Information-Sharing, Audited Compliance On MoD Agenda

Since it was set up in 2012 by the Ministry of Defence (MoD), the main purpose of the UK’s Defence Cyber Protection Partnership (DCPP) has been to establish effective mechanisms and processes to protect sensitive information as it transits the defence-equipment supply chain. Two years ago at DSEI, Malcolm Carrie – one of a number of personnel seconded to the DCPP from a day job with a defence contractor; in Carrie’s case, BAE Systems, where he is global head of strategy in the CIO’s office – announced a new stage of the ongoing initiative: this made it mandatory for every supplier and sub-supplier on new MoD-let contracts to complete a contractually binding cyber-security assessment process, in which they self-certify their compliance with basic cyber-security standards to the buyer of their product or service. This year, Carrie is back at the show to discuss the lessons that have been learned since the system was introduced.

“Our defence-sector response is not particularly mature,” he says, speaking not for BAE Systems but for and about defence as a whole. “The reason I say that is there are very, very few facts about cyber security: people don’t routinely publish that, ‘Oh, yes, [a data breach] cost me so-many-million dollars.’ And that leads to fear – a fear of reputational risk, a fear of loss of revenue, a fear of share-price impact. This creates something of a catch-22 where there’s then even less information in the wild. And we do need to fix that problem.”

“Another thing that we’ve observed is the inequality in the supply chain,” he continues. “The gap between good practice and, I’m afraid to say, the majority in the supply chain is enormous. And that is also a problem.”

Communication and data-sharing have emerged as key challenges.

“Sharing is hard,” Carrie admits. “We’ve said for years that [cyber-security] is very important and very secret and for goodness’ sake don’t tell anybody – and we’re now saying, ‘Hold up, it’s OK, go and talk to your peers in other organisations, go and talk to your customer.’ In quite a lot of organisations this is a big cultural change. One needs to go a long way to create a safe and collaborative space where one can build trust, and where I can say, ‘Yes, it happened to me,’ or, ‘I’ve seen this and I don’t understand it – can you help?’ These are difficult things to say in a competitive environment.”

One key change the DCPP is currently instituting – and which, it is hoped, may help undercut some of the concerns inherent within entities across the supply chain – is to move from a self-certification model to a fully audited system. This is not due to evidence gathered in the past two years that suggests contractors are erring when they self-certify: rather, Carrie says, some kind of oversight will increase confidence for everyone. But no process can remove every last scintilla of uncertainty.

“We started out on the basis that we, collectively, need to do something, but let’s not make it a science project; let’s not make the barriers too high,” he says of why an audit was not imposed from the outset. “The commercial terms [of the DCPP process] give the buyer rights. If I respond to a buyer saying, ‘Yes, yes, yes,’ and I have not done [the compliance], then under UK law that’s a breach of contract. I am not aware of any evidence that suppliers are saying ‘Yes, yes, yes,’ and not doing it. But at some point, one has to trust one’s suppliers – otherwise one is doing 100 per cent inspection, and none of us can afford to do that.”

Angus Batey