Protecting the MoDs networked information and assets is more and more critical. (MoD)

A new ‘virtual’ cyber command centre project promises to strengthen the UK military’s network defences against hackers, spies and cyber criminals. TIM ROBINSON reports.

Some 75 years ago this year – the UK faced what was the biggest aerial assault in history, when the might of Hitler’s Luftwaffe was turned against the RAF. Today, one of the threats to UK security is not waves of Heinkels but waves of increasingly sophisticated cyberwarriors. The UK armed forces, which like other advanced militaries, are now arguably dependent on IT networks to share intelligence, co-ordinate operations and command forces.

Scramble, scramble!

The Dowding System of radar, ground observers, fighters, barrage balloons and anti-aircraft guns was all co-ordinated by a network of operation centres.

However – while in 1940 the ‘Dowding System’ saw information about enemy air raids from radar stations and observers shared, disseminated and filtered to allow Fighter Command to quickly and efficiently direct RAF fighters to meet the threat, today the situation is more fragmented.

Indeed, arguably there is not yet an equivalent military ‘cyber Bentley Priory’ or ‘digital Fighter Command HQ’ to detect attacks, inform others and direct resources. Instead today, each penetration or hack on separate networks or systems is usually considered in isolation – which can deprive decision makers of the big picture (is this a lone intruder or part of a co-ordinated strike to take down certain related systems?). It also makes responses to intrusions or attacks slow. While physical individual network security operations centres (SOC) do exist, it is almost as if the RAF was trying to fight the Battle of Britain using individual Sector Control stations, rather than as a co-ordinated strategic whole (indeed as aviation historians will know, one of the key controversies of the Battle was the co-ordination (or lack thereof) between 11 and 12 Group). While national cybersecurity co-ordination centres do exist - such as CERT-UK (formed in 2014) these are usually aimed at responding to incidents involving commercial, government and public networks  - rather than the specialised, classified ISTAR and C4I networks that the MoD uses.

But today, as cyberthreats increase – from Stuxnet type viruses, to non-state hacking (witness ISIS hackers taking an entire French TV station off air) as well as the growth of ‘hybrid’ warfare; which merges deniable special forces operations, propaganda and cyberwarfare – as seen in Ukraine – getting a fast response to counter intrusions will be critical. Far from the outdated image of lone 14-year hackers breaking into classified networks for fun, there are now, as one expert noted, “significant time, money and investment” going into these ‘advanced persistent threats’

Moreover, in the future, information itself held on defence IT networks itself may not just be the target, but functions and assets themselves that rely on these data networks, such as ISTAR, UAVs, satellites or logistics. In tomorrow’s ‘hybrid’ conflicts it may be that sophisticated enemies will not even attempt to shoot down UK F-35Bs or Typhoons in the air, or even strike them on the ground with bombs and missiles, but instead seek to cripple or degrade operations by gaining access to automated logistics and support networks, rerouting spares or inserting spurious data.

Enter the VCCO

The VCCO is conceived to be a 3D 'virtual reality' space allowing geographically seperated teams to immerse themselves and co-operate. (Airbus)

However, in a £1.4m contract awarded to Airbus Group Innovation UK recently, the MoD Dstl (Defence Science and Technology Laboratory ) research lab will study a new ‘Virtual Cyber Centre of Operations’ (VCCO) – able to share and co-ordinate cybersecurity threats. This VCCO trial will last for 16 months and is part of an ongoing DSTL project on cybersecurity.

At a briefing in London earlier this year, Airbus and Dstl experts explained the challenges of these new cyber threats and the need for enhanced “cyber situational awareness” according to Dr Kevin Jones, Head of Airbus Group Innovations Cyber Operations, based in South Wales. Says Jones of the ‘very difficult’ challenge of cyber situational awareness: “In the modern era we have very complex digital systems that are interconnected.” He adds “because they are interconnected, we have to understand the whole domain and all of those assets that are interconnected and the types of attack people are going to put against those assets”.

The VCCO is intended to provide a ‘virtual’ operations centre, allowing analysts from anywhere on the globe to participate in real-time responses to cyber threats or attacks. It also merges data and information from different networks allowing specialists to spot patterns or small clues about the origin or nature of the attack. “It could be one tiny little alert buried deep in a subsystem that is the key to understanding what is going on” says Jones.

Hacking a UAV

Reaper Ground Control Station. Blinding an enemy's UAV ISTAR assets could be a key cyber target. (MoD)

A fictional but plausible scenario presented in the briefing to journalists was a hacking intrusion into a UAV C4ISTAR system. Using the information sharing tool, which combines chat, email, video and network diagnostics all in secure links – military officers and subject matter experts were able to collaborate from multiple locations, or existing security operations centres and quickly respond to the hacking attempt, while also being able to say exactly what the real-world limitations the cyber attack would have on actual UAV operations.

As in 1940 where it took 5 minutes for enemy aircraft to cross the English Channel – speed is of the essence to combatting a cyber raid effectively. In this early trial that was conducted, the collaborative VCCO was able to track and resolve the issue in two hours – compared to ‘days’ using traditional physical SOCs and legacy communications, according to Airbus DS’s Jones. A quick ‘cyber early warning’ then makes it much more likely the intruders can be stopped or the attack nullified – before major damage is done. Notes Jones: “The earlier I can detect what the attacker is trying to do, the better chance I have of protecting those assets from cyber attack”.

One interesting aspect of the VCCO is it is designed to incorporate new and emerging ‘virtual reality’ technologies such as VR goggles and cutting-edge visual data analytic tools to help teams to collaborate and understand the threats. “We need people with the right skills and right capabilities to understand what they are seeing” explains Jones. “In a complex cyber event, it will be highly unlikely that one single person will see all the pieces of the jigsaw”. The ‘centre’, then, will not just be a ‘chat room’ or online forum for tech geeks solving network IT issues – but will be a 3D ’virtual space’ where avatars can ‘walk’ around to interact with other officers or specialists, or watch large screens with data feeds, videos or other information. It, says Airbus, could also be field-deployable – potentially allowing a theatre commander or their subordinates to don headsets to immerse themselves in a cyber-attack ‘virtual meeting’ to understand how it might affect their operations in the real world, and to mitigate them

The virtual ops centre, it is worth remembering, must also cope with integrating data from different existing networks and SOCs, which also may be at different levels of classification. In that way, information flows are one-way up the network only and those ‘dialling in’ are only seeing the data on their screens, rather than having this fused information shared widely.

Finally, this high-level VCCO may also have applications in protecting networks beyond critical MoD networks and could potentially also be extended to the wider defence industry and supply chain as well as other critical government and commercial IT infrastructure, such as nuclear power, water, electricity or banking.


Early warning of attacks is vital.

This may be a small research grant, but like Great Britain’s battle-winning radar and observer network of 1940, this new VCCO, if successful, could be critical in giving the UK MoD cyber ‘early warning’ of a hostile power or group attempting to cripple the UK’s military defences through a ‘digital Pearl Harbour’ style co-ordinated attack in the future. Incidents such as Stuxnet, the Sony Pictures hacking and Estonian cyberattacks in 2007 are likely to be pointers towards the direction of a future all-arms conflict – where the ‘cyber’ domain is as important as the air, land and sea.

Spotting early signs of a sophisticated full-scale co-ordinated cyberattack will thus be key to resilience and to making sure the UK’s armed forces remain combat-effective. To paraphrase Field Marshal Montgomery’s comments about airpower in WW2, will it be a case of ‘If we lose the war in cyberspace, we lose the war and we lose it quickly” for future commanders?

29 April 2015