EXPERT INTERVIEW — The last few months have seen a series of major cyber incidents which have frozen airports, crippled companies, compromised government systems, and stolen millions from unwitting victims. Cyber leaders are warning that the threat is being worsened as hackers leverage new technology like artificial intelligence for more potent attacks.
The Cipher Brief spoke with Robert Hannigan, who served as Director of GCHQ, the UK’s largest intelligence agency, which provides signals intelligence (SIGINT) and information assurance (IA), about the nature of the cyber threat, and why everything from supply chain security to cross-sector cooperation is needed for a strong defense. We caught up with him from Riyadh’s Global Cybersecurity Forum (GCF).
The Cipher Brief: I'm curious if you could tell us right off the top, with so many different countries represented, so many different areas of expertise, what is the buzz there, Robert? What are people really most concerned about?
Hannigan: I think the big cyber incidents happening in the Middle East and Europe in recent months, particularly ransomware as a service, so big names like Jaguar Land Rover and others, have kind of given this meeting an extra buzz just before we met. Quite a few people flew in from airports that have been affected by the supply chain attack on baggage handling software. So it was very relevant and topical.
I think that's touched on a broader theme for the last couple of days, which is about supply chain. This is a global supply chain in many cases. So how do we secure that? It's a challenge, but it's no longer enough for companies or governments to secure their own perimeters. They have to worry about the tens of thousands of suppliers and vendors attached to them, their ecosystem, if you like. So regulators are getting there, and the EU has already regulated this and said we're all responsible. Other countries like the UK are getting there. So I think supply chain has been a big theme.
The Cipher Brief: Ransomware supply chain has been around forever. They're very difficult in their own right, but now we're looking at a world where AI is impacting everything. How concerned are you about that?
Hannigan: I'm really concerned that we don't repeat the mistakes of the past with AI. So as we rush to adopt AI and to use it in our applications across business and government, can we make sure we do it securely? We learned the lessons of cybersecurity because we're all paying the price in a way for 20, 30 years of building a digital economy on software, particularly, but also hardware that was not designed with security in mind. So again, regulators are getting there. They're mandating Secure by Design in most countries, but that's going to take years to follow through. So can we make sure that when we adopt AI, we're doing it safely and securely? And I think there are some big risks in AI, particularly in data poisoning.
The Cipher Brief: Sam Altman did an interview just recently saying the horse is out of the barn, so to speak. And he's not even sure where this is going when it comes to building in kind of more secure ethical processes into using AI.
You sat on a panel there talking about converging crises, the future of cyberspace and complex global dynamics. And boy, are they complex. I'm really curious to hear how all of these different countries are coming together to talk about working together in cyber when some of the countries have closer relationships to China than other countries do. How are you looking at that complex landscape for both risk and opportunity?
Hannigan: It’s a great question. I think the other theme of these last two days has been multilateralism under pressure. This is not a great time for cooperation between states. And that's a problem for cyber because as you know, from your background, cyber is a team sport. You can't do this within one country. And so we really need to approach this multilaterally. I think on our panel this morning, we weren't pessimistic. Yes, it's difficult in geopolitical terms, but actually it's in everyone's interests to try and secure cyberspace. And there are plenty of initiatives going across countries that are working. Secure by Design is one, trying to improve the standard of secure software development. Some of the security work on AI is going across countries. So I haven't given up hope on that working, but it's really essential and why it's great to have people from all over the world at this kind of meeting.
The Cipher Brief: One of the other things I always love to ask you about because it's always extremely relevant is the relationships with the private sector. As former head of GCHQ, this is something that you're very close to. You have a deep understanding of what needs to happen to make these work. How do you take private sector-government relationships in one country and then sort of scale that, if you will, with other trusted partners?
Hannigan: I think it's a great question. I think The Cipher Brief is a great example of an organization that's tried to bring together government and companies in a really effective way. I've just come from the UK where I've done lots of interviews on our recent big retail, ransomware attacks, Jaguar Land Rover and others. It's striking that people still expect government to be able to defend everybody. We all know that that's just not possible.
Government has very limited resources; it can advise, it can regulate. But actually it's up to the private sector companies to defend themselves and to prepare for resilience. And one of the frustrating things for me is that this is possible, this is an achievable goal. We hear about the failures, but actually there are thousands of companies protecting themselves very well and preparing for resilience in case there is an attack so they can contain it and get back up and running very quickly. So there are a lot of people doing the right thing, some people who aren't, and we need to help them get better.
The Cipher Brief: I think you're absolutely right in saying that some of these larger companies that really have the resources to put into cybersecurity and information sharing have a lot more responsibility on their shoulders than those medium and smaller companies which sort of have to wait to see what comes down to them.
Have you been involved in any conversations there that have surprised you or made you think differently about any part of what you focus on every day when it comes to cybersecurity and all of these complex issues?
Hannigan: I think we've had a really good conversation about the positive lessons coming out of Ukraine. And Chris Inglis, who you know very well, was talking about this on his panel. And I think it's a really good point that there are so many positive things coming out of that terrible situation in Ukraine on the cyber side. So why has Ukraine managed to keep going in cyberspace to resist this avalanche of attacks coming from Russia? It's because they've had a partnership with private sector companies, big tech and small companies, with allied countries, in Europe and the U.S. in particular, and there has been a coalition of defense. And there's something really interesting there about the model for how if you get together, private and public, across different allies, you really can defend. And as Chris and one or two others put it, defense is the new attack. It's really powerful when you do it properly.
The Cipher Brief: That was such an interesting time when the full scale invasion started because you did see it's a volunteer army of all of these companies. And the important thing I think to look at there is it was very values based. That landscape is also changing. Are you concerned at all about that in the future?
Hannigan: I think we're all concerned about polarization and some of those companies being torn between East and West and, as you say, closer to China or indeed closer to Russia. I think what's powerful though in Ukraine is they not only used companies and, as you say, volunteers, they also looked to their own citizens and they used very talented people, whatever their backgrounds, to get involved in this great effort to defend Ukraine. So you can achieve good things if you can organize people together. And it's amazing they're still up and running.
And it’s also a victory for cloud. I remember 10 years ago when governments were very nervous about putting anything in the cloud. Ukraine's a great example of where cloud has saved them essentially by putting stuff outside the country. They've managed to keep going and that's impressive and a great vote of confidence.