La guerra cibernetica

[Andrea75]

... la cyber sicurezza UK: pagina principale http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/10602.htm

 

... le minaccie http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/10604.htm#a2

 

 

The UK Cyber Security Strategy states that:

Some of the most sophisticated threats to the UK in cyberspace come from other states which seek to conduct espionage with the aim of spying on or compromising our government, military, industrial or economic assets, as well as monitoring opponents of their own regimes. 'Patriotic' hackers can act upon states' behalf, to spread disinformation, disrupt critical services or seek advantage during times of increased tension. In times of conflict, vulnerabilities in cyberspace could be exploited by an enemy to reduce our military's technological advantage, or to reach past it to attack our critical infrastructure at home.[14]

The Strategy notes that "some states regard cyberspace as providing a way to commit hostile acts 'deniably'. Alongside our existing defence and security capabilities, the UK must be capable of protecting our national interests in cyberspace."[15]

Techniques used by hostile actors in cyberspace are various: malicious software (malware), networks of 'botnets'[16] and 'logic bombs'[17] can be employed to navigate target systems, retrieve sensitive data or overrule command-and-control systems. GCHQ estimates that 80% or more of currently successful cyber attacks could be defeated by simple best practice, such as updating anti-virus software regularly.[18]

'Advanced Persistent Threat' (APT) is the term used most often to describe subtle threats that are unlikely to be deterred by simple cyber hygiene measures[19]. Traditional 'boundary' defences may not be effective against "more subtle threats like APT and social engineering techniques"[20] such as manipulating people into performing actions which lead to confidential information being divulged.

Acts of aggression or malice in cyberspace differ from those in other domains. Cyberspace is regarded as an asymmetric domain, meaning that even adversaries of limited means can pose a significant threat to military capabilities. Attribution of attacks is difficult, time-consuming and sometimes impossible, as is discerning motives (some security breaches may owe as much to intellectual curiosity as intent to do harm). The then US Deputy Secretary of Defense William J. Lynn further wrote:

In cyberspace, offence has the upper hand. The Internet was designed to be collaborative and rapidly expandable and to have low barriers to technological innovation; security and identity management were lower priorities. For these structural reasons, the US government's ability to defend its networks always lags behind its adversaries' ability to exploit US networks' weaknesses.[21]

The Intelligence and Security Committee in its Annual Report 2010-11 considered the activities of state actors in cyberspace:

Cyber space means that countries no longer have to invest in global networks and pursue complex operations with high-level agents when it comes to espionage: they can access much of the same information using relatively inexpensive cyber attacks. The Director General of the Security Service told us in February 2011 that "the barriers to entry to cyber espionage are quite low. We have found a number of […] countries taking an interest in this".[22]

In evidence provided to that Committee, GCHQ had elaborated on the source of the threat:

The greatest threat of electronic attack continues to be posed by State actors and, of those, Russia and China are [suspected of carrying out] the majority of attacks. [...]. Their targets are in Government as well as in industry. [...]. There are also a number of other states with credible electronic attack capabilities [...].[23]

We note the finding of the Intelligence and Security Committee that the main purpose of such attacks is espionage and the acquisition of information; however, there is a concern that this capability could be turned towards disruption activities - for example, interrupting supply of utility services.

 

... conclusioni e raccomandazioni http://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/10603.htm

 

 

 

MoD networks, assets and capabilities

The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised. Given the inevitable inadequacy of the measures available to protect against a constantly changing and evolving threat, and given the Minister for the Cabinet Office's comment, it is not enough for the Armed Forces to do their best to prevent an effective attack. In its response to this report the Government should set out details of the contingency plans it has in place should such an attack occur. If it has none, it should say so - and urgently create some. (Paragraph 28)

The MoD's most important cyber-security responsibility is to manage and protect the systems and networks on which the UK's Armed Forces depend. The Committee was impressed with the GOSCC as a model of how industry contractors with particular expertise can be integrated with MoD personnel, and reassured by the clarity with which its mission was communicated. It is clearly a world-class facility. Changes to the MoD's procurement function will also have a bearing on the responsibilities of Information Systems and Services as a whole, and we ask that the Secretary of State keep Parliament informed about the impact of such changes on ISS's cyber functions. (Paragraph 34)

The GOSCC constitutes a pool of expertise which can be drawn on to spread good 'cyber hygiene' and awareness of everyday threats throughout the Defence workforce. In its response to this report the MoD should explain how the GOSCC's capability and the experience of its staff can be linked to the responsibility of the DCOG for bringing cyber-security into the forefront of all Government does. We consider that the GOSCC should be held up as a Centre of Excellence to promote good practice within the MoD and other Government Departments. (Paragraph 35)

We appreciate the MoD witnesses' frank assessment of the work still to be done on securing its supply chain and industrial base. Despite this frankness, the witnesses gave the impression that they believed that an admission of the problem took them close to resolving the problem. It does not. It is imperative that we see evidence of more urgent and concrete action by suppliers to address this serious vulnerability, and of energy and determination on the part of the MoD to enforce this action. This evidence should include, for example, efforts to improve the technical processes involved, identification of adequate resources, and provision of training to address the human aspects of good cyber defence. (Paragraph 42)

We consider that the opportunity created by cyber tools and techniques to enhance the military capabilities of our Armed Forces should be explored thoroughly by the MoD. To this end, we support the use of National Cyber Security Programme funding for the purpose of developing such capabilities. In addition, the opportunity to draw upon capabilities from strategic partners, particularly the USA, should be fully exploited. (Paragraph 53)

Good cyber-security practice needs to permeate the whole of the MoD and the Armed Forces. It would be a cause for concern if different units were to compete for particular roles and resources, if lines of accountability were to be unclear, if they were to operate in silos that would obstruct the best use of skills across the organisation, or if policy were to become fragmented. (Paragraph 56)

The MoD's thinking on the best internal structures for cyber-security appears to us to be still developing, particularly as the Joint Forces Command becomes more established. Getting this right must be a top priority. We recommend that the MoD should report to Parliament regularly about proposed and actual changes to those structures, and improvements in delivery that come about as a result. (Paragraph 57)

At present the stated unifying role of the DCOG is more illusory than real, and among its long list of tasks are some which appear to overlap with those of the GOSCC or Information Services and Systems more generally. We urge the MoD to communicate its cyber-security structures a more comprehensible fashion, setting out strands of work and lines of accountability unambiguously. Only by doing this can we be assured that there is indeed clarity about roles and responsibilities within the MoD and the Armed Forces. We recommend, in particular, that the respective roles of the Chief Information Officer and the Joint Forces Commander are clarified in relation to cyber-security. (Paragraph 58)

Military activity in cyberspace - conceptual framework

Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour. There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response. Development of capabilities needs to be accompanied by the urgent development of supporting concepts. We are concerned that the then Minister's responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues. We recommend that the MoD makes development of rules of engagement for cyber operations an urgent priority, and that it should ensure that the necessary intelligence, planning and coordination functions are properly resourced. (Paragraph 67)

We recommend that the Government ensure that civil contingency plans identify the military resources that could be drawn upon in the event of a large-scale cyber attack, such as additional staff, planning resources or technical expertise. In its response to this report the Government should set out what work it is doing to identify the reliance of the Armed Forces on the integrity and resilience of the Critical National Infrastructure, the steps it has taken to ensure that the CNI will remain sufficiently robust to meet the needs of the Armed Forces and its contingency plans for the event that any relevant part of the CNI should fail. (Paragraph 69)

Relationships with allies

We welcome the Government's decision to play a more active role in the future work of the NATO Cyber-Defence Centre of Excellence. We ask that the MoD keeps Parliament fully apprised of future decisions regarding participation in this and other international co-operative arrangements. (Paragraph 74)

Resources and skills supporting military activity in cyberspace

The rapidly changing nature of the cyber threat demands that a premium be placed on research and development to enable the MoD to keep pace with, understand and anticipate that threat. We recommend that this should be addressed. The Government should also make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled, and we recommend that the MoD set out clearly in its response to this report how it will do so. (Paragraph 81)

We recommend that the 'Cyber Future Force' work focuses on the development of career structures for MoD and Armed Forces personnel that will allow them not only to develop, but build on, their cyber skills. The MoD may not be able to compete with the private sector on salary terms, but it must be able to give staff opportunities and responsibility as well as rewarding work. (Paragraph 90)

MoD thinking about how reservists will help to deliver cyber-security is evolving, with many issues to be resolved. Although we welcome the initial steps taken by the MoD to develop the Joint Cyber Reserve it is regrettable that information about its establishment was not shared with us during our evidence taking. As a consequence, we were unable to explore with Ministers the details of this important development. (Paragraph 93)

We recommend that the MoD should build on existing strengths in the ways reservists contribute to cyber-defence and operations, and to retain the particular reserve-led command structures that facilitate those contributions. If any new reserve structure is to succeed, it is important that reservists who work in the civilian world should play a part in its design. The close relationships that have been established with contractors at the GOSCC could provide an avenue for recruiting more reservists from those companies, and we recommend that the MoD prioritise, as part of Future Reserves 2020, a strategy for recruiting personnel with specialist skills from the private sector. (Paragraph 94)

We recommend that the MoD must be rigorous in ensuring that all cyber-security activity—legacy and routine work as well as new initiatives—is fully funded. We were encouraged by the then Minister for the Armed Forces' explanation that spending on cyber would be included as a matter of course in future programme budgets. Continued investment in skills and resources is vital. We seek the MoD's assurance that this will not in practice mean cuts in other areas. Quantifying the 'right' amount to spend on cyber-security is a challenge which the MoD must not shirk; military and wider Government intelligence capability depends on it. (Paragraph 99)

It is vital not only that the MoD and the Government have ways of measuring their own progress in cyber-security, but also of communicating that progress to Parliament and the public. We are pleased that the MoD is engaging with the challenge of devising appropriate metrics and measurements for assessing progress. We acknowledge the difficulty of this task, and look forward to seeing how pan-Government, international and cross-sector thinking influences the outcomes of this work. We recommend that the MoD should provide Parliament with a report on cyber incidents and performance against metrics on at least an annual basis. (Paragraph 102)

Cyber-security across Government

It is our view that cyber-security is a sufficiently urgent, significant and complex activity to warrant increased ministerial attention. The relevant minister should have the authority to direct government departments to take action if they are not performing as required. We also consider that the National Security Council should dedicate time, with the relevant minister in attendance, to consider cyber-security matters on a more regular basis. (Paragraph 113)

The National Cyber Security Programme requires robust governance and we note that the Minister for the Cabinet Office chairs the Programme Board. However, the Programme represents only the tip of the iceberg of the necessary cyber-security activity across government. High-profile and authoritative leadership is required for all such activity. (Paragraph 114)

In a previous inquiry we expressed concern that no one government department was identified to take immediate lead responsibility should there be a severe space weather event. The machinery in the event of a cyber attack appears to be under development, with an important role being played by the Cyber Security Operations Centre. However, before a 'lead Government Department' is identified for a particular cyber incident there is a potential gap during which the Cabinet Office has a coordinating role but the location of executive authority is not clear. It is vital that clear procedures are in place, and communicated, about how ownership of incident response is escalated when necessary from individual departments to higher, central authorities. We recommend that the National Security Council review these arrangements to ensure that the UK's response to major cyber-incidents is as streamlined, rapid and effective as it can be, and that a programme of regular exercises, involving ministers as well as officials, is put in place to test the arrangements. The MoD should also conduct exercises for its own internal arrangements and their interface with the rest of government. (Paragraph 120)

Conclusion

We recommend that the MoD and the National Security Council keep under review the delineation of the military role in national cyber-security, not with a view to expanding that role unnecessarily, but to ensure that threats are dealt with in the most appropriate and effective manner, and that the MoD can focus its resources accordingly. (Paragraph 122)

The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation's security. The Government needs to put in place - as it has not yet done - mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour. (Paragraph 123)