§ Lord Harris of Haringey asked Her Majesty's Government:
Whether the Ministry of Defence, its agencies, or any of the armed services have been the victim of attacks by the MyDoom, Netsky and Sobig programs or by any other malicious programs over the last three years; and, if so:
- (a) which organisations were affected;
- (b) how many computer or communications systems were involved;
- (c) how long it took to remove the malicious programs from the affected systems and restore them to normal operation; and
- (d) what was the resultant degradation to the United Kingdom's military readiness? [HL2579]
§ Lord Bach: Centralised Ministry of Defence records have only been available since 3 May 2002; prior to that date, individual MoD units reported such incidents directly to the cross-government unified incident reporting and alert scheme (UNIRAS). Since 3 May 2002, a total of 71 instances have been recorded of viruses and malicious programs including two of MyDoom, five of Netsky and one of Sobig. Records show that these were detected and the infection contained within a single or closely related group of sites.
The MoD organisations affected are shown as follows:
| MoD Organisation | No of Incidents |
| --- | --- |
| MoD Centre | 4 |
| Defence Procurement Agency | 3 |
| Defence Logistics Organisation | 2 |
| Permanent Joint Headquarters | One standalone Internet machine |
| Army | 18 (including six standalone) |
| Royal Navy | 14 (including three standalone) |
| Royal Air Force | 19 (including six standalone) |
| Other Agencies | 10 (including five standalone) |

The total number of computer or communications systems involved amounted to 112.
The time taken to remove the malicious programs from the affected systems and restore them to normal operation ranged from hours to typically two to three days. In the case of the LOVGATE virus, complete restoration to normal operation, involving isolation and cleansing of the virus from over 4,000 workstations across some 30 sites, took four weeks.
There has been no recorded degradation to UK military readiness; the systems affected by the LOVGATE virus did not have a direct impact on operational networks. Analysis of the incidents recorded indicates that over one-third involved standalone computers or training systems. The MoD system and network infrastructure is continually monitored with defence in depth at key points to prevent cross-infection.