GCHQ deals with over 200 cyber incidents every month, according to David Anderson’s report on UK Government secret services’ use of ‘bulk powers’.
The ‘four bulks’ are bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets; powers in the Investigatory Powers Bill before Parliament, for use only by the agencies MI5, MI6 and GCHQ (not covering, for example, CCTV). David Anderson’s report concluded that there is a proven operational case for three of the bulk powers, and a distinct (though not yet proven) operational case for bulk equipment interference. As the report set out, such powers are used in cyber-defence, counter-espionage and counter-terrorism to child sexual abuse and organised crime.
According to the report, GCHQ for example used bulk interception to identify malware placed on a ‘nationally important UK computer network’ by an overseas-based organised crime gang who controlled a particularly sophisticated piece of malware. Police made arrests.
In a separate case, in 2016 an unspecified European media company suffered a ‘major, destructive’ cyber-attack. By analysis of bulk interception data, GCHQ was able to link this attack to other compromises in the same sector and to explain what had happened. UK government networks were protected from the (unnamed) cyber attacker, and media companies were briefed. Without the use of bulk powers, GCHQ told the review, it would have had to place sensors on the computers of thousands of potential victims; not practical. On acquisition of data in bulk, the security service MI5 gave the example of how after the terror attacks in London and at Glasgow Airport in 2007, by using bulk acquisition data, MI5 was able to establish within hours that the same perpetrators were responsible for both attacks. Other example included the 2006 plot ‘to mount multiple and simultaneous attacks on aircraft using home-made bombs’. The review gave some hypothetical cases of use of bulk equipment interference in countering terrorism and for cyber-defence.
And on bulk personal data (BPD), during the 2012 London Olympics, interrogation of such data was used to establish whether anyone who might have had access to venues had links with subjects of intelligence interest, and might pose a threat. MI5 identified a number of such potential threats; the point of BOD was that MI5 could assess and rule out those initially thought to pose a potential threat, and focus on those of ‘greatest concern’.
A theme of the case for use of bulk powers by the agencies was that without the powers, the same work would take longer and more resources, so much so that MI5 for example ‘could not effectively process and respond to the volumes of incoming leads’. MI5 said that it receives hundreds of new leads every week. Or as the report summed up, alternative methods exist, but are ‘often less effective, more dangerous, more resource-intensive, more intrusive or slower’.
The report made one recommendation: that a ‘Technical Advisory Panel’ of independent academics and industry experts be appointed by the Investigatory Powers Commission to advise on changing technology. David Anderson wrote that the ‘pace of change is breathtaking’, and that the Government and – in particular – the new Investigatory Powers Commission need to be fully and independently informed about the latest technology.
As the report said, such a bulk power implies ‘collection and retention of large quantities of data which can subsequently be accessed by the authorities’. On cyber, the report quoted a statement from GCHQ which included: “GCHQ would not be able to identify those who wish us harm without bulk powers …Communications data obtained through bulk interception is crucial to GCHQ’s ability to protect the UK against cyber-attack from our most savvy adversaries and to track them down in the vast morass of the Internet.”
Case studies
The report included other unidentified case studies of use of bulk data; for counter-terrorism, ‘support of military operations’ in Afghanistan; and cyber.
About the reviewers
Dr Robert L Nowill was technical adviser to the review; the Director for Cyber and Assurance at BT until 2013, and before 2005, he was the Director of Technology & Engineering at GCHQ. He chairs The Cyber Security Challenge UK. And Gordon Meldrum was investigatory adviser; a former Director of Intelligence at the National Crime Agency, who retired from law enforcement in 2015 and now runs his own consultancy.
More details
For more on David Anderson visit http://www.brickcourt.co.uk/people/profile/david-anderson-qc.
For the full 204-page report visit https://terrorismlegislationreviewer.independent.gov.uk/wp-content/uploads/2016/08/Bulk-Powers-Review-final-report.pdf.
Comments
Prime Minister Theresa May said: “I am grateful to David Anderson for this report, which follows a detailed and thorough review in which the government has provided unfettered and unprecedented access to the most sensitive information about our security and intelligence agencies’ capabilities. Mr Anderson’s report demonstrates how the bulk powers contained in the Investigatory Powers Bill are of crucial importance to our security and intelligence agencies. These powers often provide the only means by which our agencies are able to protect the British public from the most serious threats that we face. It is vital that we retain them, while ensuring their use is subject to robust safeguards and world-leading oversight which are enshrined in the Investigatory Powers Bill.”
Andy Burnham, Labour’s Shadow Home Secretary, welcomed the report. He said: “When the House of Lords debates the Investigatory Powers Bill, they will now be able to consider real evidence for the use of bulk powers. It is concerning, however, that the Prime Minister, who knows this legislation well, has not accepted the report in full and in particular David Anderson’s call for a Technological Advisory Panel to ensure legislation keeps pace with changing technology.
“She and the Home Secretary must accept the report in its entirety and deliver on the separate concessions extracted by Labour in the Commons – tougher restrictions on the use of Internet Connection Records and stronger protections for journalists and lawyers.”
Jonathan Parker-Bray, Founder and CEO, Pryvate, said that it is interesting to see this report on the Investigatory Powers Bill go live, as he had been saying for quite some time that this bill requires further scrutiny. “It is also good to see the recommendation that an independent panel of technical experts be set up to advise the intelligence service on how to minimise their impact on individual privacy. However, the greatest issue with mass surveillance from a privacy perspective is that it affects innocent people more than it affects people with something to hide. The Government has repeatedly demonstrated that they would welcome a weakening of encryption – further reducing the protections available to the general population and a disregarding people’s right to have secure private communications online. It has also ignored the position of the UK cyber security industry which has repeatedly said that any moves in this direction will affect its ability to do business on a global stage, and also repeatedly asked for reassurance that the Government will not demand the impossible of them – a weakening of encryption whilst maintaining the highest standards of protection. Yet a weakening of encryption would be necessary for the level of bulk collection the intelligence services are requesting.
“The important thing to underline is that a balance needs to be struck here, the Government does need tools to fight cybercrime and criminals who use mobile devices to communicate in the digital age and normal citizens and businesses have the right to private communications. With the majority of communications happening over phones and connected devices, some steps must be taken to gain information on these interactions. There are viable alternatives to bulk data collection, access to metadata, for example, when coupled with a phone ownership registry could provide the majority of the information police and intelligence agencies seek to access, and crucially shed light on who is talking to who, without invading people’s privacy. This data, however, must be protected and subject to oversight, courts must be engaged to issue a warrant to request the logs of people’s calls and who they speak to, leads must be generated before seeking more information and mass surveillance which puts so many people’s privacy at risk cannot be an acceptable solution.”
The civil liberties campaign group Liberty came out against the review, which it called ‘evidence-light’. Bella Sankey, Policy Director for Liberty, said: “Liberty called for an impartial, independent and expert inquiry into these intrusive powers – yet sadly this rushed review failed on all three counts. The review panel consisted of former Agency staff effectively asked to mark their own homework and a Reviewer who has previously advocated in favour of bulk powers. The report provides no further information to justify the agencies’ vague and hypothetical claims and instead invites the public to ‘trust us’. Post Chilcot, this won’t wash – hard evidence is required instead.
“This was an opportunity to properly consider the range of targeted methods that could be used as effective alternatives to indiscriminate and potentially unlawful powers. That chance has been wasted.”
In its submission to Mr Anderson’s Review, Liberty believed that the security and law enforcement agencies aims are, or could be, met by targeted methods.
