October is National Cybersecurity Awareness month in the U.S., an initiative started 15 years ago as a collaborative effort between the Department of Homeland Security and the National Cyber Security Alliance in hopes of raising awareness about the growing cyber threat.
As part of The Cipher Brief’s cyber coverage this month, we’ll be talking with a number of global leaders about how we see threats differently and how entities can work more closely together to address them.
Some leading cyber experts in the U.S. have advocated for years for a new government entity modeled after the UK’s Government Communications Headquarters, more commonly referred to as ‘GCHQ’.
GCHQ works with both the Secret Intelligence Service (MI6) and the domestic intelligence service (MI5) toward a single mission: to keep the UK safe. The U.S. has been working closely with the UK for years, and GCHQ’s current director, Jeremy Fleming, made his first public appearance in the U.S. last month at the Billington Cyber Security Summit in Washington, D.C., where he spoke publicly about his Agency’s close relationship with the NSA.
Former GCHQ Director and Cipher Brief Expert Robert Hannigan sat down with Cipher Brief CEO Suzanne Kelly to talk about today’s threats, how the UK thinks about them differently than the U.S. in some ways, and the critical need for fresh, innovative thinking to stay ahead of them.
The Cipher Brief: What are some of the emerging trends in cyber that concern you the most today?
Hannigan: Two overarching trends are the rising volume and the rising sophistication of attacks. I saw that in government, but it has continued. I think a couple of alarming trends are also that criminal groups are getting much more sophisticated, they are scanning for vulnerabilities, and the new way that they are overlapping with states is quite alarming. So state expertise is spilling into organized crime groups. That was always the case up to a point, but it's an increasing trend. States, of course, are behaving in a more reckless way; the international order is more fragile. So you'd expect that. But we're certainly seeing it.
Robert Hannigan, Former Director, GCHQ
"Big worries for the future are based on the fact that the attack surface is expanding, as we all know, through IoT and through everybody moving into the cloud. But more worrying is the supply chain itself; the IT supply chain that we all depend on is becoming a vector for attack. So most people who are well defended are worried about their vendors, their customers and deep supply chain attacks on hardware and software. So those are the things I’m most worried about in the future."
The Cipher Brief: In the U.S., we've seen attacks like Sony happen, we've seen hacks of government agencies where a lot of valuable security information was stolen. What we haven’t seen, and what we tend not to see, is what is done to deter future attacks, because the government often won't come out and say what they're doing. How does the public know if anything's being done and if it's adequate?
Hannigan: It's a good question, and every time something happens in cyber space, particularly from a state, there's a big noise in the media to say ‘we must hit back’. And I think most Western governments, certainly the U.S. and the UK, are developing offensive cyber and putting a lot more money into it. But I don't think it's really a technical problem; it's a policy and a political problem. The truth is that we play by different rules. We're not going to do in Russia the kinds of things they've done in cyberspace to others.
The Cipher Brief: You don't want to let them get away with it either.
Hannigan: No, so I think that's the real challenge. How do you raise the cost for them? Put down the red lines and say some things are unacceptable without doing things which we would find legally and ethically unacceptable? We're not going to switch off the domestic power in Moscow in the way that they did in Ukraine just because they've done something in cyber space. So very often, the best answer will not be cyber at all. The best answer will be economic sanctions or diplomatic action of some sort. And that's worked pretty well in the case of Russia.
The Cipher Brief: Let's talk about cyber strategy in the UK, because the U.S. has often looked to the UK in terms of your cyber security center here in GCHQ, and I know Chris Inglis has been a big advocate of adopting certain parts of UK thinking on cyber into the U.S., though there are obvious challenges there simply because of size. Help walk me through that.
Hannigan: People have said very kind things about the UK; we tried something new, and the core of it is to take cyber out of the secret world, but use the skills and data of the secret world, and put it alongside industry skills or resources. That's been the basic principle. And creating a national cyber security center owned by GCHQ (equivalent to NSA), is a way of doing that. And the experiment so far has been successful, but I don't suggest it's the answer for everybody. As you say, the U.S. scale is so much larger, you've got so many agencies and it isn't straightforward just to take one model, and ours isn't perfect.
"Our biggest challenge is capacity. So we just can't get enough people, enough skills, quickly enough to scale this up, and the ambition has never been to cover the whole of the defense of the economy in the UK. We've got to be really focused about what government's role is, and it's quite limited. It is about picking those bits of the economy that are most critical to national security, critical national infrastructure."
It's about giving coherent, consistent advice from one place in government rather than lots of places, which has been the case in the past here. And then helping to manage major incidents, both tier one instances, as we would call them, which we haven't really had one yet, and the rising tide of very serious tier two, tier three instances.
The Cipher Brief: The new Department of Defense Cyber Strategy just came out in the U.S. It emphasizes that the military is now going to be engaged in day-to-day competition in cyber space with a particular focus on China and Russia. Are these the right priorities, and how does that align with the UK’s approach?
Hannigan: It sounds consistent with what we're doing here. We have been investing in offensive cyber for a long time and working closely with the U.S. and with Cyber Command on this, and GCHQ and the NSA; it’s sort of a ‘quad’, if you like, working together. I think the government is going to formalize what we have, which is an offensive cyber program, and turn it into some kind of military-civilian force. It will be different from the U.S. in that we're not going to create two separate things, a Cyber Command equivalent and GCHQ. It will be integrated, and that's partly about cost. We can't really, as a country of this size, afford to build this twice, and partly because we think the integrated model of military and civilian works better for us. So it will achieve the same things, it will work very closely with U.S. counterparts, but it's going to be structured slightly differently. But we're all looking at this for obvious reasons: countries are behaving badly in cyber space, and the West needs to have the right kind of defenses, and some of that is deterrence.
The Cipher Brief: The U.S. and the UK have treated the supply chain conversation, overall, pretty differently. The U.S. has several bans proposed, while the UK is taking more of a ‘risk management’ approach to this. Where do you see this going and how will the dynamic with Chinese tech companies evolve over time?
Hannigan: I think that this is, for me, one of the biggest questions of the next 10 to 20 years. How do we manage the supply chain, particularly the hardware and software supply chains that are increasingly moving to the east? So China already manufactures most of the world's hardware, whatever the label on it, and is increasingly at the forefront of lots of the world's leading technologies like artificial intelligence. Look at what they're investing in, AI, and they will be world leaders in aspects of that, not everything, but in some aspects, by 2030. And we've got a choice in the West, do we just cut ourselves off from some of this, or do we find a way of managing the risk?
"I think the obvious answer is that we've got to find a way to manage the risk and that means national security working with the technology companies to see what we can do to assure ourselves of what is the appropriate level of exposure for buying, or acquiring, or using, or connecting, to anything. I don’t think that it's viable simply to ban stuff because it's made in a particular country. It doesn't seem realistic."
It's easier for the U.S. because the scale again means you do have some domestic alternatives in some cases, but even then, there are some people who are experts in telecom who tell me that the best 5G solutions are mostly Chinese. And it's not just because they’re the cheapest; they are genuinely, in some cases, the best. So if that's true, and it will be true in the future for lots of other technologies, we can't just say we're not going to touch that; we've got to find a way of managing it.
But it's not easy, and our experiment here hasn't been a total success. I think we've learned; the great thing about the Huawei cell which we set up: they're funded by Huawei, staffed by Huawei, but vetted by the UK and overseen by GCHQ, and are looking at all the hardware and software pushed into UK networks. The positive thing is that we have developed whole new approaches, and I think world-leading approaches, to scanning essentially for problems. Some of that may be poor engineering, some of that may be potentially malicious. But the problem is that you can't scan your way out of this, partly because you can't see every potential threat and partly because you can't scale that up for every company in every country. You're not going to be able to create these cells, so it isn't the answer itself, but some kind of risk management model has to be.
The Cipher Brief: We haven't yet cracked the code for achieving a stable environment in cyber space, clearly. What’s one area where you think we really need some fresh thinking?
Hannigan: I think there are lots of areas where we need fresh thinking. I mean, clearly in the norms of behavior, that's ground to a halt, and maybe we should park it for a while; now isn't a good time for any kind of international agreement, because things are so fractured intellectually in every area. But the areas where I think we do really need fresh technical thinking are our supply chain, and the IT supply chain in particular. What are we going to do in 10, 15, 20 years' time as things move east? That's the biggest challenge.
The Cipher Brief: Any projections on those norms of responsible behavior in cyber space? You mentioned parking them for the moment. But should we expect them to be invigorated and what would your message be to perhaps some U.N. body or someone else to say hey let's give this another go?
Hannigan: Talking about it is never a bad thing, but it was always going to be a struggle, given the complexity of this and the difficulties of attribution, to get an agreement that is far more complex than, say, the law of the sea, which took 30 years. But the problem is that the international atmosphere is now so fractured and poisonous, it's really difficult to see any agreement being reached, and particularly in an area as complex as this. So I think a better way forward is probably to look at sectoral agreements. You could probably come to some kind of more informal, non-treaty sectoral arrangements around critical infrastructure, maybe around health, possibly in financial services. Try to identify things that are in everyone's interests to agree, rather than do a global treaty, which frankly isn’t going to go anywhere.
The Cipher Brief: You work with private sector companies both in the U.S. and in the UK. Do you see any vast differences in the way that they work with government?
Hannigan: I think in general the private sector in the U.S. is further ahead than in Europe in terms of readiness, and in terms of the money they’re spending on it too. So the picture is better in the U.S., I think. In terms of relations with government, I'm struck that people persistently complain in U.S. boardrooms that they can't find the right way to interact with government. And that's partly because of the scale of government and the number of agencies, and that's a difficult one to crack. That's the thing I hear most consistently. I think finding a single place in which to share data and work together is tougher, I think, in the States, because it’s just so big and government is so multiagency.
The Cipher Brief: There are so many cyber events these days, yet it seems like every time I attend these events, I hear the same advice, which is ‘change your password’. How do we get beyond that and when do you see some sort of opportunity for us to educate more of the general public on how they can do their part to make the internet a safer place to do business and to interact?
Hannigan: Well, I agree there are so many of these events, and I think if you're a buyer, if you're a CISO in a big company, you're just swamped with vendors at the moment. And the complaint I hear is just a kind of weariness, fatigue. At the same time, if you're a really good CISO, you need to be innovating and thinking about the next threat, not fighting the last war. So it's really important that there should be events with new companies coming through against new threats and problems. But I completely agree with you that the fundamentals of cyber security haven't changed much. You know, the basic ways of attack are the same, the basic mistakes people make are the same. So if you can get your authentication right, password stuff, you get your network configuration right, and the right accesses, the right privileges, if you're patching and upgrading, basic, basic stuff, you're going to seal off 80%, maybe, of attacks. But getting that through to people is still tough.
On awareness, the UK’s National Cyber Security Centre (NCSC) recently came up with five questions boards should ask their CISOs, so trying to distill this down to a few things; whether they always understand the answer is the problem, so there's an education component. But personally, I think our strategy in the UK has changed quite radically in the last five years. We put this into the creation of the NCSC. We used to take the view that everybody must get better, including every member of the public. We spent our time telling people they weren't good enough, and telling government that, too. I think all of that still needs doing; people do need to get better, but it's completely unreasonable to expect a security model to work if it depends on every person in every company doing the right thing all the time. You wouldn't do that in car safety, for example. You build it in, you regulate it, you get the insurance industry to regulate it. So we've got to get to that point for cyber security and the internet.
"We’ve got to get to the point where a lot of this is done for people and I think the most interesting solutions out there are around that, and there are things that government could do to try to make sure that people can't pose as things they’re not, that most spear phishing emails could get filtered out actually before they ever arrive, some basic stuff. We should not expect individuals to have to make all those choices. But we are a long way from achieving that."
The Cipher Brief: What advice do you give your friends at dinner parties?
Hannigan: I think one of the things we've missed in cyber security is just the basic help that people often need, and we provide very complex technical answers. We don't always just give people the kind of clear simple directions, as you say, things about passwords, that actually could make their lives much safer.
The Cipher Brief: I know personally that I try to imagine every conversation as if I'm explaining it to my mother. We want to keep our parents safe on the internet and you have to boil it down to something.
Hannigan: I think that's a great example, because my dad was renewing his antivirus the other day and asking me what he should use and at what level should he upgrade? It's ridiculous that he should have to make those choices. He doesn’t ask, how many airbags should I have in the car? What grade of steel should I have? That stuff is regulated; it's mandated by insurance companies, it's part of the automotive industry. We'll get there on the Internet, too, I think. It's just that we're still in a slightly crazy world where everybody has to design their own safety.
The Cipher Brief: Is there anything I haven't asked you that you think is important to add?
Hannigan: I think you're on to a really interesting point on these events, as to whether it's different in different parts of the world. There is a kind of fatigue setting in. People just feel this is too big a problem. We don't know who to buy from. We've got too many companies. It’s really difficult. There will have to be a consolidation in the cyber security industry in the next 10 years. No question, I think.
The Cipher Brief: What do you think that will look like?
Hannigan: I'm finding particularly large companies, but not the largest enterprises, are increasingly feeling that they want somebody just to manage their services for them, because it's too complicated, particularly complicated, to have lots of vendors. So I think there'll be consolidation there at the highest end. The really big companies, the enterprises, I think will want vendors in specific areas, but they’ll want slightly fewer of them. They'll want people who have a proven track record, and they can afford it; they've got the infrastructure to bear it. For most other companies, they can't spend that kind of money and they can't employ those people. Skills are a common problem for everybody: government, industry, everybody is struggling to fill these positions.
The Cipher Brief: You’ve said recently that you don’t need to be looking for the traditional skill sets when you’re hiring talent to put against evolving cyber threats. You’ve put more of an emphasis on needing to be creative and inquisitive and willing to learn.
Hannigan: It’s aptitude, really. Most of the big tech companies are now recruiting on aptitude, Google for example. At GCHQ we started doing that and looking at what we call ‘boot camps’ for arts graduates and people who are outside the STEM disciplines. We get great people that way, people who love this field and have that sort of problem-solving approach and can be trained really quickly. We've got to be more creative, more flexible, a bit more like the criminal groups who are attacking us, actually, who don't care about qualifications; they pull in skills for particular jobs.
The Cipher Brief: That's a very good point. Robert, thank you so much for taking time to speak with us today.