided ideal opportunities to develop norms of behavior, set standards, and learn lessons. The knowledge gained can be shared with the CNI, industry, and the public using mechanisms such as the UK’s Cyber Security Hub.895

Meanwhile, the constitution and uses of the Internet will continue to develop at break-neck speed. Many of the future innovations of cyberspace will be unanticipated. However, it is also possible to see significant challenges looming from the developments that are already apparent, though these are in their infancy. Mobile working is likely to increase significantly over the coming years, demanding ever-more wireless connectivity and raising questions about issues such as wireless encryption, identity management, and attribution. The current trend towards cloud computing represents a potentially significant challenge in the area of data protection and integrity. What has become known in some circles as the “Internet of things” poses a number of security issues, as uses of many items in the physical domain rely on cyberspace for their core functionality. For example, the government must understand and be able to legislate over the difference between a smart meter that controls the gas and electricity in a home and the potential functionality that such a device might afford as a cross-domain weapon. New and more sophisticated computing devices and technologies, such as bio-computing and nanotechnology, might not only revolutionize existing processes and capabilities, but also spawn completely new technologies and capabilities.

One of the themes of this chapter is the broadening of skills and experience needed to craft an appropriate strategy for cyberspace. Polymath expertise may be desirable, but it is clear that the basic mix of ingredients in any cyber policy unit now includes people with engineering, police, legal, finance, and business expertise; members from academia and training experts; military strategists; and even social anthropologists. Bringing this breadth of talent to bear on the issue of cyber strategy is a challenge akin to managing the creative explosion accomplished under the Medicis in Renaissance Florence.

The legal maze surrounding cyberspace only adds to the policy maker’s woes. Legislation has tended to lag behind technology’s advancements, and the UK government has espoused an ambition to make illegal on-line what is illegal off-line. Nonetheless, the power of any nation to take action against wrongdoers has its primacy in law. Where there is a time lag between the technical opportunity presented by cyberspace technology and the legal rules with which to govern that, undesirable behavior should be expected. Careful prioritization of the legislative effort and the development of a framework that allows technological opportunity to be balanced with the need to ensure that formal justice can be applied to malevolent cyber behaviour, are likely to remain core functions of governance in cyberspace.

Meanwhile, the gaps between cyber capability and legislation, and the continued low costs of entry will mean that the threat of cyber crime is only likely to worsen in the coming years. Thus, the relative importance of organizations such as the Police Electronic Crime Unit (PECU) and the Serious Organised Crime Agency (SOCA) is sure to grow, especially regarding their ability to operate and collaborate across national borders. Progress made on security and governance within sovereign borders is only likely to be as effective as the measures that can be put into place internationally to encompass the whole domain. The UK Foreign and Commonwealth Office (FCO) has also taken steps to provide international leadership in cyber issues. In November 2011, the FCO hosted an international conference in London896 aimed at promoting and protecting the positive benefits of the Internet for all. As an originator and signatory of the Council of Europe’s Budapest Convention on Cybercrime, the FCO has been shaping the agenda for the 2012 Budapest Conference, entitled “With Trust and Security for Freedom and Prosperity.” The Convention aims to promote capacity development, security, and the free use of cyberspace through close and practical cooperation between the private sector and government, as well as through more efficient cooperation between regional organizations.897


The UK has developed a strong pedigree in cyberspace. Some of what UK experts know of this new medium, they have learned from the inventions of the Industrial Revolution and the necessities of war. Amid the rapid expansion of the Internet, international e-commerce, and cybered events beyond its borders, Britain is also learning from the experiences of others. But the nation’s long history of developing information technologies and applying them innovatively to national problems in financial austerity has shaped the attitudes and approach taken by its policymakers. The UK’s curious mix of engineering, police, military, bureaucratic, business, intelligence, legal, and political talent has wrestled against its own “stovepipes of excellence,” and has developed a vision of cyberspace that it is both absent of the rhetoric of “cybergeddon” and balanced between the perceived benefits of cyber’s use and the vulnerabilities this creates.

Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.898

As Britain ventures increasingly into the new domain of cyberspace, another history is in the making—one that must be charted, questioned, interpreted, and assimilated. But time is the least forgiving dimension of strategy,899 and the race to a cyber future is already well underway. The nefarious users of cyberspace appear to have stolen a lead. We broadly understand who is on the same team, but struggle to understand or even to see the competition. The rules by which we play are understood, but they certainly are not followed by all. Maybe genuine proactivity is too much to ask of our governments at this stage, but working together is not. Ultimately, we need to ask what it is to “win” in cyberspace and to ensure that we act so as to remain in the race. Perfection is the enemy of “good enough.” While we may know just how far we have come, we still have to discover what “good enough” really means.

Notes [Citations in Notes: Bibliography]

858 Group Captain Shaun Harvey is a serving British Royal Air Force officer and a Chief of the Air Staff Fellow. Over his 23 year career to date, he has served as a communications engineer, satellite operator, military planner, and staff officer including an appointment in the Defence Cyber Security Programme. He has also worked as an Exchange Officer with the United States Air Force, running a Division of the Air Staff in the Pentagon. He has an MBA and an MA in Defence Studies, and has just completed an MPhil with Professor Colin Gray at Reading University, where his thesis was on the application of strategy to the issues of cyber power. The views offered in this chapter are those of the author and do not necessarily represent those of the UK Ministry of Defence or the Royal Air Force

859 The website of Professor Kevin Warwick can be accessed at

860 Cabinet Office. The UK Cyber Security Strategy.

861 Cabinet Office. Cyber Security Strategy of the United Kingdom.

862 A Strong Britain in the Age of Uncertainty: The National Security Strategy

863 Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review.

864 The UK Cyber Security Strategy.

865 For a comprehensive account of GCHQ’s history, see Aldrich, GCHQ: The Uncensored Story of Britain’s Most Secret Intelligence Agency.

866 William Gibson, Neuromancer (London: Harper Collins, 1995).

867 Colossus was built by Tommy Flowers, a brilliant Post Office engineer. It was successful in cracking the Lorenz ciphers of the Nazi High Command. Its first upgrade was working in time to help Eisenhower and Montgomery to be sure that Hitler had swallowed the bait from the deception campaigns prior to D-Day (June 6, 1944). There were eventually ten working Colossus machines at Bletchley Park. Further details can be found at: “Colossus Rebuild Project.”

868 Michell, “A History of Networks,” 11.

869 “The 1945 Proposal by Arthur C. Clarke for Geostationary Satellite Communications.”

870 “Privatisation of British Telecom (1984).”

871 For an excellent exposition on the paradoxical logic of strategy, see Edward N. Luttwack, Strategy: the Logic of War and Peace (Cambridge, MA: Harvard University Press, 1987).

872 The Tofflers were among the first to herald and examine the idea of information wars for an information age. See Toffler and Toffler, War and Anti-War.

873 For useful background on the changes in UK Government Defence Policy in the 1990s, see Taylor, “The Defence White Paper,” 7-14.

874 In this chapter, a “stove-pipe” or “stove-piping” refers to a structure, organization, or activity that is pursued in isolation from other activities that could reasonably be expected to be interconnected. This behavior often results in un-coordinated outcomes and problems with interoperability.

875 “Strategic Defence Report.”

876 An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use, or disclosure of such information - July 1998.

877 A description of the WARP and how it applies to the Critical National Infrastructure can be found at: Center for the Protection of National Infrastructure. “WARP Background.”

878 Details of the DII contract can be found at: Atlas Consortium, “About the DII Programme.”

879 Skynet 5 is contracted for availability and provides satellite services for military users world-wide. It is delivered by Paradigm Services, with deployed manpower provided by the military. Paradigm Services by Astrium, “Skynet 5 Has the World Covered with Secure, Flexible, and Pinpoint Accurate Communications.”

880 Baddeley, “DFTS: a Defence-Wide System.”

881 The Clinger-Cohen Act (CCA) of 1996, also known as the Information Technology Management Reform Act, established in law the posts of Chief Information Officers (CIOs) for all Federal Agencies. CIOs were made responsible for developing, maintaining, and implementing sound and integrated IT architectures. The CCA introduced congressional governance to the efficiency and interoperability of existing and future IT investment. “The Clinger-Cohen Act (CCA) of 1996.”

882 Government Ministers are accountable to Parliament for the performance and activities within their ministry. In addition, the National Audit Office provides financial scrutiny of MOD procurement.

883 For an excellent description of the objective nature of war, see Gray, Another Bloody Century: Future Warfare, 291-330.

884 “Y2K Bug Fails to Bite.”

885 See Symantec, Report on Lovgate.

886 “Single User Costs MoD £10 million after allowing Worm onto the Network.”

887 “Amarillo Video Crashes MoD PCs.”

888 Burton, “Report into the Loss of MOD Personal Data.”

889 Willsher, “French Fighter Planes Grounded by Computer Virus.”

890 Interview between the author and the Commanding Officer, 90 Signals Unit, RAF 23, March 2012.

891 Cabinet Office, Cyber Security Strategy of the United Kingdom.

892 Cornish, et al., Cyber Security and the UK’s Critical National Infrastructure.

893 Ibid.

894 Ibid.

895 Ibid., 28.

896 UK Foreign and Commonwealth Office, “Cyberspace: Cyber Security.”

897 “Budapest Conference on Cyberspace 2012.”

898 Cabinet Office, The UK Cyber Security Strategy: Protecting and Promoting, 8.

899 Gray, Fighting Talk: Forty Maxims on War, Peace and Strategy, 70-73.


“1945 Proposal by Arthur C. Clarke for Geostationary Satellite Communications, The.” Accessed October 11, 2012.

Aldrich, Richard. GCHQ: The Uncensored Story of Britain’s Most Secret Intelligence Agency. New York: Harpercollins, 2010. A Strong Britain in the Age of Uncertainty: The National Security Strategy. Government of the United Kingdom. London: The Stationery Office, October 2010. Accessed March 19, 2013.

Atlas Consortium “About the DII Programme.” Accessed March 19, 2013.

“’Amarillo’ Video Crashes MoD PCs.” May 17, 2005. Accessed September 5, 2012.

Baddeley, Adam. “DFTS: a Defence-Wide System.” Defence Management Journal 31 (December 2005). Accessed March 19, 2013.

“Budapest Conference on Cyberspace 2012.” Hungarian Government Ministry of Foreign Affairs. August 9, 2012. Accessed September 10, 2012.

Burton, Edmund. “Report into the Loss of MOD Personal Data.” Ministry of Defence. April 30, 2008. Accessed March 19, 2013.

Cabinet Office. Cyber Security Strategy of the United Kingdom: Safety, Security and Resilience in Cyber Space. London: The Stationery Office, 2009. Accessed March 19, 2013.

Cabinet Office. The UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World. November 2011. Accessed March 19, 2013.

Center for the Protection of National Infrastructure. “WARP Background.” Accessed March 19, 2013.

“Clinger-Cohen Act (CCA) of 1996, The.” DoD CIO Desk Reference: Volume 1 Foundation Documents. Department of Defense Chief Information Office. August 2006. Accessed March 19, 2013.

“Colossus Rebuild Project.” Accessed March 19, 2013.

Cornish, Paul, David Livingstone, David Clemente, and Claire Yorke. Cyber Security and the UK’s Critical National Infrastructure. London: Chatham House, 2011.

“Cyberspace: Cyber Security.” UK Foreign and Commonwealth Office. Accessed October 28, 2012.

Gray, Colin S. Another Bloody Century: Future Warfare. London: Phoenix, 2005.

Gray, Colin S. Fighting Talk: Forty Maxims on War, Peace and Strategy. Washington D.C: Potomac Books, 2009.

Luttwack, Edward N. Strategy: the Logic of War and Peace. Cambridge, MA: Harvard University Press, 1987.

Michell, Simon. “A History of Networks.” In NEC: Understanding Network Enabled Capability, edited by Simon Michell, 42-45. London: Newsdesk Communications, Ltd., 2009. Accessed March 27, 2013.

“Privatisation of British Telecom (1984), The.” In The “S” Factors: Lessons from IFG’s policy success reunion, edited by Jill Rutter, Edward Marshall, and Sam Sims, 45-59. Institute for Government. January 2012. Accessed October 11, 2012.

Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review. Government of the United Kingdom. London: The Stationary Office, October 2010. Accessed March 19, 2013.

“Single User Costs MoD £10 million after allowing Worm onto the Network.” Computer Weekly. June 8, 2004. Accessed May 26, 2009.

“Skynet 5 Has the World Covered with Secure, Flexible, and Pinpoint Accurate Communications.” Accessed March 19, 2013.

“Strategic Defence Report.” Presented to Parliament by the Secretary of State for Defence by Command of Her Majesty, July 1998. Accessed March 19, 2013.

Symantec, Report on Lovgate. Accessed April 24, 2013.

Taylor, Claire. “The Defence White Paper.” Research Paper 04/71. House of Commons Library. September 17, 2004. Accessed March 19, 2013.

Toffler, Alvin and Heidi Toffler. War and Anti-War: Survival at the Dawn of the 21st Century. New York: Little Brown & Co., 1993.

UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World, The. London: Cabinet Office, November 25, 2011. Accessed March 27, 2013.

“W32.HLLW.LOVEGATE.C@MM.” Updated February 13, 2007. Accessed March 19, 2013.

Willsher, Kim. “French Fighter Planes Grounded by Computer Virus.” The Telegraph, February 7, 2009. Accessed March 19, 2013.

“Y2K Bug Fails to Bite.” January 1, 2000. Accessed March 19, 2013.