Cyber power needs wider discussion, says GCHQ director

The topic of cyber power needs wider discussion, says GCHQ head in a speech about the opportunities of digital innovation such as 5G, as well as the accompanying complexity and risk, with particular mention of China and Huawei

Nations worldwide are grappling with what the concept of cyber power means, what a country needs to be a cyber power, how that power should be exercised and what rules, regulations and ethics are needed to exercise power responsibly, according to Jeremy Fleming, director of GCHQ.

“We’re all contending with these questions. Our nations are breaking new ground as we develop cyber capabilities, grapple with cyber security and start to think about the skills and the rules we need for the cyber age,” he said in a speech in Singapore that is part of the Fullerton Lecture series run by the International Institute for Strategic Studies (IISS).

The way to move forward, said Fleming, is to converge on agreed definitions, regulatory frameworks, industry standards and norms of ethical behaviour.

“Frankly, we need a new lexicon – one that isn’t based on the overly military language of past power frameworks, but a language that clearly refreshes and restates for the cyber age the underlying principles that have served our democracies so well for hundreds of years,” he told leading figures from governments, think tanks, academia, industry and the military from across the South East Asian region.

“The UK – indeed, all of us – need to better understand the challenges and opportunities we face and how best to shape the debate with our partners, allies, and even our adversaries, around the world. In short, we need to pioneer a new form of security for the cyber age,” he said.

“A nation is a cyber power if it is able to direct or influence the behaviour of others in cyber space in three main ways. One, it has to be world class in safeguarding the cyber health of its citizens, businesses and institutions – it must protect the digital homeland.

“Two, it has to have the legal, ethical and regulatory regimes to foster public trust – without which we do not have a license to operate in cyber space.

“Three, when the security of its citizens are threatened it has to have the ability – in extremis and in accordance with international law – to project cyber power to disrupt, deny or even destroy.”

Securing 5G networks

Fleming then went on to describe 5G as one of the most important and impactful technologies of this or any era, adding that the technology and the role of Chinese firm Huawei is at the heart of the “most charged part” of the current global technology debate.

5G, he said, will enhance the use of the internet, be a catalyst for technological change, will change the way we think about how our data is being used and will make us more interwoven and dependent on the internet.

“Navigating this exciting, transformative technology is going to be difficult and it will be different in each country,” he said, adding that it is “essential” to understand the complexity of the technology.

In the UK, Fleming said the National Cyber Security Centre (NCSC), as part of GCHQ, is the national technical authority for cyber security. “It’s our job to bring objective, evidence-based and technically authoritative advice to the policy table,” he said.

As recently set out by NCSC head Ciaran Martin in Brussels, Fleming said the most important aspect of the UK’s approach lies in defining three pre-conditions for securing 5G networks.

“First, we must have stronger cyber security practices across the telecommunications sector. The market is configured in a way that does not incentivise good cyber security. That has to change.

“Second, telecoms networks must be more resilient. Vulnerabilities can and will be exploited, but networks should be designed in a way that cauterises the damage.

“Third, there must be sustainable diversity in the supplier market. A market consolidated to such an extent that there are only a tiny number of viable options will not make for good cyber security.

“These three conditions are objective, technical, and evidence based. I’m determined they are not lost in the speculation of recent months.”

Fleming also reiterated that the UK has not made a decision about 5G. “There is an ongoing review led by the Digital Department and its Secretary of State, which will conclude its analysis in the spring. Only when that’s complete will the government make a decision about the supply chain balance.

“GCHQ is at the heart of that work. We already have a role managing Huawei’s presence in our existing networks.

The strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company
Jeremy Fleming, GCHQ

“We think this is probably the toughest oversight regime for that company in the world. It’s revealed significant problems with their cyber security practices, which have caused them to commit to a multi-million pound remedial programme.

“As I’m sure you will have seen, we’ve been crystal clear that we will not compromise on the improvements we expect. But – and it’s an important but – 5G security is about more than just Huawei. That’s what the three pre-conditions for 5G security are all about.

“The final thing I’ll say here is that the strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company. It’s a first order strategic challenge for us all.”

Part of being a cyber power, said Fleming, is facing up to that challenge and those posed by technology more broadly.

“We have to understand the opportunities and threats from China’s technological offer. We have to understand the global nature of supply chains and service provision irrespective of the flag of the supplier.

“We have to take a clear view on the implications of China’s technological acquisition strategy in the west. And help our governments decide which parts of this expansion can be embraced, which need risk management, and which will always need a sovereign, or allied, solution.”

In conclusion, Fleming said: “Cyber power is about defending our digital homeland, having the right capabilities to actively protect our interests if we need to.

“It’s about having strong alliances, growing connections, boosting collaboration, and finding ways to encourage openness and collaboration between people and nations to rewrite the rules of engagement for our digital future and to share ideas and work together for stability and prosperity.

“Cyber power is about having the right technical expertise to use cyber power well and having the right legal and ethical base to use it wisely. It’s also about embracing the unexpected and seeing into the future.

“The UK is a global cyber power with the potential to provide leadership in this debate. GCHQ is at the heart of that and will make sure the opportunities presented by this cyber future are fully realised.”

Read more about the Huawei and 5G security

Read more on IT risk management

Data Center
Data Management