UK Lords Committee On Large-Scale Cyber Attacks
Yesterday I was at the House of Lords for the European Union Sub-Committee F (Home Affairs) hearing on EU policy on protecting Europe from large-scale cyber-attacks. This is the Lords’ enquiry into EU Directive 2008/114/EC ‘on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection’. Snappy, I’m sure you’ll agree, and anyone interested can access the relevant Lords webpage here, their call for evidence here, and the EU directive here. For those of a particularly masochistic bent the video of the session is here (warning: 1h30m). Yours truly can be seen chewing gum at the back.
These sessions are always a bit of a slog, for those hearing evidence and those giving it, but they serve an important function; this committee is no different in that respect. They are soliciting evidence on the four basic themes of: Threat Analysis, International Responses, the European Network & Information Security Agency (ENISA), and Timescales. Yesterday’s session heard from Geoff Smith, Head, Communications Security, Department for Business, Innovation & Skills (BIS), and Dr Steve Marsh, Deputy Director, Office of Cyber Security (OCS) in the Cabinet Office.
We heard that BIS is undertaking a nationwide, multi-stakeholder, resilience-testing exercise next week (Operation White Noise, 11-12 November) in which they will be red-teaming a scenario in which national voice-call networks collapse. We heard about the Electronic Communications Resilience & Response Group (EC-RRG), the Technology Strategy Board and the Cyber Security Knowledge Transfer Network, with which I’ve had some peripheral contact. Botnets were mentioned, and Steve Marsh patiently explained what they were and what threat they posed and, to his credit, flagged up the important human factors in the threat environment. There was talk of how best to stimulate entrepreneurship in the cybersecurity sector. Smith talked about his role at ENISA and conceded that there are difficulties with its lowly European position and its Greek location. He opined that the UK is ahead of the curve with respect to resilience planning in general (along with France, Germany, Sweden and the Netherlands), but an event tomorrow could easily prove completely the opposite.
On cyberwar, intelligence sharing is not good enough, and Marsh spoke about the problems of identifying threat vectors, threat sources, attribution, etc. He nearly got to some real meat about the problems of cyberwar, deterrence, etc, but the Committee members were beginning to leave by that point – I got the impression the session overran slightly. We also heard a bit about CERTs and WARPs (Warning, Advice and Reporting Points). Sixteen UK CERTs are members of FIRST, the Forum of Incident Response and Security Teams, and some discussion was had about how to align their interests, skills and resources.
An encouraging start to the process. I don’t know how many more hearings there will be but it sounded like the Committee are at least asking the right questions. The next session is in two weeks, so I’ll be in a better position to get an idea of where the process is going after that. Also, a little bird tells me that the OCS will be making some kind of statement next month about their activities, so watch this space…
Update: Stewart Mitchell has an honest write-up of the session at PC Pro magazine, Cyber Warfare ‘Could Spark Military Response’.
