Cyberspace and the National Security of the United Kingdom
Full Title of Reference
Cyberspace and the National Security of the United Kingdom - Threats and Responses
Paul Cornish, Rex Hughes and David Livingstone, Cyberspace and the National Security of the United Kingdom - Threats and Responses , A Chatham House Report (2009). Web
Issues: Threats and Actors
Issues: Government Organization
Issues: Public-Private Cooperation
Cyberspace and the National Security of the United Kingdom provides a general overview of the problem of cybersecurity. The aim of the report is to inform debate and to make the case for a more coherent, comprehensive and anticipatory policy response, both nationally and internationally. In every area, society is becoming increasingly dependent upon information and communications technology (ICT). With dependency come exposure and vulnerability to misuse, criminality and even attack. Criminals and extremists are able to take advantage of the same ‘global technological commons’ upon which society is becoming so dependent. Cybersecurity has become a fast-moving and complex security challenge, one which requires a coordinated, agile and mutually reinforcing response from all those who benefit from the global ICT infrastructure.
After a brief introduction, Chapter 2, on cyberthreats, describes four domains of hostile activity and behaviour: state-sponsored cyberattacks, ideological and political extremism, serious and organized crime, and lowerlevel/ individual crime. These domains are inter-linked. Hacking, for example, is a relatively low-level and disorganized activity, yet it can have very high-level consequences, and it also features prominently in other threat domains. Serious and organized criminal misuse of the global information infrastructure is increasing, in both quantitative and qualitative terms, and at considerable cost to the global economy.What is more, the Internet seems to fit the requirements of ideological and political extremists particularly well. Finally, it seems that the Internet is increasingly seen by some states and governments as a strategic asset to be exploited for the purposes of national security, and perhaps even as a battlefield where strategic conflicts can be fought. The report observes that it is not simply that increasing dependence on ICT creates vulnerabilities and opportunities to be exploited by the unscrupulous, but also that ICT has an increasingly important enabling function for serious and organized crime, ideological and political extremism, and possibly even state-sponsored aggression.
As a complex security challenge, cybersecurity cannot be explained sufficiently in terms of threat. In Chapter 3, on cybersecurity practices and principles, the report argues that cybersecurity amounts to a system-level challenge to society. A system-level response will be necessary so that the activities of different agencies and bodies complement each other and are mutually reinforcing, rather than conflicting. Yet society does not respond as a coherent system; different stakeholders remain focused on their narrow interests and as a result the cybersecurity response is dispersed, uncoordinated and inefficient. Current practices (such as computer and network security, information security and assurance, and the protection of critical national infrastructure) must be informed and energized by a set of strategic and operational- level principles, including governance, inclusiveness, agility and risk management.
In Chapter 4, which looks at the challenge of building a national cybersecurity regime, the report draws on recent experience in the United Kingdomto show how a coherent framework for cybersecurity policy can be developed, in which ‘bottom-up’ and ‘top-down’ approaches can be integrated, and in which a more systemic approach to cybersecurity becomes feasible. A national cybersecurity regime should include (yet not direct) a wide variety of actors, agencies and stakeholders, and must be sufficiently agile (yet without losing focus) to meet a rapidly evolving and transforming security challenge. In summary, the reportmakes a number of observations and recommendations for further research and analysis: _ Cybersecurity is not exclusively a military problem. The language and organizing concepts of cybersecurity can often seem to be military in derivation; ‘threat’, ‘aggression’, ‘attack’, ‘defence’ being among the more familiar terms. But cybersecurity is a challenge to society as a whole and requires a broad, cooperative multi-agency response.
- Society is becoming ever more dependent on the global ICT infrastructure. With dependence comes vulnerability to those who would exploit features of this infrastructure to prey on society for their own nefarious ends.
- Yet when hackers, criminals and extremists use ICT against society, they too become ICT-dependent and therefore vulnerable to surveillance and disruption by law enforcement and other legitimate agencies.
- Business process analysis provides a basis for action against cyberdependent adversaries.
- Proportionality is essential. Cybersecurity is a serious, structural challenge. But assessment of the character and scale of cyberthreats can be exaggerated. Careful analysis of cyberthreats (ideally crossgovernmentally) is necessary in order to ensure a proportionate and cost-effective response.
- Efforts should be made to improve the relationship between the worlds of security policy and technology. Specialists in cybertechnology – the so-called ‘technorati’ – should be given a more central and formative role in policy.
- Because cybersecurity affects all sectors and levels of society, there are fundamental choices to be made as to how responsibility for it should be distributed between the private, commercial and governmental domains. In the sphere of public policy specifically, decisions must be made over which government department should be charged with developing and articulating a policy, and how different aspects of policy should be apportioned among agencies.
Additional Notes and Highlights
Published by Royal Institute of International Affairs in conjunction with Deltica, Ltd.
Dr Paul Cornish holds the Carrington Chair in International Security at Chatham House, where he directs the International Security Programme. He was educated at the University of St Andrews, the London School of Economics, the Royal Military Academy Sandhurst and the University of Cambridge. He has served in the British Army and the Foreign and Commonwealth Office, has taught at the UK Joint Staff College and at the University of Cambridge, and was previously Director of the Centre for Defence Studies at King’s College London. His research interests include European security and defence institu- tions, arms control and non-proliferation, counter- terrorism and domestic security.
Dr Rex Hughes is a Research Associate at the Cambridge- MIT Institute where he examines the global governance challenges of cybersecurity. He was educated at the Universities of Washington and Cambridge. He founded and directed the world’s first multidisciplinary Internet Studies programme at the University of Washington. Working in partnership with IBM-Lotus, Dr Hughes led the development of iEnvoy, the first secure diplomat-to- diplomat Internet communications platform deployed by the US Department of State.
David Livingstone MBE DSC is the Managing Partner of Morgan Aquila LLP, which provides consultancy in business transformation in the anti-terrorism domain, focusing on the benefits derived from multi-agency inte- gration. During 21 years in the Royal Navy he was variously a helicopter pilot, minesweeper captain and staff officer with the Flag Officer Naval Aviation. He is a graduate of the Army Staff College Camberley and a Fellow of the Royal Geographical Society. He has written a number of papers on counter-terrorism and resilience, and is a regular media commentator. Mr Livingstone is an Associate Fellow of the International Security Programme at Chatham House.