Source · Select Committees · Defence Committee

Recommendation 7

Defence must enhance protection of reliant digital networks and secure sufficient cybersecurity skills.

Conclusion
Digital networks are only as strong and resilient to cyberattack as their weakest links, and recent attacks indicate that the Ministry of Defence must do more to help protect all those networks it relies on to fulfil its mission—not just those which it directly controls. Defence also needs the right skills, in sufficient numbers, if it is to continue building its own systems’ resilience to cyberattacks. (Conclusion, Paragraph 60)
Government Response Summary
The government agrees with the findings and is undertaking specific actions, including publishing new cyber security standards for suppliers, launching the Defence Cyber Protection Partnership, promoting NCSC's Active Cyber Defence, and implementing a 'Secure by Design' approach for all capabilities.
Government Response Accepted
HM Government Accepted
We acknowledge and agree with the Committee’s findings that the weakest link in Defence’s cyber protection is likely to lie in public and private organisations that support the Defence enterprise, such as industry, sub-contractors, and service providers. The MOD continues to enhance the cyber resilience of the Defence supply chain in support of the strategic aims outlined in the SDR. The SDR argues that in order to protect our national security and deliver our vision for Defence, we must accelerate these efforts as part of a whole-of-society response. We are therefore working with suppliers, upon whom we are reliant to support or deliver our critical defence capabilities, to ensure they are significantly hardened to the evolving cyber threat. Examples of this work include:

• The publication of a new, robust standard [3] for invocation under contract that stands to significantly enhance a supplier’s own cyber resilience as part of MOD’s Cyber Security Model. [4]
• Launching the Defence Cyber Certification scheme in May 2025, which provides a capability for independent third-party certification and assurance that a UK business meets the required levels set out within that standard.

The MOD also works closely with the National Cyber Security Centre to further promote the uptake of their Active Cyber Defence offering. [5] This means UK Defence’s most critical suppliers will be among the first to be offered access to new services as they become available.

In addition, the MOD has embarked on a change programme to ensure that all its capabilities are ‘Secure by Design’. This approach embeds cyber security from the outset of projects, proactively addressing risks through continuous risk assessment to strengthen resilience and security.

[3] Cyber security for defence suppliers (Def Stan 05–138, Issue 4) https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138-issue-4
[4] Cyber Security Model https://www.gov.uk/guidance/cyber-security-model
[5] Introduction to Active Cyber Defence https://www.ncsc.gov.uk/section/active-cyber-defence/introduction