Could a cyber-attack “fatally compromise” the UK military?

The House of Commons Defence Committee has published a report on Defence and Cyber-Security, which concludes:

The evidence we received leaves us concerned that with the Armed Forces now so dependent on information and communications technology, should such systems suffer a sustained cyber attack, their ability to operate could be fatally compromised… The cyber threat is, like some other emerging threats, one which has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security. The Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyber presents. It is time the Government approached this subject with vigour.

I think this conclusion may be overstated. In a time of serious budgetary cutbacks, the government has committed serious new money — £650m — to cybersecurity activities (although this may have been concentrated too heavily at GCHQ). A small amount of that is going towards Academic Centres of Excellence in Cybersecurity Research, one of which is at Oxford. The report fails to draw an adequate distinction between risks to defence systems and broader national security. And while information security is not developing nearly quickly enough in critical national infrastructure, we are not yet at the point at which likely adversaries would have the motivation and capability to cause serious damage to property or loss of life via these vulnerabilities.

The conclusions Peter Sommer and I reached last year for the OECD in our report on global systemic cybersecurity risk still hold: this is a long-term planning concern for government, not a short-term panic. I’ve made these points in interviews this afternoon for the World Service and BBC Scotland.