NATO is coming to terms with the challenges represented by the cyber domain, according to Jamie Shea NATO’s Deputy Assistant Secretary General charged with looking at emerging security challenges in the first of a new series of exclusive interviews of leading figures by Nick Watts for Defence Viewpoints. 

Shea who has over 30 years’ experience of working at NATO was recently involved in the working group which produced the Alliance’s Strategic Concept. He has seen how the Alliance has transformed itself from a Cold War organization, through the campaigns in the Balkans and the admission of former Warsaw Pact members, to its present state.

Adam Dempsey, Research Associate UK Defence Forum

In the aftermath of last week's Strategic Defence and Security Review (SDSR) many industry analysts were quick to paint a bleak future for the UK's defence sector. Further job losses are expected as hardware is retired, personnel numbers reduced and service contracts terminated. The global marketplace is unlikely to offer much in the way of respite. The United Kingdom joins France, the United States and others in seeking to offset shrinking domestic markets via exports. A crowded marketplace is further exacerbated by challenges from states with more 'joined-up' defence-industrial bases and emerging market entrants. The £650 million allocated to cyber security by the SDSR may provide new opportunities. Yet the specific nature of the UK's cyber security requirements remains unclear. Indeed, total clarity does not appear to be on the horizon.

What the SDSR makes very clear is that threats to national security emanating from cyber space are likely to increase over the next five to ten years. Whilst cyber attacks from hostile states cannot be ruled out, the actions of cyber terrorists and criminals are perhaps of greater concern. In 2009 alone 51% of all known malicious software threats were identified. The language of the SDSR also suggests that Government departments are not yet capable of fully addressing the threat. As a result, the £650 million allocated will support a National Cyber Security Programme that seeks to transform the Government's response in partnership with the private sector.

Greater clarity may be provided with the publication of the Defence Industrial Green Paper by the end of the year, followed by a White Paper in 2011. In advance of such publications, the increased emphasis upon cyber security has influenced a raft of recent mergers and acquisitions (M & A). During the third quarter of 2010 more than a third of all defence M & A concentrated on cyber security capabilities. The most high-profile acquisition was the EADS subsidiary Cassidian's purchase of the UK's Regency IT Consulting. According to Jane's, the purchase reflects Cassidian's overall cyber security strategy for the UK market. The purchase also suggests that defence companies are positioning themselves to ensure that they will benefit from the clarity that future Government documents may offer.

Cassidian's purchase of Regency IT Consulting also reflects the growing cyber security opportunities emerging throughout the international marketplace. As other markets – and indeed governments – seek to mitigate the threats posed by a cyber attack M & A focussed upon cyber security solutions are likely to increase. A cursory glance of Regency's website may also provide an insight into the public-private cooperation to be forged by the National Cyber Security Programme. Underpinning Regency's services is the practice of managing information-related risks with Information Assurance (IA). From the development of IT infrastructures through to the storage of information, IA seeks to ensure that authorised users only have access to privileged and confidential data.

As is to be expected Regency's website also outlines the type of services it offers. Yet if the U.S. cyber security market is anything to go by certain services offered to the Government may not make company websites. U.S. cyber security programmes have been estimated to be worth $11 billion. As these focus upon the protection of IT infrastructures, hardware and networks they also provide another indicator of possible contents for UK programmes. However estimates that approximately 75% of cyber opportunities are 'black' also suggests that aspects of the Government's programme may remain a largely grey area. Of course, the upcoming Green Paper may make the UK's cyber security strategy more clear. But if the machinery of government decides to replicate its American counterparts future documents may also make bold proclamations whilst keeping exact details to a bare minimum.

Indeed, such high levels of confidentiality make perfect sense when national security is at risk. One only need look at havoc wreaked by the Stuxnet virus on Iran's nuclear facilities at Bushehr or India's main television satellite to appreciate that a cyber attack is often against networks that societies take for granted. Giving challenges to cyber security more information on infrastructures ensures that the perpetrator maintains the upper hand. Accordingly, the specifics of national cyber security strategies – and purchases – may remain a grey area for some time to come.

The House of Commons Defence Select Committee (HCDC) published its report on the MOD’s approach to Cyber Security on 9^th January. It rightly draws attention to the extent of the UK’s defence capability’s reliance on cyber related technology. This is both an advantage and a risk. The advantage lies in the UK’s expertise in this area. The risk lies in the central nervous system of the UK’s defences becoming paralysed.

By Oliver Jones

Much has been made over recent years of the emerging threat of "cyber-attacks" on Western targets. Governments have become increasingly vocal on these threats, publishing a range of materials and proposing a number of policies. In the United States the government has taken steps which include the establishment of the US "Cyber-Command", alongside the US senate debating a so called "kill switch bill", which proposes to grant the president emergency powers over the internet. In the UK the cyber threat is also a growing concern. The recent Strategic Defence and Security Review and the UK National Security Strategy have both identified the sphere of "cyber Security" as a "Tier 1" threat or risk . Outside of government circles the issue is also becoming increasingly debated. Recently the popular periodicals "Foreign Affairs" and "The New Yorker" have both released articles detailing and debating the issue.

What however is the threat from this new "cyber domain", does it represent a new paradigm in warfare? Popular perceptions stemming from fictitious sources, such as the 2007 blockbuster Die Hard 4.0 in which the US comes under assault from "cyber-Terrorists" who target key infrastructure to cause a "fire sale" attack with potentially devastating consequences, suggest that cyber-warfare represents a devastating new strategic weapon capable of the kind of destruction only previously threatened by "WMD's". What's more the threat of cyber-attack is also characterised as being an emerging "asymmetric" threat. This idea of cyber-war is also lent credence from sources such as "Unrestricted Warfare," a proposal for Chinese military strategy, written by two Peoples Liberation Army colonels, whereby China seeks to beat a technologically and military superior opponent through the use of imaginative strategies which utilise measures that avoid direct military confrontation and instead attack their adversary through other avenues. Also adding to this perception of the cyber threat are the events like those in Estonia in 2007, where the Government and other sectors came under sustained denial of service attacks during a diplomatic spat with Russia over the relocation of "the Bronze Soldier of Tallinn". This and similar ideas certainly suggest that cyber-war does represent a threat in this way and this idea has been championed by American authorities on cyber-war. Richard A. Clarke, a former White House official with responsibility for the field, this year published "Cyberwar" a proposal for US strategy which prophesizes a particularly apocalyptic vision of a Chinese cyber-attack with mass casualties.