The rate and scale of cyber attacks GCHQ sees on a daily basis should help focus the thinking of all UK organisations.
So said Ciaran Martin, director general of cyber security at GCHQ.
“We have been genuinely surprised by the extent and variety of UK organisations subject to intrusions,” he told the opening session of Infosecurity Europe 2015 in London.
Martin said that, while some attacks have a “scatter gun” and opportunistic approach, others are much more targeted and capable.
Given this state of affairs, Martin said thinking about the motive of attackers and what sort of risk organisations might be running is a useful way of identifying how to implement effective cyber security.
He said it is important for organisations to move beyond focusing only on preventing cyber attacks, to include strategies for reducing the impact of attacks – which is now at the core of GCHQ’s approach.
“Nowadays it is not always about stopping attacks always and everywhere. There are too many of them and some will get through,” he said.
“The objective and focus of information security professionals should be to render those attacks as irrelevant as possible to the organisations and their employees.”
Protect what matters most
This is the thrust of the government’s publication – entitled Ten steps to cyber security – which encourages organisations to reduce their vulnerabilities and make it harder for attackers to get in.
He encouraged organisations to recognise that determined attackers will always have a decent chance of getting in, so it is important to identify what matters most and ensure that is well protected.
“I have lost count of the number of times we have gone into organisations at their request and had to advise them to work out what matters to them the most,” said Martin.
“This generally has a huge and helpful impact, and it is a challenge we at GCHQ have had to apply to ourselves.”
For example, he said GCHQ’s website has often been the target of distributed denial of service (DDoS) attacks and, while the agency defends against those attacks as best it can, the public website is not an “existential security risk” for the organisation: “We had had to work out what we want to defend the most and behave accordingly.”
Organisations are also encouraged to test the assurances they have been given, said Martin: “Test, test, test and then challenge, challenge, challenge.” This is the only way to build assurance, he said.
According to Martin, GCHQ is rarely surprised in a positive way when it is asked to look in depth at an organisation’s information security. “It happens, but it is rare. It is more common to find that some basics are not being done.”
Returning to an earlier point, Martin said organisations need to know how to clean up if they are attacked, how to keep the business going – or where to get help to do these things.
Next, he said it is important for organisations to recognise that people are as much part of the problem as they are essential to the answer. “You can’t work out what you care about most and you can’t mitigate the risk without getting the people seriously engaged in that discussion,” he said.
Turning to GCHQ’s role in advising on cryptography and information assurance for government, Martin said its role only works because GCHQ has a world-class intelligence capability.
“If we want to protect the UK from the darker aspects of cyberspace, we have to be able to understand how it works,” he said.
GCHQ and privacy concerns
Martin acknowledged that GCHQ’s intelligence role had been the source of controversy around privacy, but said he could not and would not talk about that in any detail. He also dodged questions on the topic after his presentation.
He said the recent Queen’s Speech set out a process for considering legislation on the “proper powers” for national security and law enforcement bodies in this area, and that it was for ministers to propose what those should be and for parliament to debate.
“All I will say is that everyone in GCHQ is acutely conscious that we are entrusted with very significant powers under the law, and we use those powers extremely carefully,” he said.
Martin also quoted a report, compiled over a year ago by the Interception Commissioner Anthony May, that answered with an emphatic “no” the question of whether GCHQ engages in the random mass intrusion into the private lives of law-abiding citizens.
Just as GCHQ does not have enough resources to engage in unlawful mass intrusion, he said the agency is not big enough to “put a big cyber security umbrella over the whole of the UK”.
“Therefore [our] direct role has to be focused on the high-end threats and attacks that the secret state is best-placed to detect and frame a response to, such as risks to national infrastructure,” said Martin.
However, as the lead public authority on cyber security, he said GCHQ is doing much to promote better general standards of cyber security, through publishing guidance and through involvement in initiatives such as setting up business-sector information-sharing partnerships and licensing cyber security providers.