The MoD has faced some criticism around securing some of its IT systems. What are some of the challenges facing the MoD when it comes to cyber risk?
Attacks by adversaries are increasing rapidly, according to the NCSC. This has only increased since the beginning of the Ukraine war. And, according to the Parliamentary National Security Joint Committee, the UK is the most attacked country in the world. In Defence, where systems are traditionally in service for decades, NATO countries have been particularly vulnerable to the rapid change in technology and associated cybersecurity risks.
How can high levels of risk affect its operations or digital transformation efforts?
Risks of cyberattacks can fundamentally stop missions and objectives being met, especially in theatre, which is why cybersecurity should be dealt with like other component parts of a programme or capability, like safety, resourcing, budgets etc. Cyber needs to be considered up front and baked in throughout a programme's or capability's lifetime, including through to disposal.
What is the MoD’s Secure By Design policy about, and how did it come into being?
Secure By Design is a fundamental change to the way MOD approaches cybersecurity. It is replacing point-in-time assessments with continual, risk-based assurance. And we are replacing a centralised authority with decentralised self-assessment, where programmes are empowered to take responsibility for their own security.
This is the MoD’s response to our own internal audit back in 2019 which identified that ministers could not be assured that critical systems were adequately secure to deliver the Defence purpose. We moved quickly, with the Secure By Design project starting in 2020, Alpha trials in 2021 and beta trials the following year. Following the success of these we went live with SBD on July 28, 2023. This means that all new capabilities need to comply now and that over the next few years all legacy systems will too.
How important is the industry ecosystem to Secure By Design?
The MoD relies heavily on the supply chain to support them in the delivery of solutions, so it is imperative that this ecosystem is fully on board with and adopts the new SbD approach. As we have seen in the past, cyber breaches often come from the weakest part of the supply chain, so it is imperative that this approach flows all the way down the chain.
Another big change for suppliers is that previously, an accreditation certificate was effectively a ‘get out of jail free’ card for industry partners. Once MoD issued an accreditation certificate, suppliers were not obligated to do anything further and any breach became effectively both the MoD’s problem and the MoD’s fault. Under SbD, and ISN 2023/10 that implements this, responsibility more clearly rests with the supplier and they must attest to the MoD that their system is secure rather than the other way around. This is a big change in the risk profile for many of the UK’s biggest Defence suppliers that will mean that they will have to make big changes to how they approve things internally. That is, the internal accreditation processes that many Defence suppliers currently operate will no longer adequately cover the company’s risk and they too will need to radically change their engineering processes.
What is Bee-net’s role?
At the beginning of MoD’s journey to Secure By Design, it knew that significant changes needed to be made but did not know how. Bee.net staff provided the core cybersecurity expertise that helped the MoD develop its vision for Secure By Design through to the present public roll-out. Throughout, we also led the interface with real-world trials with live capabilities, including some of MoD’s most challenged programmes.
Bee-net is now taking this expertise in cybersecurity and experience of helping to change security behaviours out to the Defence ecosystem to inform, educate and support them in the adoption of SbD.
What hurdles, if any, have you encountered with the implementation of Secure By Design? E.g. technical, cultural, procedural roadblocks?
Many of the UK’s Defence contractors have a culture that is very similar to the MoD’s. That means that they share the same strengths and weaknesses and have similar problems with a legacy approach to cybersecurity. This often manifests itself as a compliance-based mindset – where the objective is to get a certificate to say it’s all ok – and a risk-averse culture that seeks external (and often false) reassurance.
This results in hidden risks and systems going into service that are much less secure than anybody wants. Moving to a modern, risk-based culture, where risks are not taken simply because security says so, but where they are mature enough to be used as actionable management information, takes significant cultural change. By this we don’t just mean at the programme level; it requires change at the most senior levels of management too.
In response, what are some best practices for which you advocate when attempting to reduce cyber risk? Any first steps or advice for other government organisations looking to adopt a similar approach?
We strongly advocate starting well, laying the foundations for proper risk management. To achieve this, we take our clients through the Practical Preparation Process. This gives them a handy roadmap of activities they can do to ensure that when they do Secure By Design self-assessments, they will be able to answer well.
Bee-net is running a series of free lunch-n-learn sessions on Secure By Design, aimed at business leaders. People can register for free on its website.