Anonymous - Written evidence (IUD0001)

 

Call for Evidence (3375) Implications of the war in Ukraine for UK Defence

 

Introduction

 

I am submitting this as an IT Professional, working for the UK Defence industry, who is seriously concerned by the state of IT in the MOD.

 

This is my submission against Question 4.

 

4. What steps should the UK take to strengthen its military-industrial base and upskill the relevant workforce in light of the war in Ukraine?

 

  1. The war in Ukraine has evolved into a high technology conflict.  Underpinning it has been an ‘army’ of regular and volunteer IT professionals both supporting Ukraine’s IT infrastructure and activities and attacking Russia’s equivalent.

 

  1. The lesson for the UK is that to do this properly you need Suitably Qualified and Experienced Personnel.

 

  1. The problem for the UK Government and Defence is that it doesn’t have a professional IT stream in either it’s civil service or its military.  This isn’t an issue that just affects the UK.  In September 2021 the  departing U.S. Air Force and Space Force Chief Software Officer Nicholas Chaillan posted the following in a LinkedIn post, which sums the issue up nicely.

 

  1. “Please stop putting a Major or Lt. Col. (despite their devotion, exceptional attitude and culture) in charge of identity credentialing and access management (ICAM), zero trust or cloud for 1 to 4 million users when they have no previous experience in that field — we are setting up critical infrastructure to fail. We would not put a pilot in the cockpit without extensive flight training; why would we expect someone with no IT experience to be close to successful? 

 

  1. The UK MOD just does not appear to adequately understand the need for IT professionals.  Professions have job roles that require a certain level of education, skill, and/or training (often assured by exams or other methods of assessment).  This is universally understood in relation to accountants, lawyers, medics and engineers, for example, but for IT it isn’t.   The UK MOD may have many IT job titles and posts but if you check the CVs of the people filling those roles they tend to be generalists and their CVs do not match the experience and requirements for the roles required.  An example from not too many years ago was when Defence Digital (the MOD’s IT organisational lead) advertised for Civil Servant ‘Cloud Solution Architects’ and ‘Senior Cloud Solution Architects’ for its MOD Cloud programme.  The salaries advertised were about a third of market rates at the time and the posts were filled.  It is highly unlikely, however, that the occupants will have been Suitably Qualified and Experienced Personnel.

 

  1. UK Defence IT organisations have: 

 

    1. poorly defined IT roles, almost universally without requisite qualification and experience requirements.
    2. lower pay rates than in the private sector that reduces the quality and size of the applicant pool.
    3. No IT career track and therefore no career progressions available “in post” (requiring someone to move to an unrelated, often non-IT post to gain promotion – or to just leave the MOD). Which is very expensive to the organisation as it constantly losses its investments in time and training.
    4. Processes that mean they it is easier to accept a less skilled individual that hold out for someone suitably qualified (e.g. because a ‘gapped’ post will be taken as a ‘saving’).
    5. unqualified recruiters who often do not recognise who is and is not suitable and therefore recruit inappropriate individuals.
    6. Unqualified individuals selecting new tools and ideas that aren’t required (e.g. because tools already exist with the same functionality or just because the business requirement doesn’t justify that sort of tool).
    7. Unqualified Contract department staff who do not understand IT and cannot hold suppliers to account.  In one example the contract department deleted a business requirement for the MOD to have access to its own data within a major MOD logistics system (for use in analytics and other purposes) out of the contract terms because they just didn’t know how to manage it.  Another regular occurrence is for suppliers to provide junior ‘new graduate’ level of resources even when the Statement of Requirement specifies a higher level of experience.  They know the MOD contracting departments will not understand the difference and any dispute can just be brushed off.
    8. Very hierarchical management chains where IT becomes very political very quickly (primarily because there is little IT experience in the management chain – corporations learned may years ago to put an IT ‘geek’ on the board to get round this.  Defence is still struggling with it).

 

  1. This isn’t to say that groups of well-motivated, experienced and trained IT professionals don’t exist within the UK’s armed forces. It’s just that they are the exception not the rule. This poses a serious risk to national defence.  When medical professionals perform a complex knee surgery, we don’t allow them to use unqualified and inexperienced surgeons to perform the operation. But we tend to do the equivalent when it comes to critical infrastructure and national defence IT.

 

  1. Far more worrying is where this places the UK with respect to its prospective adversaries.  The Chinese for example take cyber resourcing very seriously.  This is an old article but sums it up well https://nationalinterest.org/blog/the-buzz/china-massively-expanding-its-cyber-capabilities-22577 .   By 2027 the Chinese military are intending to establish ‘four to six world-class cybersecurity schools in Chinese universities as training grounds for cyber-warriors’ and ‘After completing three years of coursework, the cyber-warriors will work in a corporate environment for a year of real world experience. This is called the “3+1 plan”. Outstanding graduates are fast-tracked to the Strategic Support Force, the wing of the People’s Liberation Army in charge of cyber, electronic and space warfare’ .   The UK is seriously in danger of being outclassed by the likes of China and is probably not prepared adequately for a ‘hot’ conflict like Ukraine at the moment.

 

25 March 2024