U.K. Defence Secretary Michael Fallon
U.K. Defence Secretary Michael Fallon

While the UK's defence secretary on Wednesday highlighted how “cyber” is now a big part of everything the Ministry of Defence does - including engaging in cyber-offensive actions against Daesh, reports surfaced of the MoD using the notoriously buggy Windows XP on the new £3 billion warship HM Queen Elizabeth.

Despite a spate of major ransomware attacks on UK soil, the UK's defence secretary, Michael Fallon, gave a speech yesterday at Chatham House's Cyber 2017 conference where he sought to highlight how “cyber” is now a big part of everything the Ministry of Defence does.

Describing the conference as “timely” thanks to several recent cyber-attacks, including the one on Parliament which the defence secretary described as “targeted and sustained”, Fallon informed the audience that “immediate steps have been taken to address that particular problem.”

These sorts of attacks, Fallon said, “point to our adversaries becoming more diverse, becoming better at what they do, and becoming more adept at using virtual attacks to inflict very real damage.”

“Defence, in particular,” said Fallon, “has a three-fold role to play in this national cyber-security effort.” And it's because of this that the MoD is investing a huge amount of money - “some £1.9 billion” - to boost the UK's cyber-security posture.

So what is the MoD doing?

The first is that Fallon says “we need to get our digital house in order”.

“We're not just working closely with the National Cyber Security Centre to ensure that our military and civilian systems are robust,” said Fallon, “we have networks of information risk and asset owners embedded in our organisation to properly police data and to deal with problems. We are encouraging all our staff to observe good cyber-etiquette. They must now complete mandatory information handling refresher training annually and they must take personal responsibility for their data.”

The second part, says Fallon, “is that the MOD has a key role to play in contributing to a culture of resilience.”

“That's why we set up the Defence Cyber Partnership Programme (DCPP) to ensure that companies with whom we have defence contracts are properly protecting themselves and meeting a host of cyber-security standards.”

And finally, Fallon said Britain is taking a hardline approach to deterrence of terrorism and confirmed that the MoD is now using “offensive cyber routinely in the war against Daesh, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates.”

“Offensive cyber is already beginning to have a major effect on degrading Daesh's capabilities,” said Fallon.

Also, Fallon said the MoD is open to sharing its offensive cyber-deterrent capabilities: Fallon announced that the “United Kingdom is ready to become one of the first NATO members to publicly offer such support to NATO operations as and when required.”

HM Queen Elizabeth

The Times and The Guardian all published stories yesterday which claimed the MoD's newest kinetic weapon, the HM Queen Elizabeth, could be prone to cyber-attacks as some of its systems use Windows XP.

The ship itself is the largest vessel ever built for the Royal Navy and naturally has been getting lots of attention from the press.

If the claims are true, the 280-metre, 65,000-tonne monolith of a warship could be vulnerable, as Windows XP is no longer getting updates from Microsoft. These claims are particularly pertinent as it is with these security vulnerabilities found in Windows XP through which the WannaCry and NotPetya ransomware infection managed to have such a wide-reaching effect.

In the UK, advertising Conglomerate WPP was hit by the attack, but Campaign told SC Media UK it has seen an email from its chief executive Martin Sorrell who emailed all 200,000 employees of the organisation to say “WPP is very much open for business.”

Fallon, according to the BBC, has been forced to deny such claims about the use of outdated software on the ship.

Fallon told BBC Radio 4's Today programme: "It's not the system itself, of course, that's vulnerable, it's the security that surrounds it.

"I want to reassure you about Queen Elizabeth, the security around its computer system is properly protected and we don't have any vulnerability on that particular score."

SC asked the MoD if these rumours are true, and it said it doesn't comment on specific systems used by its ships and submarines, but it has “absolute confidence in the security we have in place to keep the Royal Navy's largest and most powerful ship safe and secure.”

“We take cyber-security extremely seriously and the UK has doubled its cyber-investment to £1.9 billion.”

And it would appear, not everyone is worried. Dr Malcolm Murphy, technology director, of security firm Infoblox told SC by email that “The lifecycle of something like a warship isn't going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches.  We see the same challenges with embedded operating systems in medical devices, industrial plant and critical national infrastructure control systems, ATMs, and so on.”

Murphy adds: “The security implication is clear: you must have a robust defence-in-depth strategy which provides both protection against compromise, and the ability to indicate unusual or potentially malicious activity not just at a device level, but also at a network level.  With the increasing dependence in our daily lives on technology, it's critical that we get this right.”

Leigh-Anne Galloway, cyber-security resilience lead at Positive Technologies said in a statement: “It is true that some battle ships still use Windows versions that may look outdated. However, the Royal Navy recently adopted a specialised version of Microsoft Windows 2000 (“Windows for Warships”) for the fleet. There were also some reports saying that US Navy also uses customised and updated versions of Windows XP. The reason for this backwardness is quite common: when your OS has to deal with some unusual equipment (like ship sensors), special drivers for each type of unique hardware should be written. So, you cannot just update the Windows on such a system (as you would do on a common personal computer with common peripheral units); you have to re-write all the hardware drivers for the new OS. That's why many ATMs and other industrial systems still run on outdated operating systems like Windows XP.”

Finally, in December 2015, the Register reported that the MoD said at the time it “can confirm that Windows XP will not be used by any onboard system when the ship becomes operational,” and WIRED says the MoD affirms that its previous statement, made to The Register, is still accurate.