Cyber Attacks

[sunny]

Pentagon: foreign spy agency flash drive caused worst computer breach in 2008 in Middle East
By: Pauline Jelinek

WASHINGTON - A foreign spy agency pulled off the most serious breach of Pentagon computer networks ever by inserting a flash drive into a U.S. military laptop, a top defence official said Wednesday.

The previously classified incident, which took place in 2008 in the Middle East, was disclosed in a magazine article by Deputy Defence Secretary William J. Lynn and released by the Pentagon Wednesday.

He said a "malicious code" on the flash drive spread undetected on both classified and unclassified Pentagon systems, "establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," Lynn wrote in an article for Foreign Affairs. "This ... was the most significant breach of U.S. military computers ever and it served as an important wake-up call."

The Pentagon operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy, Lynn said.

In November 2008, the Defence Department banned the use of the small high-tech storage devices that are used to move data from one computer to another. The ban was partially lifted early this year with the approval of limited use of the devices.

Lynn did not disclose what, if any, military secrets may have been stolen in the 2008 penetration of the system, what nation orchestrated the attack, nor whether there were any other repercussions.

The article went on to warn that U.S. adversaries can threaten American military might without building stealth fighters, aircraft carriers or other expensive weapons systems.

"A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States' global logistics network, steal its operational plans, blind its intelligence capabilities, or hinder its ability to deliver weapons on target," Lynn wrote.

"Knowing this, many militaries are developing offensive capabilities in cyberspace, and more than 100 foreign intelligence organizations are trying to break into U.S. networks," he said.

Defence officials have said repeatedly that the military system of some 15,000 computer networks and seven million computers suffers millions of probes a day with threats coming from a range of attackers from routine hackers to foreign governments looking to steal sensitive information or bring down critical, life-sustaining systems.

[sunny]

Military Computer Attack Confirmed

By BRIAN KNOWLTON
Published: August 25, 2010

WASHINGTON — A top Pentagon official has confirmed a previously classified incident that he describes as “the most significant breach of U.S. military computers ever,” a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.

Plugging the cigarette-lighter-sized flash drive into an American military laptop at a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense, writing in the latest issue of the journal Foreign Affairs.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

The incident was first reported in November 2008 by the Danger Room blog of Wired magazine, and then in greater detail by The Los Angeles Times, which said that the matter was sufficiently grave that President George W. Bush was briefed on it. The newspaper mentioned suspicions of Russian involvement.

But Mr. Lynn’s article was the first official confirmation. He also put a name — Operation Buckshot Yankee — to the Pentagon operation to counter the attack, and said that the episode “marked a turning point in U.S. cyber-defense strategy.” In an early step, the Defense Department banned the use of portable flash drives with its computers, though it later modified the ban.

Mr. Lynn described the extraordinary difficulty of protecting military digital communications over a web of 15,000 networks and 7 million computing devices in dozens of countries against farflung adversaries who, with modest means and a reasonable degree of ingenuity, can inflict outsized damage. Traditional notions of deterrence do not apply.

“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’s global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” he wrote.

Security officials also face the problem of counterfeit hardware that may have remotely operated “kill switches” or “back doors” built in to allow manipulation from afar, as well as the problem of software with rogue code meant to cause sudden malfunctions.

Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

His article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.

Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.

But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems.

Though the Cyber Command has greater capabilities, the military operates within the United States only if ordered to do so by the president.

Another concern is whether the Pentagon, or government in general, has the nimbleness for such work. Mr. Lynn acknowledged that “it takes the Pentagon 81 months to make a new computer system operational after it is first funded.” By contrast, he noted, “the iPhone was developed in 24 months.”

[sunny]

Nation’s Nuclear Power Plants Prepare for Cyber Attacks

By Martin Matishak

Fourth in a five-part Global Security Newswire series on emerging technologies and scientific advances that might pose new proliferation risks.

WASHINGTON -- The threat to digital systems at the country's nuclear power plants is considerable, but the sector is better prepared to defend against potentially devastating cyber attacks than most other utilities, according to government and industry officials and experts.

Cyber attacks have been an increasing source of concern in recent years but the threat was highlighted last month by the first discovery of malicious code, called a worm, specifically formulated to target the systems that direct the inner operations of industrial plants. To date the malware is thought to have infected more than 15,000 computers worldwide, mostly in Iran, Indonesia and India.

The issue is critically important for new nuclear power facilities that would be built in the United States and throughout the world as control rooms would employ digital systems to operate the plants. Those state-of-the-art instruments and systems make them targets for hackers.

A U.S. Nuclear Regulatory Commission spokeswoman declined to say whether there have been any cyber strikes against the nation's nuclear power sector. Security events, including a computer-based attack at an energy facility, would be "sensitive information" and therefore not released to the public, she said.

There have been no cyber attacks to date on U.S.nuclear facilities, according to Doug Walters, vice president of regulatory affairs at the Nuclear Energy Institute, a policy organization of the nuclear power and technologies industry.

Cyber attacks are "no different from other military activities, in that power grids are a normal target for guerrillas and militaries. It's something they usually try to attack if they get into a conflict," James Lewis, a senior fellow at the Center for Strategic and International Studies, said in an interview last week.

Nuclear power plant owners and operators "have been encouraged for a long time to think about security and to put a lot more effort into it than most civilian enterprises," he told Global Security Newswire. "The question is how vulnerable are they so someone using remote access to send damaging commands and I think the answer is they're not particularly vulnerable."

Lewis said experts know other nations, possibly including China and Russia, have conducted reconnaissance for potential weak spots in the U.S. power grid and "we don't know what they left behind."

"People with nuclear power plants ought to be and thus are, more careful about this because it's easier in the imagination to envision what happens if a hacker gets into a nuclear power plant," said Martin Libicki, a senior management scientist at RAND Corp. "If I get into a coal-fired power plant, the worst I'm going to do is cause a blackout. If I get into a nuclear power plant, I can cause a Chernobyl."

"I'm not sure that's true but you can imagine how that might play in out in the media and politically," he added.

The safety and control systems that operate nuclear power plants are isolated from the Internet and are protected against outside invasion. Yet in some cases, those operating systems and other critical infrastructure are decades old and not completely separated from computer networks used to manage administrative systems. Those gaps provide potential gateways for hackers to insert viruses, malicious codes and worms.

As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear power plants to transportation and manufacturing systems. Atomic energy facilities are a tantalizing target for digital sabotage because a meltdown could result in a major radiological event.

In all, the nuclear industry has spent roughly $2.2 billion over the last decade on enhancements to prevent physical or cyber breaches, according to Walters. Those funds paid for security upgrades to meet U.S. Nuclear Regulatory Commission requirements, including vehicle barriers, cameras, bullet resistant enclosures and other new technologies, he said.

That figure also included expenditures for additional security officers, the number of which has increased by about 60 percent "across the fleet."

Shortly after the Sept. 11 terrorist attacks, the regulatory commission, the agency with oversight of the country's atomic energy plants, put out a series of orders requiring its 104 licensees to enhance their overall security efforts, including physical protection, personnel reliability and cyber defense, Walters said. A year later the commission for the first time ordered that cyber attacks be added to the list of threats sites must be able to defend against.

In March 2009 the commission unveiled a new rule that required power plants to complete cyber security plans that would protect against a "design basis threat," according to Rich Correia, who head of the agency's Security Policy Division. The plans would be amendments to the utility licenses to operate the reactors.

Design basis threat is "pretty much what the commission has determined what a private security force should be able to defend against," Correia said this week. "Since power plants are run by private entities, we couldn't expect them to defend against, say, a nation-state."

The directive describes what actions site operators must take to identify and protect "critical digital assets," computer systems and components key to the protection of the plant that, if harmed, could produce a radiological incident, he added. A critical system is identified as any that performs or is relied on for plant safety, security and emergency preparedness; provides a pathway to a system that could be used to compromise, attack, or degrade those functions; supports systems that if compromised could adversely impact those defenses; or protects against any of those cyber attacks.

"In essence, we're making sure that we have a shield up around the plant beyond normal firewalls that would protect against a cyber attack," Walters said last week.

Licensees submitted their cyber security blueprints for the country's 65 nuclear power plants for commission review last November, Correia told GSN. The agency hopes to have all the plans approved by next spring.

Power plant operators would then implement the programs and the regulatory commission's four regional offices would begin inspections to verify they were being used as designed, he said.

Correia said his division is in continuous contact with the commission's threat assessment branch, which evaluates intelligence information from various government agencies, to make any changes to the perceived cyber danger.

The commission has also put together a "mock adversary force" to test power plants' digital preparedness as part of the overall NRC site inspection process, he added. The agency conducts "force on force" exercises at facilities to challenge their physical security assets. The mock enemy's mission might include action against digital systems and components.

The U.S. nuclear power industry is also well positioned to address the evolving threat because of its size, according to Lewis. The sector only has 104 reactors at 65 plants, compared to thousands of electrical utilities. Those companies are often too small to spend money to examine the cyber security or so large that it is glossed over, he said.

"Does it mean [the atomic energy sector is] totally invulnerable? No," Lewis told GSN. "But if you're an opponent you're going to ask yourself, 'Gosh, there's so many easy targets, why should I go after hard targets when I can pretty much get the same bang for the buck with a lot less effort?'"

Walters said the industry has been "fairly proactive" on the issue even without the NRC orders, noting the Nuclear Energy Institute formed a task force in 2002 to develop cyber security guidelines, which received the regulatory agency's blessing. That guidance delineated cyber security protection memsureas that should be installed on certain plant systems.

The institute has also established a nuclear sector council that meets with Homeland Security Department officials on a quarterly basis to address potential security concerns, he said.

"With the requirements we have in place and with licensees knowing what they need to do in terms of security controls ... we are in very good shape in terms of protecting against cyber attacks," according to Walters.

[sunny]

(Aug. 27) - The Indian Point nuclear power plant in New York state. The U.S. nuclear industry has spent more than $2 billion in the last decade to defend itself against cyber attacks and other security threats (Stephen Chernin/Getty Images).

[sunny]

The Future of Cyber Security

Officials and experts agreed the country has begun to pay more attention to cyber security over the last several years. However, more could be done to counter the ever-evolving threat to the nation's power grid, including nuclear reactors.

"If it was up to me, I would mandate that the electrical generation and distribution be provably disconnected from the [Internet]," Libicki said. He predicted that entities would argue that such a move would prove too costly.

Walters said nuclear plants are different from other utilities because many of their safety systems are already detached from the Web.

"For a nuclear plant, when you're talking about controls and the systems for safety, those things are really confined to the sites and there's no output to the Internet. There are inherent safeguards that exist," he told GSN.

Lewis predicted it would take time to secure some of the nation's power networks because "they were never designed to be secure."

"We will just have to think; we can't afford to replace everything at once," he added.

Correia described cyber security in the nuclear realm as an "ongoing process" that would require continuous observation of what is happening within cyber space so that facilities could respond to developing threats.

"Licensees have to be able to react to it quickly, to adjust their cyber plans ... to defend against it if there's an attack," he said.

[sunny]

Experts: Computer attacks on industrial facilities created by well-funded group or nation

WASHINGTON - A cyber worm burrowing into computers linked to Iran's nuclear program has yet to trigger any signs of major damage, but it was likely spawned either by a government or a well-funded private group, according to a new analysis.

The malicious Stuxnet computer code was apparently constructed by a small team of as many as five to 10 highly educated and well-funded hackers, said an official with the web security firm Symantec Corp. U.S. government experts and outside analysts say they have not been able to determine who developed the malware, short for malicious software, or why.

Stuxnet, which is attacking industrial facilities around the world, was designed to go after several "high-value targets," said Liam O Murchu, manager of security response operations at Symantec. But both O Murchu and U.S. government experts say there's no proof it was specifically developed to target nuclear plants in Iran, despite recent speculation from some researchers.

A number of governments with sophisticated computer skills would have the ability to create such a code. They include China, Russia, Israel, Britain, Germany and the United States. But O Murchu said no clues have been found within the code to point to a country of origin.

The Stuxnet worm infected the personal computers of staff working at Iran's first nuclear power station just weeks before the facility is to go online, the official Iranian news agency reported Sunday.

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it "has not caused any damage to major systems of the plant," the IRNA news agency reported.

It was the first clear sign that the malicious computer code, dubbed Stuxnet, which has spread to many industries in Iran, has affected equipment linked to the country's controversial nuclear program. The U.S. has been pressing international partners to threaten stiff financial sanctions against Tehran goes ahead with its nuclear program.

Symantec's analysis of the Stuxnet code, O Murchu said, shows that nearly 60 per cent of the computers infected are in Iran. An additional 18 per cent are in Indonesia. Less than 2 per cent are in the U.S.

"This would not be easy for a normal group to put together," said O Murchu. He said "it was either a well-funded private entity" or it "was a government agency or state sponsored project" created by people familiar with industrial control systems.

The malware has infected as many as 45,000 computer systems around the world. Siemens AG, the company that designed the system targeted by the worm, said Stuxnet has infected 15 of the industrial control plants it was apparently intended to infiltrate. It's not clear what sites were infected, but they could include water filtration, oil delivery, electrical and nuclear plants.

Alexander Machowetz, a spokesman for Siemens' corporate industry business, said Monday that the company is "not involved in Iran's nuclear program either directly or indirectly" and that the Siemens ended all business relations with civilian companies in Iran in January.

The software is available and is bought and sold by resellers, so it could be in use at the plant in Iran.

Machowetz also said that the worm has been cleaned off all 15 of the infected plants, and none of those infections adversely affected the industrial systems.

U.S. officials said last month that the Stuxnet was the first malicious computer code specifically created to take over systems that control the inner workings of industrial plants.

The Energy Department has warned that a successful attack against critical control systems "may result in catastrophic physical or property damage and loss."

German security researcher Ralph Langner told a computer conference in Maryland this month that his theory is that Stuxnet was created to go after the nuclear program in Iran. He acknowledged, though, that the idea is "completely speculative."

O Murchu said there are a number of other possibilities for targets, including oil pipelines. He said Symantec soon will release details of its study in the hope that industrial companies or experts will recognize the specific system configuration being targeted by the code and know what type of plant uses it.

Machowetz said none of the 15 infected plants had the system configuration the worm was seeking, so they have not been able to tell yet exactly what the worm is designed to do.

Experts in Germany discovered the worm, and German officials transmitted the malware to the U.S. through a secure network. The two computer servers controlling the malware were in Malaysia and Denmark, O Murchu said, but both were shut down after they were discovered by computer security experts earlier this summer.

Unlike a virus, which is created to attack computer code, a worm is designed to take over systems, such as those that open doors or turn physical processes on or off.

[sunny]

Iran Detains "Nuclear Spies" for Plotting Cyber Attacks

Iran announced Saturday it had detained multiple individuals accused of pursuing computer-based assaults on the nation's nuclear program, Agence France-Presse reported (see GSN, Oct. 1; Agence France-Presse I/Yahoo!News, Oct. 2).

The announcement followed statements by Iranian officials that "Stuxnet," a computer worm designed to target industrial control systems, had infected personal computers but not critical systems at the country's Bushehr nuclear power plant, Reuters reported. Washington and other governments suspect the Middle Eastern nation's nuclear program is geared toward bomb development, a contention Tehran has consistently denied (Robin Pomeroy, Reuters, Oct. 4).

Iran has "prevented the enemies' destructive activity," state media quoted Iranian Intelligence Minister Heydar Moslehi as saying.

Iranian intelligence officials have learned of "destructive activities of the arrogance (Western powers) in cyberspace, and different ways to confront them have been designed and implemented," Moslehi said. "I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country's nuclear activities."

The Intelligence Ministry identified actions being carried out by "enemies' spy services," the official stressed.

"We have always faced the destructive action of these (spy) services and a number of nuclear spies have been arrested," Moslehi said (AFP I).

Security analysts have suggested the worm could be the work of a government, with Israel and the United States as the leading candidates, Reuters reported. Western powers as well as Israel considered clandestine interference to be an option for undermining Iran's atomic advancement, diplomats and security specialists said.

Still, Tehran asserted the worm had no role in postponing the Bushehr plant's opening until 2011, instead blaming escaped material for the delay.

"A small leak was observed in a pool next to the reactor and was curbed," Iranian Atomic Energy Organization head Ali Akbar Salehi said today, according to state media. "This leak caused the activities to be delayed for a few days. The leak has been fixed and the core of the reactor is working properly."

Salehi could have been describing a leak in a cooling pond for holding the site's spent nuclear fuel, an issue that would not be "very serious," former State Department nonproliferation analyst Mark Fitzpatrick said.

"Typically Iran exaggerates everything about their nuclear program in a positive way," he said. "It could be more serious trouble than he has stated" (Pomeroy, Reuters).

The Iranian intelligence minister on Saturday said his nation had devised a means of countering the Stuxnet worm, the Associated Press reported (Associated Press/Globe and Mail, Oct. 3). On Sunday, another official reported wiping the worm from Iranian systems, AFP reported.

"The industrial computers infected by the Stuxnet virus have been cleaned," state media quoted Iranian Deputy Industry Minister Mohsen Hatam as saying. "All platforms have been cleaned and delivered to the industrial units."

"The virus infected these computers because they lacked high security firewalls," he said, adding that the worm had been "designed and dispatched about a year ago to gather information from industrial computers" (Agence France-Presse II/Spacewar.com, Oct. 3).

Some experts suggested the United States could be intentionally limiting its efforts to counter the worm, the Christian Science Monitor reported.

Technical assessments of the malicious software by the U.S. Industrial Control Systems Cyber Emergency Response Team have generally only recounted findings by independent security firms days after the information's release, according to industrial security system security specialists.

“Name me one new or helpful piece of information that ICS-CERT provided to the community on Stuxnet? Or any other helpful contribution on the biggest control system security event to date,” Dale Peterson, head of the control systems security company Digital Bond, wrote in a blog post. “It seems to me to have been a delayed clipping service.”

“They had the expertise, the relationship with vendors, the equipment in their labs and the ability to analyze Stuxnet,” Peterson told the Monitor. “But those bulletins they put out were missing key data or late. Getting this information out quickly was their sole mission, and they failed.”

"We took a broad all-hazards approach to the (Stuxnet) malcode,” countered Sean McGurk, head of the Homeland Security Department's Control System Security Program. “We immediately began to analyze it and produce information to get into the hands of the community so they could begin taking protective measures."

“We were able to reverse engineer the (Stuxnet) code and monitor how it works,” McGurk said. “There have been individuals speculating on attribution and intent. ... Our main focus has been on understanding the malware and putting mitigation in place -- how to prevent the spread and how to protect the physical infrastructure.”

One computer security specialist, though, speculated the United States was withholding information on the worm to hinder its removal from Iranian systems.

“Did the U.S. government know Stuxnet’s target and say, ‘No, no, no -- we don’t want this information (about how to defang Stuxnet) out there. It’s highly plausible that people knew Iran was the target and didn’t want all the details about how to fix Stuxnet to get out right away,” the expert said.

Still, the difficulty of tracing such software to its author makes it difficult to assert the worm was specifically aimed at Iran, said Scott Borg, head of the independent U.S. Cyber Consequences Unit (Mark Clayton, Christian Science Monitor, Oct. 3).

Meanwhile, Indonesia on Friday reaffirmed its backing of Iran's civilian nuclear efforts, the Jakarta Post reported.

“Iran believes Indonesia has a very independent view on Iran’s nuclear issue, and expects that the latest developments will encourage Indonesia to keep playing a constructive role,” Indonesian Foreign Minister Marty Natalegawa said following talks between Indonesian President Susilo Bambang Yudhoyono and Alaeddin Boroujerdi, chairman of the Iranian parliament's national security and foreign policy committee.

The Indonesian president "has affirmed that the Indonesian government will always be ready to contribute to the settlement of the issue,” Natalegawa said, referring to the dispute over Iran's nuclear program. “The president also said Iran and Indonesia were opposed to the proliferation of nuclear weapons,” he said (Erwida Maulia, Jakarta Post, Oct. 2).

[sunny]

Cyber attack tops Britain's list of defense priorities

Britain's strategy for national security, released today, tips resources toward new threats like a cyber attack. The shifting priorities come on the eve of a review that will outline cuts to the defense budget.

A police boat patrols on the River Thames near the building of British Secret Intelligence Service,
SIS, also known as MI6, in London, on Oct. 18. A cyber attack capable of devastating
Britain's economy and infrastructure was elevated to the very top of a list of threats
facing the UK today in a long awaited strategy for national security.
Lennart Preiss/AP

London - A cyber attack capable of devastating Britain's economy and infrastructure was elevated to the very top of a list of threats facing the UK today in a long awaited strategy for national security. It was published on the eve of what are expected to be stringent cuts to the defense budget.

Natural hazards such as pandemic flu and the persistent shadow of Irish Republican and international terrorism were also listed in the top tier of risks in a long-awaited strategy paper, along with an international military crisis involving unnamed countries, but assumed to refer to a war involving Iran, Israel, and the United States.

However, the elevation of the threat posed by hackers acting on the orders of a hostile state or terrorist group into the same bracket of dangers was greeted as a marker of shifting priorities in a changing world and in an age of austerity.

“The size and range of cyber threats has increased a lot in the last two to three years,” says Malcolm Chalmers of Britain’s Royal United Services (RUSI) defense think tank.

“But it’s also about setting the government up for announcing increased money for cyber [defense]," Professor Chalmers says. "One thing that the government is anxious about in this spending review process is that the whole focus will be on cuts, and they will want to give a sense of increasing spending in some areas, alongside some reductions in others.”

'Traditional' areas take a hit

While more "traditional" aspects of defense – such as spending on tanks and fighter jets – will be hit, a further £500m is to be diverted into bolstering cyber security for key infrastructure and defense assets, while counterterrorism will also benefit from increased funding.

Britain’s dire financial straits form the broader backdrop to Tuesday’s Strategic Defense and Security Review, which will detail areas of cuts to achieve up to 8 percent savings.

On Wednesday, overall spending cuts will be unveiled. Government ministries are likely to see budgets reduced by up to 25 percent over four years — Britain’s greatest such austerity drive since World War II.

In the run-up to this juncture, the debate within government and Britain’s armed services about what share of the pain should be shared by the military became increasingly bitter.

It was only finally settled on Friday after a personal intervention by Prime Minister David Cameron, who ordered Britain’s Treasury to soften cuts aimed at the armed forces – leaving civilian sectors to shoulder a greater burden.

Mr. Cameron and his deputy, Nick Clegg, sought to underline the complexity of Britain’s security and defense needs in a foreword to today’s National Security Strategy.

"We are entering an age of uncertainty," they warn. "This strategy is about gearing Britain up for this new age ... weighing up the threats we face and preparing to deal with them.”

The government added that the strategy specified, for the first time, the gravest threats to the UK’s security.

After the "tier one" threats – which included terrorism and the UK being sucked into a conflict between countries like Iran and the US – "tier two" scenarios included an attack on the UK using weapons of mass destruction and a significant rise in organized crime.

Less likely dangers, ranked in "tier three," included a conventional large-scale attack on Britain, as well as disruption to energy supplies.

However, the rushed nature of the review – it was prepared in six months – and the impact of the drive for austerity concerned many.

Bernard Jenkin, an MP in David Cameron’s own Conservative Party and the chairman of an influential parliamentary spending watchdog, told the BBC that it was difficult to see how an effective National Security Strategy could be developed against the backdrop of cuts.

"We seem to be operating under the imperative of deficit reduction," he said. "But, there's very little in what's being done now that reflects deep and sustained analysis about what sort of country we want to be in 10 or 20 years' time."