UK defence secrets are increasingly being exposed to hostile nation states after the number of security breaches in the sector rose this year.
Heavily-redacted records obtained by Sky News show an increase in incidents reported to the Ministry of Defence (MoD) between January and October compared to the same period in 2017.
Sky News previously revealed the MoD and its partners failed to protect military and defence data in 37 incidents throughout the whole of last year, with military data exposed to nation-state level cyber risks on dozens of occasions.
These incidents included defence information being left unprotected against foreign states’ surveillance of internet traffic, and checks not being performed to spot sophisticated espionage malware on computer devices.
Similar slip-ups took place between 1 January and 10 October this year, when the MoD recorded 34 reports – compared to 33 in the same period in 2017.
However, many more of this year’s incident reports are completely redacted, suggesting they posed a more serious threat.
They are likely to refer to critical incidents, which the MoD believes would damage national security if it even acknowledged their existence.
The redactions are designed to conceal the outcomes of the incidents too, including whether they resulted in damaging information being gained by countries including Russia and China which are known to be hostile towards the UK.
According to the MoD, to publicly confirm details of the breaches beyond their existence would “provide potential adversaries with valuable intelligence on the MoD’s and our industry partners’ ability to identify incidents and react to trends”.
“Disclosure of the information would be likely to increase the risk of a cyber attack against IT capability, computer networks and communication devices,” the ministry added.
Cyber attacks reported to the MoD and the National Cyber Security Centre (NCSC) are not referred to other regulators as a matter of course.
Businesses within the defence sector that lose personal data in a cyber attack are obliged to inform the data regulator, the Information Commissioner’s Office, but this is not the case if non-personal state secrets are compromised.
Publicly listed companies are expected to inform the Financial Conduct Authority about any material incidents, including cyber attacks, whether personal data is lost or not.
Ciaran Martin, the head of the NCSC, has said it is a matter of when, rather than if, the UK is hit by a so-called category one cyber attack.
Such an attack could take many forms, but among the most significant examples was a data breach at the US Office of Personnel Management (OPM), in which the records of more than 21 million federal government staff were stolen.
Among the documents stolen from the OPM were copies of a document known as Standard Form 86, a detailed 127-page questionnaire filled out by staff seeking security clearance, detailing how they might be vulnerable to hostile spies.
It is understood that a similar bulk data theft would be recorded as a category one incident in the UK.
A spokesperson for the MoD told Sky News: “The MoD takes the security of its personnel, systems and establishments very seriously but we do not comment on specific security arrangements or procedures.”