Good morning and thanks to the Commissioner, Sir Julian King, for an excellent opening set of remarks.
It is my honour to welcome you to the United Kingdom’s National Cyber Security Centre this morning for our seminar on electoral security, formally titled “Countering Cyber-Enabled Interference in the Electoral Process”. It is really good to be able to welcome so many of you from so many different European member states this morning. We are expecting colleagues from 20 other member states, as well as partners from the European Commission and Europol. I very much hope you have a useful day.
I want to focus briefly on three things this morning.
The first is the United Kingdom’s absolute and unconditional commitment to European security in the years ahead as we forge a new relationship outside the European Union, and our desire to make cooperation in cyber security, where we hope we have some expertise to share, a major part of that.
The second is how having a new approach to national security and a new way of working in the National Cyber Security Centre makes us better placed to deliver that, and to be a more useful partner to you.
Finally, how electoral security has emerged as one of the most important priorities for national cyber security across the nations of Europe and therefore a major focus of our own cooperation. And in doing so I will share some personal reflections of our own experience of protecting the UK’s general election in 2017.
1. The UK as a partner in Europe on cyber security
It is a particular pleasure to see colleagues from Estonia here in the room (and I look forward to their presentation later) because they have done so much, during their current EU Presidency, to promote the agenda of digital and cyber security, something the UK has been keen to support.
Last month, I visited Tallinn twice. The first was as part of the Digital Single Market event hosted by the Prime Minister where I was honoured, alongside my counterparts from France and Germany, to do a keynote. The second was alongside our Prime Minister at the Heads of Government summit where she set out unambiguously her administration’s commitment to European security. She highlighted two areas. One was military, where she, along with President Macron, visited the UK and French troops serving on the Estonia-Russia border. The other was cyber security, where the UK repeated our commitment to helping partners and encouraged EU leaders in cyber security to work with us to shape a more effective global approach to cyber security in the years ahead.
That is, I hope, a confirmation that after leaving the European Union we are planning on not just cementing but enhancing partnerships that already exist. Many of the organisations in this room are long standing partners of the United Kingdom’s National Cyber Security Centre, and its predecessor bodies, and there are people in this room who we consider personal friends.
We have already shared classified information with more than half of the EU’s member states, including, but not confined to, threats to elections. Over the past few years we have assisted other countries in the Union with the protection of electoral systems and international summits, another obvious target for hostile state interference. We have helped build capacity across the continent. Much of this has been done bilaterally, or among informal groups of nations multilaterally (though we have also cooperated with Commission colleagues, notably our friends in the excellent CERT-EU). With some of our closest European partners we are now trying to put in place the sort of infrastructure that is needed for collaboration - things like secure phone lines and the ability to share information at greater scale. That sort of informal collaboration bodes well for the future, not least because we are finding that some of the barriers one finds to other forms of security cooperation - sovereign information for example – don’t always arise in cyber security so often.
2. The UK’s National Cyber Security Centre and our strategy
It helps too, I hope, that we now have a new national strategy and new organisation from which to base our cooperation. I hope those of you who are visiting the National Cyber Security Centre for the first time are enjoying it. It is a unique facility – a mixture of highly classified working and transparent, outward facing cooperation all within two floors of the same building in central London. The room we are meeting in – a normal, central London conference room – is operationally important to us. It is where we host some of our most important operational events, whether that’s gathering together the leaders of a particular critical sector like energy to tell them about a particular threat or compromise or what to do about it, I’ll say a little more about this a little later, getting in those charged with delivering a national election to tell them how best to protect themselves against known threats. When we had a general election those in charge gathered here to disseminate secrets.
The NCSC model is to be able to turn the secret into something useable in the open. We are proudly part of GCHQ, our largest intelligence service. This gives us reach into the sort of highly valuable and classified data and capabilities that only we, under a very strict and proportionate legal framework, can have.
But of course, in cyber security having all this knowledge is of little use if you can’t act on it. So, during setting up the NCSC we made sure we had that ability to project outwards. Most of our advice involves telling people how to do the basics well, and that can and should be done in the open. It is derived from, among other things, our classified knowledge but we’ve found ways of being able to provide our advice in a way that draws on that data without compromising it.
Our job as a whole is about:
- trying to improve the way in which the UK citizen interacts with the Internet to make it intrinsically safer;
- protecting our critical national infrastructure through building resilience into our systems; and
- accepting that some attacks will get through, providing a national level incident management service for the most significant. In our first year, which we marked at the beginning of this month, we dealt with 590 such incidents. WannaCry, the global ransomware virus, was a good example of where we fused the high classification analysis with easy to follow, quickly available and highly practical guidance to our citizens about how to contain the attack.
The UK government has an ambition to make the UK the safest place to live and do business online and has charged us at the NCSC with partners in law enforcement and government with delivering it. The way the NCSC works reflects the fact that the government cares about cyber security for two reasons. The first is national security – the need to combat threats from hostile adversaries by new means and to reduce the incidence and the impact of espionage, data theft, and disruption. The second is to protect the economy and our citizens from the large-scale, low sophistication cyber attack which risks undermining the trust our citizens have in online services.
The second of these priorities, protecting our prosperity, is a long-term concern. The first, protecting our national security, is also a long-term concern but also requires us to look at protecting ourselves against significant single incidents. That could be the theft of a major dataset, the disruption of a power supply, or the disruption of a national election. Which brings me to my final point about today’s subject.
3. The importance of electoral security and what we can do about it
When a previous UK government first looked strategically (in 2009) at the national security risks associated with a cyber attack, the analysis tended, in common with most other Western countries, to be about hard infrastructure and hard power. As practitioners, we worried about power grids, electricity supplies, defence equipment, transport, water, financial systems, telecommunications networks and so on.
We were right, of course, but perhaps missed some things that were hugely important. One was personal data, in whatever shape or form it may take. A second was intellectual property. We knew big companies were already at risk, but did we really foresee some of the major attacks that would be aimed at universities to get at their research?
But perhaps a third, and crucially significant target we didn’t spot early on was what might be called ‘soft’ power: our values as a liberal democracy. Early on in my time dealing with cyber security I was struck by the prevalence of attacks on the media sector: Sony, TV5 Monde and last week it was disclosed that a small UK based media firm was targeted by a state actor. And then of course, there is elections.
Perhaps we shouldn’t have been that surprised that those who oppose our liberal and democratic values, from which the Internet sprang of course, would want to undermine those institutions and processes that are fundamental to those freedoms and which underpin them.
And that is what has happened. I don’t think I need either to reprise what has happened across European nations and North America around cyber-enabled interference in our electoral processes. Nor do I need to set out the importance of preventing and mitigating such damage: all I can say is that I was struck in our 2017 election about the unanimity and sense of purpose across the entire political spectrum here in the UK that outside interference in elections was unacceptable and everything that could be done to detect, prevent and mitigate against it should be.
So, I will finish this morning with a few reflections on our approach to defending the 2017 UK General Election. Our response has been proportionate, but hard-headed and vigorous. We already had a significant programme of work underway to protect the electoral system to a 2020 timetable when the next UK-wide election was due; when that was brought forward by a Parliamentary vote we did as much as we practically could from that plan and then we have resumed the rest since.
Our approach has been two-fold: detection on the one hand, and prevention and risk mitigation on the other.
In a forum and low classification venue like this, and in the time available, I know partners won’t mind if I don’t go into detail on what we detect and what we can then do about it. So, I will focus on prevention and risk mitigation. The key point here is the connection between the two: our risk mitigation is not just about generic best practice cut and pasted from the Internet but about specific advice to counter specific threats we worried about because we know about them through either classified intelligence or some other source. That’s the way our new NCSC model is designed to work.
As we will no doubt learn more about today, protecting electoral systems a complex task. Even though, with a few exceptions such as our Estonian friends, most voting systems are not online, much of the underlying infrastructure is digitalised.
The most striking feature of our experience was that protecting a massive national event is actually dependent not on one big process or one big organisation, but on the actions of hundreds, if not thousands of small, locally based organisations and individuals.
The UK, like many other Western countries, has a fundamentally local system of electoral administration. We have one big, national system – the Register to Vote service, and even this is simply a central conduit for locally based register to vote services; it is not a central electoral database. The core of the voting system – candidate approvals, ballot papers, lists of local electors and so on – is local. And many of our 389 local authorities in Great Britain are small. They depend on electoral software services provided by a small number of companies whose business models originally weren’t configured to withstand very sophisticated state level cyber attacks.
In addition, political parties are, whatever their national power and reach, in business terms small organisations. Then of course there are individuals themselves who may be targeted; we know from attacks in other countries that some of the most damaging parts of attacks have been through hacking into the webmails of individuals close to high profile political leaders.
So much of the defensive response is about getting the basics right. When we gathered political parties and electoral administrators in this room, many of them thought this was going to be highly classified; they were going to have their electronic devices taken away from them and told never to repeat what they’d been told in here. In fact, that was the opposite of our message. Our message was that based on what we knew, here were the simple, publicly available things they needed to do to protect themselves. They could put them on their website if that’s what they wanted. It was useful, practical stuff.
A different problem is the challenge that the democratic process is undermined by electronic ways other than cyber attack. From the adversary’s point of view, throwing a campaign of fake news into the mix is just part of the attack plan. From the point of view of us defenders in liberal democracies, it’s a different issue altogether – as security agencies it falls to us to help our countries combat cyber attacks on the electoral system but it is not for us to police content on the Internet or to vouch for whether it and all its parts, is true or not. So, this is a challenge for us collectively as societies, government and the media, to confront.
That is a hard problem. But overall, we are, I think, making some progress against this serious and real threat to our freedoms and values. Much of it is hard, painstaking defensive work – the grind of improving hundreds and thousands of systems and business processes in relatively small organisations. But it is based on a core of sophisticated knowledge about the threats and techniques used by attackers.
So it is something the UK, through the National Cyber Security Centre, is well placed to take a leading role in Europe on and it is in that spirit of unconditional cooperation that we are proud to host you today.
So thank you for coming. A particular thanks to our French, Czech and Estonian colleagues for presenting and sharing their experience. It is through cooperation such as this, now and in the future, that the fightback begins, and our values of democracy and freedom shine through and win.