Major General Jonathan Shaw says ‘it was a surprise to people quite how vulnerable we are’
Computer hackers have managed to breach some of the top secret systems within the Ministry of Defence, the military’s head of cyber-security has revealed.
Major General Jonathan Shaw told the Guardian the number of successful attacks was hard to quantify but they had added urgency to efforts to beef up protection around the MoD’s networks.
“The number of serious incidents is quite small, but it is there,” he said. “And those are the ones we know about. The likelihood is there are problems in there we don’t know about.”
Government computer systems come under daily attack, but though Shaw would not say how or by whom, this is the first admission that the MoD’s own systems have been breached.
The Serious Organised Crime Agency took its website offline on Wednesday night after becoming the target of a cyber-attack. A spokesman said the attack did not pose a security risk to the organisation.
Shaw, a veteran of the Falklands and Iraq wars, also said the MoD had to be prepared to embrace unconventional and “whacky” ideas if the military wanted to catch up with, and then stay ahead of, rivals in the cybersphere. Getting “kids on the street” to help the military was vital, he said.
“My generation … we are far too old for this; it is not what we have grown up with. Our natural recourse is to reach for a pen and paper. And although we can set up structures, we really need to be on listening mode for this one.”
He added: “If we want to work the response, if we want to know really what is happening, we really have to listen to the young kids out in the street. They are telling us what is happening out there.
“That will pose a real challenge to us. This thing is moving too fast. The only people who spot what is happening are people at the coal face and that is the young kids. We have to listen to them and they have to talk to us.”
A former director of UK special forces, Shaw, 54, said he thought the military could learn a trick or two from firms such as Facebook.
The company has a “white hat” programme in which hackers are paid rewards for informing them when they have found a security vulnerability.
Nine people in the UK have been paid a total of $11,000 (£6,785) for working with Facebook. Shaw said this was the kind of “whacky idea we need to bring in”.
Shaw has spent the last year reviewing the MoD’s approach to cyber-security, and the kind of cyber-capability the military will need in the future.
He says next year’s MoD budget is expected to include new money for cyber-defence – an acknowledgment that even during a time of redundancies and squeezed budgets, this is now a priority.
The general said the MoD wasn’t “doing badly … but we could do a hell of a lot better. We will get there, but we will have to do it fast. I think it was a surprise to people this year quite how vulnerable we are, which is why the measures have survived so long in the [budget] because people have become aware of the vulnerabilities and are taking them seriously.”
China and Russia have been accused of being behind most of the sophisticated cyber-attacks, with state-sponsored hackers targeting military secrets from western governments, or intellectual property from British and American defence firms.
Shaw refused to point the finger at any nation, but admitted the UK was “trying to engage the Chinese on rules of the road in cyberspace”, pressing the argument that new international treaties are not necessary to stop this kind of theft and espionage.
Shaw said the number of attacks was “still on an upward curve … and the pace of change is unrelenting”.
In his last interview before retiring, Shaw said the UK had to develop an array of its own cyber-weapons because it was impossible to create entirely secure computer systems.
“It is quite right to say that pure defence, building firewalls, will not keep the enemy out. They might be inside already … there is no such thing as total security. You have to learn to live with certain insecurities.
“One needs to engage in internal defence and be quite aggressive about it. And if you are going to manoeuvre in cyberspace, that is something that obviously involves action across the spectrum.”
Shaw said he intended to “mainstream” cyber-capabilities across the MoD by 2015. This included ensuring military commanders had a range of cyber-options to use from a “golf bag” of weapons systems.
But he thought cyber-weapons would complement rather than replace more conventional weapons.
“As new capabilities come on the block, you reassess whether you need the old ones, whether they are complementary or duplicatory.
“People have asked me whether cyber-weapons will make conventional weapons redundant. Absolutely not. A hard bomb is actually quite a good cyber-weapon because it can take out a broadcasting station, take out a server.”
The military top brass, he said, had been the “hardest to convince” about the cyber-threat, because high-ranking officers tend to be set in their ways. “We are the wrong guys to deal with this.”
Shaw said it still surprised him that the MoD’s headquarters in Whitehall “is the only building, main defence security establishment, where you don’t leave your mobile phones and iPad in a box outside your office … people’s personal behaviours are not good enough. When we look at cyber-security in the MoD, we are looking at preserving intellectual property and our networks and stopping people spying on us.
“The real challenge is how we secure our supply chains. We are dependent on industry for our technological edge … and preserving that intellectual property is absolutely vital.”
He added: “Cyber implies something technical. To the average person in the street, cyber means it is someone else’s problem. But it is everyone’s problem. We can’t just leave it to the techies.”
An MoD spokesman said: “The MoD takes all possible precautions to defend our system from attack from both unsolicited, for example ‘spam’ email, and targeted sources. It would be both misleading and naïve to assume that any system is 100% secure against all possible threats which is why we take additional steps to detect suspicious activity within our own systems.
“We also ensure that our most sensitive networks are not connected to the internet and have additional physical and technical measures in place to defend them.”