The United Kingdom has revamped the way its intelligence agencies collaborate with private industry by establishing a new National Cyber Security Centre that leans towards more open and meaningful exchanges to help secure the country against malicious cyber attacks. The Cipher Brief’s Levi Maxey spoke with Sir David Omand, the former director of the Government Communications Headquarters (GCHQ) and the first UK Security and Intelligence Coordinator, about how this novel model of private-public collaboration is seeking to bridge the gaps between government and private industry when it comes to sharing information on cybersecurity threats.
The Cipher Brief: How has the UK traditionally collaborated with the private sector in areas such as threat intelligence sharing?
David Omand: The starting point for a discussion of these issues has to be the experience, driven sadly by the past terrorist threat from the Provisional IRA, that the UK security authorities have built up while working with the private sector over many years. The owners and operators of the critical national infrastructure in particular are not fazed by working with the Centre for the Protection of National Infrastructure, a part of MI5, the UK’s counterpart to the FBI, giving and receiving sensitive information about vulnerabilities.
Specialist advice on protective security and sharing of intelligence-based threat warnings and assessments became normal business practice and developed mutual confidence based on the shared goal of public protection. Now those relationships of trust between government and industry are being transferred into the cyber domain through the new National Cyber Security Centre (NCSC) a part of Government Communications Headquarters (GCHQ), the UK signals intelligence agency and partner of the U.S. National Security Agency, to face the new threats from criminal and state hackers.
TCB: Could you explain what the purpose of the National Cyber Security Centre is and how the model is different than models in other countries, such as the United States?
Omand: The basic purpose is best expressed by the stated vision of the NCSC: to help make the UK the safest place to live and do business online. An example of a national government accepting it has an essential strategic role in helping to protect critical services – such as power grids, telecommunication networks, health, finance and so on – on which the normal life of the nation depends. There are steps that only government can effectively organize, such as improving the underlying security of the UK internet (such as the .uk domain) and directing the strategic response to major incidents through the national Computer Emergency Readiness Team (CERT), which is now part of the NCSC.
There are other steps where government has a policy-initiating role in developing national capacity in cybersecurity through education and training. And there is sensitive information and specialist technical advice that the NCSC can provide to private sector companies given that it is part of GCHQ, itself a world-leading gatherer of digital intelligence.
This is the application of the poacher-turned-gamekeeper principle.
It is difficult to see how the best responses against the most advanced persistent threats can be judged, and how such attacks can be reliably attributed to those responsible, without entering “the intelligence space.”
TCB: Fair enough, but does that not lead to real tensions with the Internet companies over issues such as cyber vulnerability disclosures?
The security arm of GCHQ – now the NCSC – has a good record of disclosing vulnerabilities and even being publicly credited by the companies themselves. Each case has to be examined carefully on its merits – similar to the U.S. Vulnerabilities Equities Process – that involves examining both a full risk analysis and an assessment of the potential value of a “zero day” exploit against the highest priority threats. The national cyber priority for the UK is a safe and secure internet and that guides the process here. But government cannot also ignore its primary duty to safeguard the public from hostile states, terrorism, and serious crime, for which secret intelligence collection is essential.
Last year, the British parliament passed a major new law regulating all forms of digital intelligence gathering including the use of equipment interference – also known as hacking – that may involve exploiting vulnerabilities in systems used by suspects. The law builds-in enhanced authorization processes with judicial involvement. It also requires demonstrating necessity and proportionality at every stage, meaning, for example, that an equities process would have to show that it really is necessary to meet high-priority requirements to retain a detected vulnerability. It also requires showing that so doing does not involve a disproportionate risk, for example, that others may discover and exploit the vulnerability in ways that might compromise the integrity of systems on which the internet relies.
TCB: How does the new model incorporate the private sector in the equities process over decisions of whether to disclosure security vulnerabilities or classify them for exploitation?
Omand: The equities process has to be an in-house one. It would not be reasonable to invite the company concerned to join a discussion of a detected vulnerability and then, if the process showed that it should be retained for intelligence exploitation, to expect the company not to patch the systems they support where issues of legal liability might well arise. But the advantage of having a National Cyber Security Centre in very close technical contact with the private sector companies is that decisions can be informed by those exchanges.
TCB: What are the benefits of having the default of unclassified intelligence, rather than the U.S. system of default classification, where information must go through a rigorous process to be declassified?
Omand: By working closely with trusted industry contacts, such as company Chief Information Officers (CIOs), the NCSC can provide a flow of information to help ensure security arrangements are adequate and remedial action is taken when breaches occur. The UK system allows in such circumstances senior officers to authorize briefings to be given that contain classified information without undue bureaucracy. Where there is to be regular access to highly classified information, then of course, the requirement for authorized vetting arises, and there are of course many individuals in the private cyber sector who have such credentials.
TCB: What potential downsides do you see from the collaborative model built into the National Cyber Security Centre? Is there a greater threat of exposure or loss of critical intelligence capabilities?
Omand: A collaborative model is the only way to go. Government cannot provide protection for the private sector on its own. And the risk of unauthorized disclosures has always existed and needs to be managed carefully, for example, by the briefing of staff who are handling sensitive information about cyber threats and who are managing the response. Long experience with the collaborative model in relation to physical protection from terrorist attacks is that people are responsible in handling sensitive threat information. It is of course not always obvious where the greatest sensitivities lie in any particular area, and staff may need to have that explained. It is often possible to pass on intelligence in ways that provide the key information on which action needs to be taken while holding back the most sensitive aspects. It is also the case that the collaborative model for cybersecurity will involve the NCSC receiving information from companies about cyber attacks that may be very market sensitive, so trust has to run both ways.