The UK Intelligence and Security Committee, which has oversight of the UK intelligence community, published its 2016-2017 annual report (PDF) on Wednesday. With the rider that the report was written prior to April 2017, but delayed in publication, it provides insight into the UK perspective on global cyber threats. Its discussion includes commentary on nation state adversaries, the potential impact of the Trump administration on UKUSA, and the effect of Brexit on GCHQ operations.
The primary cyber threats are perceived to come from state actors, organized criminals and terrorist groups. State actors are the most advanced, with objectives including traditional espionage, commercial secrets and geopolitical instability. Organized crime occupies the next level of sophistication, becoming increasingly competent and targeted, and concentrating on financial gain. Terrorist groups have the intent to use cyber techniques, but are currently thought to lack the requisite capabilities (although this is likely to change).
There is additional threat from hacktivists and less competent criminals. Hacktivists are often politically motivated and primarily use DDoS for publicity or to inflict reputational damage. The entry level for less-skilled criminals is lowering, and financial gain is the main motivation.
The impact from cyber threats is primarily economic, although the reports notes, “increasingly there is a risk of physical damage in the ‘real world’.” This is magnified by the growing insecure internet of things (IoT) usage within the critical infrastructure. “Manufacturers,” says the report, “are likely to side-line cyber security considerations, given their potential impact on time to market and, therefore, profits.” The Committee urges the government to work with industry internationally “to promote the use of modern and secure operating systems in all smart devices connected to the internet.”
The report describes the UK’s new (since November 2016) National Cyber Security Strategy. It revolves around ‘Defend’ (which is typical cyber security mitigation); ‘Deter’ (which includes the specific warning, “We have the means to take offensive action in cyberspace, should we choose to do so”); and ‘Develop’ (based on “an innovative, growing cyber security industry”).
GCHQ is tasked with implementing this policy; and it is leading to a change in GCHQ’s traditional posture — it is coming out of the shadows and promises to be more proactive in UK commercial cyber defense.
“We’re spending too much time shouting at users and telling them they’re too stupid to do the right thing frankly, and that hasn’t worked and we need to get away from that,” GCHQ told the Committee. The new approach has been called ‘active cyber defense’, and “includes GCHQ assisting private companies in developing automated technological solutions to operate on the underlying internet infrastructure that would prevent a large proportion of cyber attacks from ever reaching end-users.”
Part of this process can be seen in the National Cyber Security Center (NCSC) which is both GCHQ (still covert) and partly an advice center backed by the skills and knowledge of GCHQ. It’s aim, says GCHQ, is “to fuse powerful covert capabilities, accesses, data and skills to help provide cyber defense at scale to the UK.”
The Committee asked whether GCHQ should have legal cyber security enforcement powers. GCHQ welcomes the tendency for existing regulatory organizations (such as the Bank of England and the Office of the Nuclear Regulator) to consult with and take advice from the organization; but it is not a supporter of general ‘cyber regulatory legislation’. While it is a political decision, it says it is hard to do, difficult to keep up with technology, and problematic across different industry sectors.
The UK has a well-established offensive cyber capability program. GCHQ’s ultimate position on the use of offensive capabilities is clear: “International law applies to state acts in cyberspace in the same way as anywhere else.” If international law allows a response to kinetic activity, it will allow a response to cyber activity. The committee says that GCHQ’s offensive capabilities are “an effective deterrent”.
The problem remains ‘attribution‘. “Further work will be required to develop a better international consensus on the rules of engagement for offensive cyber. GCHQ told us that it supported this concept in principle, but held some concerns, for example about others’ adherence to such agreements.”
The report highlights four specific cyber adversary states: Russia, China, Iran and North Korea. Russia is the primary concern. “It is possible that Russia is ostentatiously flexing its muscles towards the West under a deliberately thin blanket of deniability, or these may simply be providing a useful public cover for the Russian agencies’ practice runs,” suggests the report.
The intelligence community is more forthright. “The [Russian] risk appetite is quite different and they are quite prepared to use the world as a range, [saying] ‘we will give it a go and see what happens’, said Defense Intelligence. “They clearly are operating to risk thresholds which are nothing like those that the West operates,” said MI5. Despite this increasing level of mistrust between Russia and the West, the Committee urges “that limited lines of communication should be maintained, although a delicate balance is needed.”
China remains a serious cyber threat, attempting to steal data for economic purposes and to acquire classified government and military data. GCHQ notes that since the UK and the U.S. both signed cyber security accords with China (where all sides agreed not to engage in commercial cyber espionage), China is taking more care to disguise attribution.
Iran gets relatively little coverage in the report. “Iranian motivations against the UK are more obscure than those of Russia and China. GCHQ has suggested that Iran is primarily attempting a show of strength.”
North Korea is different. Its ‘recklessness and unpredictability’ is difficult to defend against. “It is prepared to use its capabilities without any concern for attribution, and for ideological motives which are alien to other countries,” warns the report.
In international cyber relations, the report unsurprisingly highlights the Five Eyes (the UK, USA, Canada, Australia and New Zealand) as “the closest international intelligence partnership in the world.” Bearing in mind that much of the report was compiled either before or during the first few months of the Trump administration, it is interesting to see the extent of UK concern — even to the extent that it could upset Five Eyes relationships.
“Any significant change in US policies relating to detainee treatment,” states the Committee, “would pose very serious questions for the UK-USA intelligence relationship. The US agencies are well aware of the implications for cooperation with the UK and other allies, and the UK Agencies are monitoring the situation closely.” In fairness, neither the Committee nor the intelligence community expected this to happen.
Brexit is also a concern for international intelligence relations. While Brexit cannot affect the Five Eyes (none of which, after Brexit, will be part of the European Union), nevertheless is will affect the UK. The Director General of MI5 told the Committee that there were two sides to the problem. National security falls outside of the Lisbon Treaty (the basis of the European Union), and the UK expects to continue working with European intelligence agencies.
What’s driving this, he said, is that “Half of Europe is scared of terrorism and the other half is scared of Russia and both halves want us to help them… So that will not change with Brexit because Article 4.2 [of the Lisbon Treaty] had all of that outside scope anyway.” But he added that other parts of cyber relations do fall within Lisbon scope, “in areas like data sharing, what happens with borders… what happens with law enforcement cooperation…” All of this is far from decided yet.
GCHQ is more relaxed. Its European partnerships are bilateral, and not connected with any European institutions; “So there is no reason why it would be affected by Brexit.” GCHQ is, however, concerned about data sharing and trade with Europe. “The big companies, will need to be able to share data in a way that is legally compliant on… both sides, the UK and the EU. That’s a policy issue way beyond intelligence, actually, but it will have big implications for us, so getting that right is important.”
Asked for a formal assessment of the effect of Brexit on their operations, both GCHQ and MI5 referred the Committee to the Cabinet Office, saying it was a political matter. The Cabinet Office then declined to respond; and the report registers the Committee’s disapproval. “The decision to leave the EU clearly has direct and indirect implications for the work of the Agencies — and these are well within this Committee’s remit.”
Much of the report is necessarily concerned with budgets (usually redacted), staffing and premises. However, wherever cyber security, both offensive and defensive, is discussed, the report provides a bullish picture of improving UK capabilities.