Cyber security breaches have risen to unprecedented levels across the British defence industry over the last year, according to a heavily redacted government document obtained by Sky News.
Sky News previously revealed the MoD and its partners failed to protect military and defence data in 37 incidents throughout the whole of 2017, with military data exposed to state-level cyber risks on dozens of occasions.
These incidents included defence information being left unprotected to foreign states’ surveillance of internet traffic, and checks not being performed to spot sophisticated espionage malware on computer devices, according to government documents.
Similar slip-ups took place between 1 January and 10 October in 2018, when the MoD recorded 34 reports compared with 33 in the same period in 2017.
However, the number of reports recorded in an MoD initial actions document – covering all breaches and contraventions of security policy reported to the Defence Industry Warning, Advice and Reporting Point (WARP) between 11 October 2018 and 21 October 2019 – has soared to 64.
Half a dozen of the partially redacted incidents relate to cabinets, doors or computer server racks being left unlocked, but the vast majority of the incident reports have been completely redacted by Ministry of Defence (MoD) lawyers.
Explaining the redactions, the lawyers told Sky News that details about these incidents were exempt from being released as they “would be likely to increase the risk of a cyber attack” against the MoD.
The lawyers added that even explaining what harm had come from the impact of previous incidents was exempt from release because it could harm the commercial interests of contractors.
Even the date of one incident recorded in the documents has been redacted, although the item itself lies between the beginning of June and end of May.
A spokesperson for the Ministry of Defence told Sky News: “The MoD takes the security of its personnel, systems and establishments very seriously but we do not comment on specific security arrangements or procedures.”
Cyber attacks reported to the MoD and the UK’s National Cyber Security Centre (NCSC) are not referred to other regulators as a matter of course.
Businesses within the defence sector that lose personal data in a cyber attack are obliged to inform the data regulator, the Information Commissioner’s Office, but this is not the case if non-personal state secrets are compromised.
Publicly listed companies are expected to inform the Financial Conduct Authority about any material incidents, including cyber attacks, whether personal data is lost or not.
Ciaran Martin, the head of the NCSC, has said it is a matter of when, rather than if, the UK is hit by a so-called category one cyber attack.
Such an attack could take many forms, but among the most significant examples of what it may resemble was a data breach at the US Office of Personnel Management (OPM), in which the records of more than 21 million federal government staff were stolen.
Among the documents stolen from the OPM were copies of a document known as Standard Form 86, a detailed 127-page questionnaire filled out by staff seeking security clearance, detailing how they might be vulnerable to hostile spies.
It is understood that a similar bulk data theft would be recorded as a category one incident in the UK.
If you have additional information regarding cyber security incidents impacting the UK, please contact Alexander Martin via firstname.lastname@example.org or securely on mobile using the private messaging app Signal on +44 (0)7970 376 704.