Ministry of Defence secrets were exposed in dozens of breaches of military cyber security policy last year, as hostile nations and spy agencies continue to probe the UK’s defence sector.
Heavily redacted reports obtained by Sky News have revealed that the MoD and its partners failed to protect military and defence data in 37 incidents in 2017.
At the time, warnings issued by the MoD and National Cyber Security Centre mentioned a Chinese espionage group known as APT10 hacking IT suppliers to target military and intelligence information.
Although espionage is considered an “acceptable” state behaviour and not a reasonable pretext for a forceful response, the theft of military secrets remains a serious threat to national security.
The reports of breaches of British military information were redacted to conceal the outcome of the security incidents, including whether they resulted in damaging information being gained by hostile nations.
According to the MoD, to publicly confirm details of the breaches beyond their existence would “provide potential adversaries with valuable intelligence on MoD’s and our industry partners’ ability to identify incidents and react to trends”.
“Disclosure of the information would be likely to increase the risk of a cyber attack against IT capability, computer networks and communication devices,” the ministry added.
The incidents uncovered by Sky News involved exposing data to nation-state level cyber risks, such as defence information being left unprotected to foreign states’ surveillance of internet traffic.
In other slip-ups, information with a ‘SECRET’ classification was left at risk to physical operations in which spies could have accessed restricted offices, cabinets, and protected computer hardware.
In 10 of the reports, even the incident title is redacted alongside the standard redactions of the incident description and outcome, suggesting the breaches were so severe the Ministry of Defence would regard even admitting that they happened as harming national security.
In other breaches, computer peripherals which hadn’t been checked for espionage malware were connected to classified systems, and devices, documents, and rooms were left exposed to unauthorised parties on multiple occasions.
Two incidents regard mobile phones and a laptop being taken overseas.
Long-standing vulnerabilities in cellular network protocols could allow attackers to infect mobile phones with malware or intercept their communications.
The ministry declined to confirm to Sky News whether it had been victim to successful computer network intrusions by hackers, stating:
“The MoD takes the security of its personnel and establishments very seriously but we do not comment on specific security arrangements or procedures.”