“GCHQ has provided information that has definitively saved the lives of those engaged in incredibly difficult frontline action”
Director of GCHQ at the LCCI Annual Defence Dinner last year.
Transcript of speech given by Director GCHQ at the London Chamber of Commerce and Industry Annual Defence Dinner.
Introduction
Mr Chairman, Admiral Richards, Ladies and Gentlemen, so many familiar faces. Some friendly. Putting to one side the thought that the only link between the Tower of London and the Intelligence Services is that this is traditionally where spies were executed, I want to start by noting that the year – 2014 – will be rich in anniversaries resonating with many of us here. The 700th anniversary of Bannockburn. The Bicentenary of the end of the Peninsular War, CDI’s first campaign medal and the 150th anniversary of the fall of Atlanta in the American Civil War. My personal professional reflection is that the centenary of the start of World War One is the centenary of the start of British Signals Intelligence, And, of course, we will commemorate the 70th anniversary of the Normandy landings. Those heroic military feats represent a prime example of the truth that the protection of sensitive information - the location of the invasion - can be every bit as important as the acquisition of secret intelligence. I’ll return to D-Day as there are more echoes of that in what we do today than you might imagine.
Supporting the Military: 1914-2013
But let me begin by tracing the journey we’ve been on with the Military since the birth of British signals intelligence in 1914. From the very start, our predecessors had to get to grips with all of the different means the enemy was using to communicate, and to sift out those which contained intelligence of value to the service chiefs and their political masters. Already in 1915, what we would now describe as “an Integrated Air Defence System” was using Sigint information to combat in real time the air threat to the UK.
In 1919, after Sigint’s wartime successes, GCHQ was founded, though under a different name. We became GCHQ in 1946 when it was realised that our earlier name – the Government Code and Cypher School – kinda gave the game away about what we were for.
The period we spent in Bletchley Park in World War Two showcases the successes possible when a technological and innovative mindset is allied to an in-depth understanding of the communications environment in which our targets operated. Some of the best minds in Britain were brought in: not just the mathematicians turned cryptanalysts like Alan Turing whom you all know about, but engineers and linguists, librarians and indexers. Valuing diversity isn’t about political correctness: it’s about making sure you can get the very best talent there is without imposing some arbitrary stereotype of what a “normal” employee looks like.
And so to D-Day: you might think that our contribution was to locate the enemy forces which allied troops would encounter. That was indeed part of it: out of the tens of thousands of messages intercepted each day, those related to the dispositions of defending forces had to be isolated and processed first, and the intelligence from them had to be disseminated to where it was needed. But we had other critical responsibilities as well:
- we had to make sure that our own communications were secure, and that the Axis powers were not doing to us what we were doing to them.
- We had to develop the communications plan they would expect to be able to monitor for a phantom army: the First US Army Group in Kent was in reality a couple of hundred wireless sets working to a script, but because the script was so good, the enemy believed that the main thrust of the invasion would be against Calais, and they still believed that a week after D-Day itself.
- We had to monitor intelligence to find out whether the different elements of the deception plan were in fact deceiving them about Allied intentions.
- And we had to assess, not just from the messages we intercepted but also from our understanding of the way the enemy used communications to support organisational structures and operations, just how they thought that the allies would invade Europe.
- And as a bonus, on D-Day itself, well before long haul communications could be set up, intercepts of Axis reporting on Allied successes were being reported to General Eisenhower so that he could measure the progress of his troops.
That comprehensive approach was adopted during the Cold War in our work against the Soviet target. Thankfully, the Cold War never turned hot, but you can see in the intelligence reports we have begun to release to The National Archives the breadth and depth of our coverage of the Soviet Armed Forces. GCHQ’s job was to understand the way the Soviets communicated sufficiently to be able to say “they’re not planning to start World War Three”. I’m making it sound trite, but imagine how that sort of intelligence feeds into strategic Defence planning, and even macroeconomic planning.
Since the end of the Cold War, UK forces have not gone into conflict without support from GCHQ, and that support, where appropriate, has also been in the field. Our engagement with the military has changed: our challenge hasn’t been to produce Indicators and Warnings about the dispositions and intentions of large-scale conventional forces, but to support small scale operations with high strategic impact. To do this successfully, we had to be able to integrate fully with those planning and carrying out the operations, and the military had to trust a profoundly civilian organisation to produce what those going on operations needed.
***GCHQ has provided information that has definitively saved the lives of those engaged in incredibly difficult frontline action. It is a source of enormous pride that we have worked to keep our troops as safe as we can, and a matter of great personal pride that 87 members of GCHQ have received a campaign medal for service in Iraq, and, so far, 136 for service in Afghanistan. Due to the nature of the work, they serve discreetly and with little wider recognition.
Supporting the Military:The Future
As we approach drawdown from enduring commitments, we look to the future of the relationship between GCHQ and the defence community. One key challenge will be uncertainty. For GCHQ, this means a refocusing of the machine – maintaining our agility to respond to whatever occurs. This was tested recently with the major requirement for defence and intelligence effort on Libya, effectively from a cold start as events quickly escalated. Our joint successes in that operation present a way of working together which will serve us well in future countering whatever might threaten the defence and security of Britain.
I therefore value the fact that this tactical collaboration is now reflected at the most strategic level, in that we now sit together as part of the National Security Council. The last Strategic Defence and Security Review, in 2010, identified cyber as one of just four Tier One national security risks. One aspect of that is having the right doctrine and investment for an age when adversaries are building military cyber capabilities. You will have heard the announcements of the Defence Secretary about developing a capability to counter-attack and, if necessary, to strike in cyber-space as part of our full-spectrum military capability. You wouldn’t expect me to comment on the role of the intelligence agencies, but we look forward to playing our part.
So let me speak a little about...
The Cyber Threat to the Defence Industry
There is a fundamental reason why cyber is such a national security priority. It is simply that the internet underpins every aspect of our lives, whether military, industrial, governmental, academic, or as individual citizens. Critically, the UK is increasingly a knowledge and information economy, and our intellectual property and other sensitive information is stored on, and communicated over, the internet.
This year marks 200 years since industrial employment overtook agricultural employment in England for the first time. But Britain’s leading role in the industrial revolution, a springboard for global leadership and influence in so many other ways, derived from us developing and exploiting our technological advances before our rivals. Today, that kind of sensitive information is being stolen from Britain, including from the defence industry, on a massive scale. And it’s no exaggeration to say that this represents a major threat to the competitiveness of our economy.
The range of targets is also increasing well beyond the companies that operate the critical national infrastructure. Few sectors are untouched: evidence is mounting that even professional services firms, who do not themselves own the data but which handle it on behalf of their clients, are being targeted.
As well as this increasing volume, the threat is evolving in terms of intent: attacks like those suffered by the US financial system, and by Saudi and Qatari energy firms, suggest we may be entering a time when we can expect more direct, more hostile cyber activity from state or state affiliated actors. And there are remarkable developments in the sophistication of our adversaries’ capability too. In some cases, it’s the speed at which they can move from initial reconnaissance of a system to carrying out disruptive activity. In others, a combination of specialisation and collaboration enables far more complex and adaptable operations than would be achievable by a hacker working alone.
This developing landscape is particularly concerning given that the UK’s military capability is now entwined with the defence industry. How exactly might adversaries get hold of such information? Rather than conceive of cyber as a separate phenomenon, consider how it affects the risks in each everyday business function. Just two examples:
- When engaging in bidding and other forms of negotiation, a company might limit which employees have knowledge of positions, but if a hostile actor has gained access to the system, it’s the equivalent of allowing unknown persons to walk in to the company headquarters and look through the filing cabinets at leisure.
- If a firm is acquiring another company, it may be doing its due diligence on the governance and finances of the new asset, but how about the state of its network? How about its connections, including to its supply chain?
I could cite several real cases where data has been taken this way, but the crux is that information security is not a separate subject for technical specialists; it’s a cross-cutting risk that demands the attention of the Board.
What are the consequences if this information is stolen? I could dwell on the clean-up costs, the reputational loss, possible litigation, the reactions of stakeholders, but let’s instead focus on some military ramifications:
- First, we might see a reduction in the strategic advantage of advanced weapons: the type of information stolen from the defence industry could help adversaries to understand system capabilities and limits, in a real war.
- Second, by accessing the logistics chain, adversaries could acquire pre-warning of scale and type of any planned operations.
- Third, they could undermine the integrity of military systems: clean-up isn't just about the malware and impact assessment of what has been stolen, but may also be about what data has been altered in order to disrupt.
GCHQ therefore assists industry and the military to protect the machinery and structure of defence. But we continue to supply strategic intelligence too. We work with Defence Intelligence colleagues, for instance, to ensure we provide the right information about the potential threats from weapons systems. Defence Procurement can then invest in the right capabilities for British forces of the future, so they can master those of their potential adversaries.
Partnering with the Defence Industry
What does this mean for the day-to-day practicalities of our partnership with the defence industry? I’ve already spoken about the rich legacy of Bletchley Park for GCHQ: just as the work at Bletchley involved exploiting the adversary’s information risk whilst minimising our own, today’s internet provides a virtual battlespace for a similar struggle. But I am mindful that one of the key roles in the successes of that time was played, not by a cryptanalyst or an intelligence officer but by an engineer, who came from the Post Office. Tommy Flowers’ work on the design and build of Colossus – the world’s first semi-programmable computer - was as fundamental as the mathematical theory underpinning modern information technology. Engineers and technologists from many of the businesses represented here tonight are a key part of GCHQ’s work – we simply could not operate without that broader partnership with the defence sector in its widest definition.
Just as the relationship between defence and industry, and between defence and ourselves, has moved away from the transactional, we seek ever more integrated relationships with partners from across industry:
- Part of that is enabling industry to adopt more of what has previously been core GCHQ work, such as penetration testing and cyber incident response.
- Part of that is much closer information sharing between Government and Industry on the defence supply chain: the Defence Cyber Protection Partnership is now established and will advance that goal.
- And part of that is about firms working more effectively with each other. We therefore piloted the arrangement which was formally launched earlier this year as the Cyber Security Information Sharing Partnership. It includes a secure virtual ‘collaboration environment’ where information on threats and vulnerabilities is exchanged between companies, as well as with Government participants, in real time.
- Building on that initiative, plans to establish a UK national Computer Emergency Response Team – or CERT - are progressing well, and “CERT-UK” will be launched in early 2014. It will act as a focal point for international collaboration, further improve national co-ordination of cyber incidents, and extend support and guidance to areas of the wider UK economy.
In all of this, GCHQ is just one player in a pan-Government team, playing position with colleagues in Defence, in BIS, in CPNI and in Cabinet Office to shape Government’s contribution to a game where the commercial and academic worlds have as much to offer, and where the whole is far greater than the sum of the parts.
This is the bit where I might have talked about the Snowden revelations. Actually I’ve got a very private discussion with my Parliamentary Committee tomorrow and I rather think I should give them the first taste.
But I would like to say a few words about the men and women at GCHQ, successors to those who served unsung for so many decades at Bletchley Park. I’m fiercely proud of GCHQ’s people, past and present:
- Their strong ethical sense.
- Their dedication – lifelong in many cases – to public service.
- Their professional expertise, ingenuity and week-in, week-out willingness to go the extra mile.
As then, these individuals are linguists and cryptanalysts, engineers and security experts, analysts and admin staff. They’re public servants who spend their lives protecting the security of Britain and its allies and the safety of British citizens at home and abroad. And wherever British forces are engaged in combat, or wherever there is that prospect, there you will find men and women from GCHQ, seeking to protect and support them.
Conclusion
GCHQ’s role has become increasingly, our role is about securing the UK’s own critical information, a challenge made urgent by the importance of the defence industry to our military capability.
The Normandy landings are a distinctive, vivid symbol of why securing information is so important to military advantage. Today’s information security challenge is at first glance very different – it’s long-term and it’s often invisible. So there is a real risk that we miss the connection. Over the coming week, we shall reflect on Remembrance Day, on the sacrifices our armed forces have made for our freedom, and on their startling record of military successes over the years. We might also give some thought to the need for new levels of partnership in protecting and defending the networks and data of national importance which lie at the heart of our entwined world-class government, military and industrial capabilities, and which give Britain the edge in a cyber world.
And let me leave you with 3 hard-learned very current lessons, which we need to learn among all of us if we are to be world-leading:
- Doing just a few of the prescribed ’10 Steps to Cyber Security’ doesn’t make you a competent organisation. I’m afraid you have to be good at all of them.
- You can’t simply out-source this problem. The Board can’t delegate leadership. More than that, complex IT and Cyber Security outsourcing arrangements weaken any solution: if you give the job to lots of organisations, there’s more scope for the key things to fall between the cracks
- Cyber Security’s for life, not just for Christmas. This is not a journey we ever complete.
Thank You.