| 17 November 2015
IA15: Robert Hannigan's keynote speech as delivered
Robert Hannigan, Director GCHQ, shares his strategy for supporting UK IA and Cyber Security. He outlines how the organisation is changing fundamentally to meet the evolving cyber threat and support fully the Digital Transformation programme.
Hosted by GCHQ, IA15 is HM Government’s primary platform for briefing the UK’s information security leaders. This is a full transcript of Robert's speech as delivered at the event on 10 Nov 2015.
Good morning - it’s my pleasure to welcome you here to the second day of IA15.
Having just - last week - completed my first year in the job, as you might expect I’ve been thinking hard about the sort of organisation I want to see develop in the coming years.
And in doing so, I am struck by the growing importance of what we have always called our security mission; what the world at large will know as our cyber security work.
By the time of our centenary celebrations in 2019 I expect it to be more important still.
We expect to be judged on the outcomes we deliver for the UK. And getting ahead of the cyber threat - one of the greatest challenges of our age - is now absolutely central to our mission.
We are up for this task.
We deploy some of our most sophisticated capabilities towards this goal of making the UK the safest place in the world for digital activity.
Some of our very best people devote their working lives to it. Securing the UK and our prosperity motivates our staff hugely.
I know it is what motivates so many of you in the room, whether you are in private industry, in academia, or in other parts of Government.
So in welcoming you this morning, I want to set out some thoughts on how we bring about a real step change in UK cyber security.
Our security mission
Information security is every bit as much a part of GCHQ’s DNA as intelligence gathering.
The modern GCHQ that emerged from the wartime heroics at Bletchley Park had a top end cryptographic capability to protect military and intelligence secrets. Alan Turing, whose memory we have been celebrating recently, was as much focused on securing Government information as he was on breaking codes, though I suspect IA would have made a less glamorous film.
Known as the Communications Electronic Security Group, or CESG, our information security arm was the brainchild of Sir Edward Bridges, the wartime Cabinet Secretary.
Unusually for a man of his position in that day and age, Bridges kept no papers. So history does not tell us why he was so obsessed with communications security. In fact, maybe it was because he was obsessed with information security that he kept no papers. But he pursued the subject with real tenacity and vigour to the end of his career.
This proved very useful to GCHQ in the 1950s when following a post war reorganisation Bridges became permanent secretary to the Treasury but retained personal control of CESG’s governance and funding.
In other words, the man who was in control of the nation’s purse strings was also in direct control of funding his hobby.
Sadly, for us anyway, this arrangement was reversed as soon as Bridges retired.
I doubt it’s a coincidence that the Treasury has never let such an arrangement happen again, in this or any other area.
But despite losing our patron, over time, as Government became a much bigger provider of services - and by extension a much bigger holder of information - so our role advising Government changed and we became the National Technical Authority for Information Assurance.
That role was brought into sharp focus in 2007 when the then Government had to acknowledge and deal with the largest ever public service data loss, when 25 million records of parents in receipt of child benefit went missing.
As the official responsible for the Government’s response across public services as a whole at the time, I remember very clearly two things.
First, the way in which data loss can be so corrosive to trust in public services. Government doesn’t work properly if citizens don’t trust it to keep their information safe, and we must never forget that.
Second, was the expertise put at my disposal by GCHQ’s security mission. It was absolutely vital in securing the transformation in personal data security we needed across Government, and which we broadly achieved.
Of course, no sooner had that process finished than the march of technology moved the goalposts again. The next important phase in our history came in 2010 when the Government put in place the National Cyber Security Strategy and gave GCHQ a lead role in its implementation. This completed the journey of our security mission from its narrow origins in military cryptography through to advice to the rest of Government, through being a core part of a fully national information security strategy.
As Matt Hancock said yesterday, a great deal has been achieved under this programme.
For our part, we have locked in protections into some of our most important new critical national assets, like smart-meters and universal credit, using the very best of our network architecture expertise.
We have pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners.
We have developed a strong partnership with law enforcement here and in the US, and I pay tribute to our colleagues in the National Crime Agency and the FBI. And I want to pay tribute to Keith Bristow, the outgoing head of the NCA. He has been visionary in many areas of NCA's work, but not least in seeing and gripping the challenges of cyber crime. Together we have disrupted the operations of some of the most dangerous global cyber criminal networks operating today.
There are more success stories to tell. And there will be more. Because we are pushing ahead at all ends of our mission.
At the high end, we are working closely with the Ministry of Defence to secure the UK’s long term future as one of the world’s few truly sovereign cryptographic nations, something, as many of you will know, the Prime Minister attaches great importance to.
At the other end of the spectrum, we are today making public - and freely available - some 400 pages of expert GCHQ cyber security guidance on a new website.
This is part of our contribution to a national effort.
But I am all too aware that we can only achieve anything in partnership. Every day I am reminded of the importance of our partnerships - our contractors, who make up a third of our workforce, our suppliers, our commercial partners, those who work with us lawfully on both intelligence and cyber security, and the experts with whom we develop our knowledge and expertise.
We have an excellent, proud and long record of working with industry - back through the Second World War - to promote the highest standards of information security in the UK.
Myths and realities
That is why I feel it is important to confront head on some of the myths about these matters, some of which have surfaced again as the Government consults on proposals for new national security and law enforcement legislation.
There are three myths in particular I want to confront.
First is the myth that the Government wants to ban encryption.
We don’t. We advocate encryption. People and business in the UK should use encryption to protect themselves. If you don’t believe me, look at the website we launched today which is full of advice to use good encryption. All the Government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, judicially warranted reach of the state when the need arises. That isn’t a new requirement.
The second myth is that we want to weaken security products by forcing products in the UK to have so-called backdoors.
Again, we don’t. We have never said this and we do not want this. Products should be secure. We work with companies to help make them secure. So on this I agree with Tim Cook. And I can reassure him and others that the new Bill does not seek to build in back doors.
The third myth is that we encourage vulnerabilities and leave them there. The truth is the opposite. In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business. Vendors sometimes publicly credit us with finding those weaknesses. In September, Apple publicly credited us with the detection of a vulnerability in the operating system for iPhones.
So contrary to the myths that we weaken UK cyber security, no organisation does more to protect the UK in cyberspace, from active defence, through advice, to working with companies to improve the security of products.
And we need these partnerships more than ever because of the scale and diversity of the threat.
Cyberspace brings out all the very best in human nature - freedom, innovation, debate, enterprise, and we must as a nation take advantage of that. But it also means that those who want to do harm have faster, better and more remote ways of doing so.
Those charged in Government with national security have worried about the top end threats for some time. But I am struck by the increasing concerns people have in everyday life about cyber threats. Our own staff talk with their families and friends about the risks to their wellbeing from cyber attack. There is an increasingly sophisticated understanding in the public realm that cybersecurity affects everything they do. They know there is the risk both of the highest end, destructive attack, and the constant, death-by-a-thousand-cuts set of lower level attacks. And it is these attacks, as much as the prospect of a destructive attack, that risks public confidence in our digital world.
And over the past year we have seen, across the world, the full range of cyber attacks, crystallising:
We have seen the major destructive attacks on media networks like TV5 Monde in France and Sony in the United States
We have seen the bulk theft of personal data in the US, in both the corporate and government sectors, and here with thefts of data in the telecoms sector
We have begun to understand more the cumulative, pernicious impact of smaller scale attacks. PwC’s 2015 Information Breaches reported that 90 per cent of large and 74 per cent of small companies had experienced a breach, with the average cost being between £1.46 and £3.14 million per incident for larger companies and between £75,000 and £311,000 for smaller ones. And we now know that around £1m per day in the UK is lost to remote card activity, in addition to other kinds of fraud.
There are a range of threat actors out there.
There are hostile states seeking an unfair commercial advantage, or seeking to exercise raw power to intimidate us.
There are major organised crime syndicates trying to disrupt our economy.
There are terrorist groups seeking to harness the Internet for the most brutal and manipulative propaganda.
And wherever the threat is coming from, overall the number of attacks is increasing.
The sophistication of attacks is increasing.
The impact of attacks is increasing.
The diversity of attacks is increasing.
The chances of major attacks being successful are increasing.
So how do we get ahead of this threat?
As we approach the end of the final year of the national cyber security strategy, I think it’s useful to take stock of where we’ve got to and ask ourselves:
What have we been doing that has run its course?
What do we need to continue, and perhaps do more of?
What do we need to do differently?
What new, transformative ideas are out there to meet this threat?
So I would like to finish by reflecting on three themes and posing two questions.
The first theme is skills. It is clear to me that one of the biggest challenges for the UK in cyberspace in the years to come will be developing enough skilled people. As a recruiter of top cyber talent myself, I know how hard this is. Whatever else we do, we mustn’t take our eye off skills. As Microsoft’s recent report showed, the global shortage of relevant skills is set to get worse over the next twenty years unless radical action is taken.
The second theme is partnerships. There are a whole plethora of partnerships between Government, industry and academia. Cyber Security is a shared problem and no one branch of society can solve it alone. But there is a long way to go. Information sharing partnerships are essential, but progress has been patchy. There is more that can be done with academia. There is undoubtedly more we can do to cooperate on cybersecurity internationally, in the way cross-border cooperation on counter-terrorism was transformed in the aftermath of the attacks on September 11th.
The third theme is how we respond to incidents as a nation. There is no doubt - significant cyber attacks will become more common, not less in the coming period. Even with recent events, the UK has not suffered a cyber attack that has registered in the public consciousness to the same extent as has happened in close partner countries like France and the United States. Promoting public understanding of digital technology and the Internet economy, and the way in which personal data flows work, is an important long-term challenge in enabling individuals to make risk based judgments about what they do with their data. But it also helps them understand the risks they run if and when that data is exposed. And leaders - whether in Government or in business - need to understand these risks too so they can make sensible judgments in a crisis.
And building in resilience is an important part of incident management. Determined attackers can get in. They can cause damage. Can the business or public service keep going? How long before acceptable levels of service are resumed? These are really important questions and the answers to them will play a huge part in determining our success as a secure cyber nation.
The transformation we need
Skills. Partnerships. Incident response and resilience. These are all key parts of what we have been doing to date and will be important in the future. But given the scale of the threat, we need to ask ourselves the hard questions as to whether doing even more, even better, along these same lines will be enough.
What would change the game?
What would raise the cost to attackers targeting the UK to make it much less worth their while, so far fewer of them would bother?
I don’t have all the answers, and it is for elected Government Ministers to set out their policies which they will do over the coming weeks and months.
But I would leave this expert group with two points to consider, two big questions about our cybersecurity future.
One is whether there is much more we could do automatically to defend the UK against cyber attacks? As we all know, the Internet is an inherently insecure environment because it was not designed - insofar as it was designed at all - with security in mind. The digital economy works at scale through clever, automated mechanisms. If, over time, it became possible to build in structural features which would allow more automatic protections from basic attacks for those who wanted them, while preserving the free and open nature of the internet, that could have the potential to be truly transformative. That is a challenge for academia and industry, and for Governments.
The second and final point is, in my view, it is time to take a hard look at whether the international market for cyber security is working sufficiently well. In the past five years, the Government has made very significant efforts to:
Promote understanding of the threat
Educate people about how attacks happen and what they can do to stop them
Nurture a market for cyber security by accrediting companies.
At this event last year, we set out a raft of measures in response to the demands of commercial partners for greater clarity about what they could do to protect themselves and where they could go for help.
There has been some very good progress. Over 1200 companies are now registered as meeting the requirements of Cyber Essentials. Information sharing partnerships are flourishing in some sectors. Cyber risk reviews are helping transform others.
But standards are not yet as high as they need to be.
Take up of the schemes is not as high as it should be.
So something is not quite right here. The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. Although I haven’t had a chance to study it yet, today’s report by Ernst & Young seems to underline this.
The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature.
And what’s also clear is that we cannot as a country allow this situation to continue.
So we need, as a Government and industry dialogue, to work out:
how to make the market work better; and
how to foster a national ecosystem that promotes cyber security and the skills we need automatically.
That is our challenge for the next phase of the digital age.
It is a challenge GCHQ is ready for.
And we hope our partners, here in this conference and elsewhere, are ready for it too.
It is a challenge the country needs us to meet together, if we are to seize the opportunities of the digital age.
It is a challenge we can meet.
But as a country we will need to ask ourselves - and answer - some hard questions if we are to succeed.