NCSC Chief Executive Ciaran Martin sets out the UK’s new approach to cyber security at the Billington Cyber Security Summit in Washington DC.
Yesterday, Ciaran Martin, the current Director-General Cyber at GCHQ and the first Chief Executive of the new National Cyber Security Centre (NCSC), spoke at the Billington Cyber Security Summit in Washington DC.
As one of the keynote speakers, the NCSC’s Chief Executive set out how the new organisation will adopt a more active posture in defending the UK from the range of cyber threats the UK currently faces, as well as the need for government, industry and law enforcement to work in even closer partnership.
A full transcript of the speech as delivered is given below.
Speech by Ciaran Martin, Director-General Cyber GCHQ, given at the Billington Cyber Security Summit on 13 September 2016.
Thank you very much Rick for those kind words, for your partnership and friendship, for your lunch and for your good wishes. I will do my best to deliver on those expectations you've set for me.
Tom, thank you for the invitation to this wonderful conference.
I want to begin with a profound and heartfelt word of thanks to the United States, to its people and its Government. You are our most important and enduring security partner. So I'm particularly honoured to share a place on the speaker list with Admiral Michael S. Rogers, head of Cyber Command and Director of the National Security Agency.
The partnership between my parent organisation, GCHQ, the UK’s signals intelligence and cyber security agency, and the NSA and its precursors dates back more than seven decades. There's no closer, more important, or more successful partnership anywhere in global security. It's a partnership based on trust. On friendship. On mutual benefit that’s clear to both of us. It's a partnership based on staying the course together when things are tough.
I pay the warmest of tributes to the professionalism, dedication, courage and skill of colleagues in the NSA, and the wider US national security community. And I'd also like to extend my thanks to our range of US commercial partners and friends, the tech and telecoms companies and the cyber security players who, in our increasingly internationalised arena, work with us to build the capabilities that we all need to protect our citizens.
We and the NSA are primarily known as intelligence agencies. But we have a long and proud history of protecting information too. On our side, Alan Turing, the Enigma codebreaker, spent more of his career with us building secure communications for the UK than he did cracking other people’s codes. Our museum in Cheltenham contains the first ever White House to Downing Street secure telephone used by President Kennedy to talk to Prime Minister Harold Macmillan during the Cuban Missile Crisis. And it's red - as you would expect.
And so as the world faces many uncertainties, our transatlantic alliance is as important as ever. So I'm here today to talk about an exciting new phase in our security partnership from the UK’s perspective. I want to explain how we see the cyber security problem, what we’ve experienced, and how that’s shaped our thinking. Then I want to explore how that experience and thinking has shaped the decision to establish a new National Cyber Security Centre as part of GCHQ, for which I have the enormous privilege to serve as its first Chief Executive.
And finally, I want to expand on what the NCSC is here to do. It’s not just a building. It's not just there to coordinate, it's there to deliver an ambitious strategy that our Government is preparing. And that strategy is about tackling the most capable threats and protecting our most important national systems - of course it is. But it's also a significant shift in thinking towards looking – at a national level – at how we use technology to improve cyber security everywhere in the UK.
Now why? Well of course we have to defend the nation against the gravest, sophisticated threats we face - we're a national security organisation. But the majority of successful cyber attacks are not sophisticated. They can be defended against, but they're doing serious damage and we're not yet doing as well as we want.
If we’re going to retain confidence in our increasingly digitized economy, we have to make sure that everyone – our private citizens, our small businesses, our not-for-profits, as well as our largest and most pivotal public and private institutions – can do business in a digital environment that is fundamentally safer than it is now. And to do that means using technology to automate our defences against these unsophisticated but prolific attacks.
This really matters for the UK. The Government I work for is charged with helping to protect a highly digitalised economy, which by some measures is the most digitally advanced, and therefore dependent, in the world.
In July of this year, Britons spent an estimated £10.7 billion shopping online – that's roughly US$220 per person in one month. One eighth of the UK’s GDP comes from the digital economy, that's the highest currently in the G20. UK digital industries grew two and a half times more quickly than the economy as a whole between 2003 and 2013.
We have the highest percentage of individual internet usage of any G7 economy. We're among the world leaders in Digital Government. Digital is a big and growing employer and these are good jobs: the average advertised salary is 36% higher than the national average.
Our critical systems are going increasingly digital too. Of course systems like the power grid have long had significant computer networks and we've worked with those providers on security issues for a very long time. Previously manual systems, like the meters used for measuring gas and electric usage, are going digital too. This Smart Meter technology will keep costs down and improve the environment, but it'll also mean a box connected to the Internet in every home and business in our country.
Similarly, we've moved all our working-age benefits - our social security payments - into a single system, called Universal Credit. When it's fully operational, 90% of our claims will be done online. So this one system will pay out 7% of our GDP.
And this is all a success story but we know that with new opportunities come new vulnerabilities. So alongside the ability to transact, process and store data on an unprecedented mind scale so comes the risk of being compromised on an unprecedented scale.
Security officials – or securocrats as we’re sometimes pejoratively called on the other side of the Atlantic – we're sometimes accused of wishing this new world away and seeking to thwart or slow the onset of the technology that underpins this revolution. I emphatically reject this. We want this digital revolution to succeed. Our job is to help make the digital economy and digital Government work, by making it safer. So let’s start by focusing in on the type of threats we face and why we face them.
In previous public remarks that I've made in the UK, I’ve focused on the three main motivations for systematic cyber attack that we see. I'm going to introduce you to some very high tech new concepts.
One is power: the traditional ‘statecraft’ just playing out in the digital age. Countries and rogue actors seeking to gain advantage by stealing secrets, or by pre-positioning for a destructive attack in a time of tension. Another one's money: anything from the sophisticated theft of intellectual property to the simple theft of cash from a bank account. Another is propaganda: where the global platform that the Internet gives anyone and everyone is misused to make a point, attract attention or to instil fear and intimidate.
Money, power and propaganda. Hardly new concepts for humanity. The Internet may have transformed the way we live, but it hasn’t completely changed our nature fostered over thousands of years. And nor are the groups who pose us harm particularly new.
We've got hostile states. Some of them are great powers, using cyber attacks to spy, gain major commercial and economic advantage or to pre-position for destructive attack. Others are smaller states, looking to exploit the relatively immature rules of the road in cyberspace to tweak the nose of those they see as bigger powers in a way they would and could never contemplate by traditional military means.
They include criminal gangs. Some of these operate under the protection or tolerance of uncooperative states, and this is something new about cyber because it makes it much harder to bring them to justice because they don’t need to set foot in our jurisdictions or those of our allies to harm us. Some of these gangs are extraordinarily sophisticated. We've seen some of the most MBA-grade management information systems that tell them, in great detail, which lines of attack are profitable and which are not. But not all that much of the crime we see is MBA-grade and too much of it gets through, and that's a key theme that I want to return to today.
We also see terrorists, hacktivists and lone operators many of them operating in the propaganda space. And we are conscious, as so-called securocrats, of the risk of being seen to overstate a threat. So we've been clear in the UK on terrorism – that as yet we assess that the world’s major terrorist groups have the intent, but not the capability, to launch a destructive cyber attack. Now, that might change. And in the meantime we have to face and respond to the horrific misuse of the Internet by terrorists across the globe for the purposes of propaganda and radicalisation.
These threats and their pursuant patterns are ones I hope will be recognised by American colleagues. And I’d like to say a little bit about our experience of how it’s played out in the UK. So in the UK we've faced and continue to face, some very serious cyber attacks. Unlike some of our allies, there has not yet been a single stand-out incident of hostile foreign cyber attack that's resonated as a first-order national crisis with the public and media.
But I expect – frankly I know – that we will face one, and we prepare on that basis. And behind the necessarily closed doors of our cyber defence operations centre, last year we detected twice as many national security level cyber incidents – 200 per month – than we did the year before.
This is core national security business for us; it always has been, it always will be. And these attackers are the people the cyber security industry and others like to call advanced persistent threats, or APTs. They threaten our public services, they threaten our infrastructure, they threaten our research, they threaten our innovation and much else.
It’s hard to do what they do and we invest heavily in our cyber defences and our cyber resilience to stop them. I'll say a little more about how we do that shortly. But then there's everything else. States, criminals and others attack in all sorts of ways, and not just in the sensational ways that push the buttons of editors and filmmakers.
So let me make a point we believe to be fundamentally true, and therefore critical to our strategy. The great majority of cyber attacks are not terribly sophisticated. They can be defended against. And even if they get through, their impact can be contained.
But far too many of these basic attacks are getting through. And they are doing far too much damage. They're damaging our major institutions. A British telco hit the headlines last year and the initial speculation was around a highly sophisticated attack but it is now believed to have been an SQL injection, a basic technique dating from the end of the last century.
65% of all large UK companies reported a breach in the last year. And our local media in the UK is full of painful stories of small businesses, lovingly built up, struggling to survive and maintain the confidence of their customers after a ransomware attack. Now these attacks aren't carried out by APTs. My Technical Director, Dr Ian Levy, who's an expert of global standing with a fine turn of phrase, he likes to call them APTs, but he also likes to call them something else: Adequate, Pernicious Toerags.
But whatever term we use for them, they're doing a lot of harm and in terms of defending against them we are not, yet, good enough. But is any of this the Government’s concern? Isn’t this for organisations to sort out for themselves? I’d make two points in response.
First, if one survey is to be believed, 77% of Britons are not fully confident in buying things online. That matters hugely to such a heavily digitalised economy as the UK.
Second, something is not quite working yet in the marketplace for cyber security. There are great companies, great people and great innovation. Barriers to information sharing are being broken down. But let's take an honest look at ourselves collectively; certainly in the UK given the record of the past few years it's hard to say and we don't say that we’ve got ahead of the totality of the threat. And if we’re to maintain confidence in the digital economy, we’ve got to tackle this end of the problem too, the majority of the problem.
There's a legitimate role for the Government in taking a lead, at least temporarily, and that is the thinking behind our strategy. Tackling low-grade, high-volume cyber attacks is a vital part of this three-pronged approach that our Government agreed last year as part of its post-election Strategic Defence and Security Review.
The first prong is organisational coherence with our new National Cyber Security Centre or NCSC. The second is defending against the most serious threats. And the third is about improving our digital security ecosystem to tackle those unsophisticated, prolific threats. I'll talk a little about each in turn.
First, the NCSC. There are a number of reasons for it such as organisational coherence, but cyber cuts across lots of different public authorities and we're designed to bring together various sources of expertise into a single organisation. So we will include some of the best protective security experts in the world in our domestic security service, MI5, we'll include our CERT, we'll include GCHQ's long-established expertise in information security. And we'll have formalised and integrated operational partnerships with law enforcement, defence and private industry.
We'll take legal form next month and will complete our move into central London headquarters shortly afterwards. But I just want to dwell on what makes the NCSC unique. Most importantly, we are proudly and openly an integral part of GCHQ, our national signals intelligence organisation. And this is a deliberate choice by our Government. And that's because our interventions and our advice only count because they are backed by the hard data and unrivalled expertise a dual-facing mission gives us.
The people within GCHQ – the most amazing colleagues I've ever had the privilege of working with – fully buy into this dual mission. They know better than any that the value we give to the country is only because we have access to data, capabilities, skills and partnerships, particularly the transatlantic partnership, that we might not have outside the intelligence community. It’s a phenomenon Turing would have recognised.
All that said, being part of the intelligence community poses challenges for us. One of our core functions is incident management so we’re looking with interest at what's happening with PPD-41. Another is the improvement of cyber security in critical sectors of the economy. And the third is providing general advice, guidance and active interventions to improve cyber security in the country as a whole.
Now all three of these core functions require a more public-facing approach than ever before. For an organisation whose history, custom and practice originate in the secret world this is not always comfortable, but we accept it's necessary, because cyber's a team sport. That’s the thinking behind the NCSC.
A second, absolutely essential part of the strategy is about our core national defensive cyber capabilities to tackle those who genuinely merit the description APT. There are various aspects to this. One is the maintenance of the UK’s status as one of the few sovereign cryptographic nations for our most sensitive secrets. Another is our development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats. Here we work very closely with United States colleagues and only last week the Secretary of Defense and our Secretary of State for Defence signed a Memorandum of Understanding to investigate jointly the advancement of both offensive and defensive cyber capabilities. And I'm pleased to say GCHQ will be at the heart of this work.
But you will understand, I hope, why I can’t go into too much further detail on either of those subjects. So instead I’d like to talk about our approach to critical national infrastructure, which, in both our countries, is held in a mixture of private and public hands.
In so many of the major cyber incidents across our network of allies the difficulty of securing long-standing ‘legacy’ systems is a common problem. We're all indebted to our predecessors in both a positive and negative sense and whatever other ‘legacies’ our recent predecessors left us, secure IT systems were not among them. We can and are doing our best to mitigate the risks, but the strategic solution can only come when they are replaced.
In the UK, two well-known examples stand out and I’ve mentioned both already. One is Universal Credit, our working-age benefits system. Fraud is a major problem in all developed welfare systems so our approach here is to help the department design a system where fraud doesn’t scale and automated fraud won’t work. It's not fraud proof, but automated fraud shouldn't work.
The other is Smart Meters. As an example of our commitment to engaging transparently in debate, Dr Levy has published a blog about how the security mitigations in smart metering work. I can’t do it justice here, but to summarise it relies on a sophisticated trust model and on a doctrine that it takes more than one major compromise or error to disrupt the system as a whole.
So our approach is about designing and implementing systems that are far harder to disrupt than their predecessors and crucially are blind to the identity or motive of the actor. And all of this, alongside our classified data and capabilities as part of GCHQ, and our enhanced incident management function, means we're hopeful that this approach will significantly help to bolster our national defences in the long term.
Finally, to what I view as the most exciting and innovative part of the plan: what we call active cyber defence. Now this term is used a little differently in the US but what we mean in addition to disruptive and potentially lawfully governed defensive capabilities is a bit broader. It's where the Government takes specific action with industry to address large-scale, non-sophisticated attacks that are doing so much damage.
Having accepted there is a role, at least in the short term, for Government, we were asked to think radically about what has and hasn’t worked in the past and what could work in the future. In terms of the recent past, we came up against some hard problems. One is the extent to which all defences remain vulnerable to human error. Anything that relies on every single end user doing the right thing is going to be troubled from the outset. Another is what I would suggest, perhaps controversially, is the weight of expectation placed on information-sharing initiatives.
Don't misunderstand me: these are essential, and are potentially transformative, and at their best are absolutely brilliant – we're really pleased in the UK by the progress made by our finance sector in this area. And there's definitely much more benefit to come from this area. But they are not, and can never be, a comprehensive strategic solution to the challenge of cyber security, though we talk sometimes as if they are.
So our approach has been to expand on this progress but also to look beyond that at what a more activist and automated approach could achieve. Because we know automated defences work on the Internet. It's possible to filter unwanted content or spam. It's possible to filter offensive content. It's possible to block malicious content. So why aren't we doing more of it?
Well, in the UK now, we're really trying. We're working on two areas where we have really high levels of ambition. First, we are looking at using a series of automated measures aimed at making UK Government networks the most secure in the world. If some of them work, we hope others will adopt them.
Here’s an example. We need to make sure UK Government email is trusted, so we need to stop people spoofing our .gov.uk domain. To do that we’ve set a DMARC policy as a trial to stop emails from the wrong IP sets, or with the wrong key, from being delivered purporting to come from .gov.uk. Well they do get delivered, but they get delivered to us, not the recipient - usually members of the public. And when we first trialled it, whoever was sending 58,000 malicious emails per day from the delightfully named firstname.lastname@example.org isn’t doing it anymore.
Here’s another example. We're piloting ways of tackling commodity attacks, so we're sending automated takedown requests to hosters, registrars and others. And we're starting to see real, measurable results: looking at phishing attacks against UK government brands, the median time the phishing site is up has dropped from 49 hours to 5 hours. A clear, verifiable improvement.
And we can take concepts of automated defences beyond Government on a voluntary basis. We're currently working with the UK telecommunications industry to stop the well-known abuse of the BGP and SS7 protocols to reroute traffic. If we’re right, this will mean it’s much much more difficult for UK machines to participate in a DDoS attack. And if we’re right then everyone else can do it.
Finally, we're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses? Now it's crucial that all of these economy-wide initiatives are private sector led. The Government does not own or operate the Internet. Consumers must have a choice. Any DNS filtering would have to be opt out based. So addressing privacy concerns and citizen choice is hardwired into our programme.
These initiatives complement what we’ve long been doing in cyber security. In the UK, we have our Secure by Default initiative, developing secure hardware, software and digital services, including the proper role of strong encryption. And we'll continue to work with our private sector partners to find and fix vulnerabilities; so far this year we’ve been credited publicly with identifying 20 major vulnerabilities, by Apple and other major providers.
And we want to be judged on results. Hard data and hard, credible evidence has been scarce in cyber security thus far. Part of the agenda will be the publication of data and evidence about what is and isn't working, and metrics about the outcomes achieved. If we succeed, we want to be able to prove it, not just assert it. If we fail, we don't expect to be able to hide.
So this is an upbeat and optimistic agenda to get ahead of a serious and persistent threat which puts at risk national security and national wellbeing. We don’t claim to have all the answers. Much as my boss, GCHQ Director Robert Hannigan, said at MIT in March when talking about national security and encryption: no single person, organisation, group or sector has all the answers, but collectively they’re bound to be out there and what's needed is creativity and goodwill. And exactly the same is true in cyber security.
There are other issues we don't have time to address today. We need to address our skills shortage. In the UK we've so much to learn from the US from the remarkable and imaginative approach to statecraft, using law enforcement and diplomacy as a tool of cyber security. So in addition to paying tribute to the NSA, I must also call out to colleagues in the FBI, DoJ, DHS, State Department, the White House and elsewhere for this imaginative and brave work - the US is well served by outstanding public servants.
That sense of mission for public protection – both within Government and in our private sector partners – is very much evident in the UK too. So faced with a problem of this importance and this scale, we believe it's worth trying something new, unleashing innovation in the hope and expectation we can achieve a very significant breakthrough in the coming years.
Not all of our ideas will work. But it is my passionate belief that by unleashing the power of our technology and technologists, by liberating them from some of the traditional constraints of Government but backing them to the hilt, we can achieve something truly special.
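The DMARC mechanism the speech describes for .gov.uk mail (mail from the wrong IP sets fails SPF, mail with the wrong key fails DKIM, and the domain owner receives the reports rather than the public receiving the spoofed message) is shown below as an added example. It is not code from the speech, the NCSC or GCHQ: it is a minimal receiver-side DMARC policy evaluator written for this page. The DMARC record, the `example.gov.uk` and `attacker.example` domains, the `PUBLIC_SUFFIXES` stand-in for the Public Suffix List and the per-message SPF/DKIM outcomes are all constructed assumptions; a real mail receiver fetches the record from the `_dmarc.<domain>` TXT record and produces the SPF and DKIM results from its own checks.

```python
"""Added example, not from the speech or the NCSC: a minimal DMARC policy
evaluator showing how a p=reject record on a domain stops mail that purports
to come from that domain but fails SPF/DKIM alignment, and where the failure
reports are sent. All records, domains and authentication results below are
constructed for illustration; a real receiver fetches the record from DNS
(_dmarc.<domain> TXT) and runs its own SPF and DKIM checks.
"""

# Tiny stand-in for the Public Suffix List (assumption: enough for the samples).
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk", "org", "com", "example"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p= by default
    return tags


def org_domain(domain):
    """Organisational domain: one label longer than the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return the DMARC verdict for one message.

    spf_result / dkim_result are the receiver's own check outcomes ('pass',
    'fail', 'none'); spf_domain is the envelope-sender (MAIL FROM) domain and
    dkim_domain the d= value of the verified signature, or None if there was none.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        disposition = "none"        # authenticated and aligned: deliver normally
    elif org_domain(from_domain) == from_domain.lower():
        disposition = policy["p"]   # the organisational domain itself: p= applies
    else:
        disposition = policy["sp"]  # a subdomain: sp= applies
    return {
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "disposition": disposition,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # Aggregate (rua) reports are how the domain owner, not the public,
        # gets to see the spoofing attempts that were blocked.
        "report_to": policy.get("rua"),
    }


# Constructed sample record and messages (assumption: not real DNS or mail data).
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.gov.uk"

SAMPLE_MESSAGES = [
    # name, From: domain, SPF result, MAIL FROM domain, DKIM result, d= domain
    ("genuine", "example.gov.uk", "pass", "example.gov.uk", "pass", "example.gov.uk"),
    # Sent from a third party's own server: SPF passes for *their* domain,
    # but that domain is not aligned with the From: header, so DMARC fails.
    ("spoofed-from-header", "example.gov.uk", "pass", "attacker.example", "none", None),
    # Forwarded genuine mail: SPF breaks on the forwarder's IP, DKIM still aligns.
    ("forwarded-genuine", "example.gov.uk", "fail", "example.gov.uk", "pass", "example.gov.uk"),
    # Spoof of a subdomain: the sp= policy applies rather than p=.
    ("spoofed-subdomain", "alerts.example.gov.uk", "fail", "attacker.example", "none", None),
]


def run_samples(record=SAMPLE_RECORD, messages=SAMPLE_MESSAGES):
    """Evaluate each sample and return {name: disposition}."""
    return {name: evaluate(record, *fields)["disposition"] for name, *fields in messages}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} -> {verdict}")
```

The third sample is the case a domain owner has to think about before moving from `p=none` to `p=reject`: legitimate mail that is forwarded loses SPF, so the policy only works without collateral damage if the domain's genuine mail is DKIM-signed with an aligned `d=` value. The `pct=` tag (omitted here, default 100) is the usual way to ramp a policy up gradually while watching the `rua` reports.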