The UK government has announced that it is to form a cybersecurity agency, one of whose functions will be to develop a cyberattack capability.
The Office of Cyber Security (OCS), dedicated to protecting Britain's IT infrastructure, will be created in line with a model proposed — and in part practised by — the US, the Cabinet Office said on Thursday. The OCS will have charge of a cross-government programme of work, while a multi-agency Cyber Security Operations Centre (CSOC), based at GCHQ in Cheltenham, will coordinate the protection of critical IT systems.
As well as cyber-defence and cyberattack coordination, the OCS will act as a conduit for information security collaboration between government and industry experts. Robert Hannigan, the prime minister's security adviser, told ZDNet UK that the OCS would be about "drawing together what people are already doing in the Ministry of Defence, the intelligence services and the police".
The government has never admitted that it has the systems and personnel to launch a cyberattack. However, according to a senior government official, who wished not to be named, the OCS will have a role in coordinating cyber-offense capabilities that will build on the resources the government currently has.
In extreme cases, the government will launch a cyberattack in response to intrusions into the UK's own systems. "Yes, we will do things proactively," the Whitehall official said at a Cabinet Office press briefing. "Information assurance has been about building stronger walls, but there's only so much you can do. You come to a point when you are allowing criminals and others a low risk in continuing to attack, and there comes a time when that has to change. This is the first time we are saying publically we are not going to sit back."
The government will develop information systems to allow it to launch denial-of-service attacks and to spy on chosen targets, said the official. "We will have a whole range of offensive capabilities, including distributed denial-of-service," said the official. "DDoS is not a first response — we definitely need graduated responses."
"Aggressive attacks are pretty far up the scale, and we want to avoid collateral damage as far as possible. It's a fine line. We don't want to get into cyber-warfare, but it's not reasonable to sit back," the official added.
The Cabinet Office official said the government would try to respond to attacks on UK systems by recourse to the law: "Whenever we can, we will pursue criminals through legal frameworks, but that only works in some countries. Clearly, in other areas of the world, people are acting with impunity."
The threat of cyber-warfare among countries was highlighted by the May 2007 attacks on the Estonian national infrastructure. Further attacks, on countries such as Georgia, have strengthened the government's resolve to address IT security issues.
The model for the OCS is similar to that in the US, which plans to quadruple the number of security experts defending against cyberattack, while cyber-offense capabilities are currently under the aegis of the US Air Force. The Pentagon will create a cyber-command to oversee US cyber-military efforts.
The OCS will come under protection of the Cabinet Office and will report to the National Security Secretariat in that office. No director has been named for the department.
The office will pool intelligence capabilities from MI5, MI6, the Ministry of Defence, the Metropolitan Police e-Crime Unit, and the Serious and Organised Crime Agency (Soca). Other government agencies involved include the Department of Business, Innovation and Skills (BIS); the Central Sponsor for Information Assurance (CSIA); CESG, the information-assurance arm of GCHC; and the Centre for the Protection of National Infrastructure (CPNI).
The OCS will launch with a staff of 16 to 20, while the CSOC in Cheltenham will have 20 to 25. "We will start small and learn from initial US attempts [to build a cyber-security department]," said a Cabinet Office official. "We want to establish a core team."
The government will also reach out to industry to create a pool of IT security expertise, given the scale of the task of securing UK public and private sector IT infrastructure. A key priority for implementing the strategy will be to develop a cyber-industry with "opportunities for high-tech businesses in the UK", according to a government statement.
In addition, the OCS plans to launch a cyber-skills strategy to address skills gaps in government and industry, and work with other countries to develop international law in that area.
The OCS will seek to strengthen links with countries, such as the US, and develop links with other European partners like Germany and France. Hannigan said cybersecurity collaboration with Nato is in the early stages, but that work is planned to build channels of communication with the European Network Security Agency (Enisa).
On Thursday, prime minister Gordon Brown announced the OCS as part of the government's 2009 National Security Strategy, which for the first time includes an IT security component called the Cyber Security Strategy 2009.
In a statement, Brown said securing cyberspace was necessary to give people confidence in the security of web transactions.
"Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there," said Brown.