Cyber security is an increasingly strategic issue that needs a whole nation approach, said Director GCHQ Jeremy Fleming in his 2021 Vincent Briscoe Lecture for the Institute for Security, Science and Technology, at Imperial College London. While he hailed the UK as ‘world leaders in cyber defence through the NCSC’, he warned of an ‘existential threat to our way of life as the old order is replaced by players who don’t share our values or follow the rules’.
And while he hailed the connectedness and interoperability of the digital world, that generates huge volumes of data and everyday convenience, he pointed out that adversaries ‘exploit the tools that were meant to bring society together, to instead create discord’, and ‘peddle extreme views’. He spelt out the challenge for critical national infrastructure ‘as it becomes more distributed and diffuse. It affects how we regulate, makes it harder to compel the provision of information for law enforcement or cyber security and it adds risk in the supply of products and services’. At a user level, it means phishing emails and malware; at a national level, state hackers attempt to steal coronavirus research and exploit supply chains.
He said that ransomware has become a serious threat, in scale and severity, ‘growing at an alarming rate’, for example causing losses for unprepared businesses. In line with officials in the cyber and diplomatic worlds more explicitly naming adversaries than in the 2000s, he named Russia and China as ‘of concern’. He recalled the recent SolarWinds compromise, attributed to Russia, and spoke of a pattern of malign behaviour – ‘whether in cyberspace, in election interference or in the aggressive operations of their intelligence services’ – by Russia that ‘remains the most acute threat to the UK’s national and collective security’.
As for ‘smart cities’, he aired the risk ‘that we will import technology which hardwires data collection in ways that go against the interests and values of open, democratic societies’. Even more generally speaking, as the internet was designed with access rather than security in mind, ‘the flip side is that we have built an ecosystem that is too vulnerable to compromise by criminals and states’.
He made the case for a global role for the UK; a ‘central role on the world stage as a force for good’, for example in setting international standards, and collaborating in protecting scientific research and supply chains as a ‘responsible cyber power’. He touched also on ethics, law, and research by academia; and a professional and skilled cyber workforce. Securing the digital homeland has to be a team effort, he said.
In another switch seen in recent times, he also spoke more aggressively of ‘offensive cyber’, that he described as ‘simply another lever of power that can be used to eliminate threats, amplify our values and pursue our national interest’.
Speaking from GCHQ’s head offices in Cheltenham, he began by recalling his start as DG in 2017 and how the intelligence agency has been behind the UK official National Cyber Security Centre (NCSC); and more recently has worked with the military on a ‘National Cyber Force, giving the country the capability to contest hostile states and criminals in cyberspace’. The lecture was due last year and then earlier this month, and put off due to the covid-19 pandemic and then the death of the Duke of Edinburgh.
He noted the recent UK Government Integrated Review of defence and security, and how ‘the lines between peace and conflict are blurred’. He used an analogy from Darwinian theory of evolution, where states, tech companies, individuals are competing and the ones that adapt do best.
He concluded by setting out the ‘whole of society challenge’ and the gains from getting it right, and protecting and growing the most critical technologies: ‘Government will create new markets, focusing investment on the sectors and technologies that are best for the UK. The country will support the growth of a diverse set of companies that can provide these technologies, and that continue to work in accordance with our values’.
You can read, and view, the lecture from the GCHQ website.
