leowolfert - Fotolia

Raising cyber security grasp is biggest challenge, says GCHQ chief

Everyone has a role to play in cyber security, and the NCSC has the right pedigree to co-ordinate and balance the efforts of government, industry and academia, says GCHQ director Robert Hannigan

Getting people to understand cyber security has been the biggest challenge for outgoing GCHQ director Robert Hannigan since he took charge at the intelligence agency in 2014.

“The baseline of understanding across society and across government is still very low,” he told the CyberUK conference in Liverpool convened by the National Cyber Security Centre (NCSC).

“We need to change that, and it will take time,” he said. “But people will look back in another 10 years and ask why more wasn’t done earlier by governments to clear out all the rubbish.”

This is what the NCSC is beginning to do with its “active defence” programme, which includes blocking spam email messages that appear to come from a government department.

“I think people in the future will ask why this [government department email spoofing] was ever allowed to happen,” said Hannigan.

Everyone should do something about cyber security, but the challenge is to find the right balance between what individuals, companies and governments should do, he said.

Hannigan said he was most proud of what GCHQ had achieved in counter terrorism over the past 10 years.

Earlier, he said that when he took over as head of GCHQ, Islamic terror groups and cyber attacks were the two biggest threats facing the intelligence agency.

Considering this combination, Hannigan said one of the first things to do was to “re-legislate” and, as a result, he said the UK has the world’s most transparent legislation on interception, referring to the controversial Investigatory Powers Act, commonly referred to by its opponents as the “snoopers’ charter”.

“People may not like bits of it, but it is absolutely transparent and involves judges in a new way, which is a huge step forward,” he said, echoing the view of former GCHQ head David Ormand, who told a security conference in London last October that the UK would be the first country in Europe to bring the secret surveillance activities of the state fully under modern rule of law.

Education programme

But there is a big education programme to be done alongside this, said Hannigan, in light of the fact that the courts’ one criticism of GCHQ was that it said nothing about its interception activities.

“The courts have never criticised the way we collect data, what we do with it or the way we gather intelligence,” he said. “The one criticism has been that we didn’t say enough about it – and they were correct, so we have tried to put that right in recent years, which has been a big change.”

Hannigan, who, in an article in the Financial Times in November 2014, criticised big US tech companies for aiding terror groups by not co-operating sufficiently with intelligence agencies, said that although this continues to be a problem, things have improved.

“However, I was trying to touch on a much bigger issue, which is that the internet and these companies are relatively new and they are trying to cope with the problem of responsibility for content,” he said. “While they started by wanting to be neutral conduits of data, they have gradually realised they are responsible content, but it is a debate that is still evolving.”

Read more about cyber security

Hannigan said this reflects the fact that the internet is a relatively new creation and that it was not planned. “It is a gloriously chaotic and innovative thing and society is still trying to figure out how to cope with that, including how we do security,” he said.

Commenting on the creation of the NCSC, Hannigan said it was driven by the goal of wanting to make the UK the safest place to do business online after discussions with the then coalition government about the UK’s ambition on cyber security.

To achieve this goal, there was a need for coherence, prompting the decision to put all things cyber under a single organisation, he said.

Hannigan said that GCHQ, having been an expert consultant for decades, then made the decision to step up and lead this initiative for government, which meant “a big cultural change” for an organisation that had previously had a very low public profile.

“And having headquarters for the NCSC in London, Victoria in a public building was a deliberate choice because it had to feel that it was joined with industry and open,” he said. “Industry involvement is necessary because we need experts at the heart of this, coming up with solutions, not just ever-better processes.”

Both sides of the coin

The NCSC is the operational arm of GCHQ, said Hannigan. “It is part of us and the reason we are good at this is because we have been doing both sides of the coin [intelligence gathering and security] for nearly 100 years.

“I often use Bletchley Park as a paradigm for this because Alan Turing, for example, spent more of his career with us doing information security – secure telephony, in his case – than he did doing code breaking. That has been true of some of our best people and why we, more than other countries, are pretty good at it because we do both sides and understand both sides.”

The NCSC is designed to provide a single, central body for cyber security at a national level. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

The NCSC’s CyberUK conference is aimed at forging a cyber defence community in the UK by bringing together 2,500 industry experts to discuss reducing the cyber threat and deterring would-be attackers.

The conference includes a series of interactive workshops, technical challenges, and a Dragon’s Den-style event in which 12 cyber entrepreneurs will pitch their inventions to protect businesses and consumers against cyber attacks.

Read more on Hackers and cybercrime prevention