Inside the National Cyber Security Centre

The new chief executive of the National Cyber Security Centre, Ciaran Martin, and other senior members of NCSC staff give their take on a more open, more outgoing arm of GCHQ.

The GCHQ base in Cheltenham is a building the size of Wembley stadium, bristling with security cameras, patrolled by armed guards and surrounded by tall fences that are topped with razor wire. The organisation’s new London headquarters, however – the National Cyber Security Centre – occupies two floors of a glass-walled office building in Victoria. It’s a very smart, new office building, but there is a distinct lack of razor wire, and none of the receptionists appear to be carrying automatic weapons.

The NCSC’s open environment is illustrative of its approach, particularly where businesses are concerned. While much of its operational work will remain classified, the NCSC will invite people from the private sector to train within its walls. Following an official opening by the Queen, Philip Hammond delivers a speech in which the digital economy is mentioned before national security, and in more detail.

“The private sector is piling in extensively here today,” agrees Ciaran Martin, the NCSC’s chief executive. “We’re getting 100 private sector people in to work here,” he adds, referring to the Industry 100 initiative, which will “embed” 100 workers from across the private sector in the NCSC to share expertise. “It’s not one of those areas where the private sector is telling the government to back off – they’re asking to work with us, and we’ve got plenty to learn from them.”

The NCSC will also be heavily involved in securing the public sector, helping to co-ordinate cyber defences across bodies from the MoD to the smallest local council. “Local government is a major concern for the NCSC,” says Martin, “but let me be nice to local government. They are under significant financial pressure, they’ve got all sorts of obligations, and this can be quite complex stuff. There are 380-odd local authorities in Great Britain. Some of them, like Birmingham, are the size of decent-sized companies, and some of them are very small. If you’re a small local authority, I think that in the past, organisations like mine have been slightly too lecturing towards you about what you’re not doing right, and not sympathetic enough to the fact that if you’re trying to run, for example, a small rural local authority, you’ve got lots of citizen data but you’ve got lots of other responsibilities, and it’s quite hard to get the right people and the right tools in place. It’s quite hard to even know where you can look for help.”

Martin aims to change that by introducing simple, effective tools that will help public bodies of all sizes secure themselves. “One of the things that we’re proudest of, which we’ll be rolling out later this year – and which has been exhibited in front of the Queen today – is WebCHeck. What WebCHeck does is, it scans websites for vulnerabilities and it says ‘here’s where you’re good, here’s where you’re bad, here’s where your certificates are out of date.’ It gives you a report that’s automatically generated, and it tells you how to fix it. We’re giving that to local government for free.”

These NCSC-developed tools will also become available to small businesses. The centre recently built a tool to eliminate spoof emails that appeared to be from HMRC: “The code that we used to stop HMRC spoofing, we’re making freely available today. That means that if you run a small business with an internet domain address, you can work out who, if anybody, is spoofing you and what you might be able to do to thwart them. We’re trying to do things that make it that little bit simpler for people who may not have the resources and time of a larger government or private sector organisation, just to make it a little bit easier to take sensible, risk-based decisions and make the improvements that will help. Because every little helps, in cyberspace – if you raise the bar a little bit, attackers can go elsewhere.”

The NCSC’s technical director, Dr Ian Levy, says blunt instruments are still too effective in cyberspace. “It’s important to differentiate the sophistication of the attack with the level of the impact. The two are not correlated; you can have a really, really simple attack that causes a lot of national impact. Take TalkTalk as an example – a very, very simple attack had a huge effect across a large number of people. Whether it should have done is another discussion, but it did. It changed the public consciousness; a lot of the very sophisticated attacks don’t have that same sort of impact on a large number of people. Some of them are not about disclosing large amounts of personal data, or stealing, or making money – they’re about traditional statecraft, and that has a much lower impact on your average population. It can have a national security impact, but one of the things we need to change the narrative of is the difference between the sophistication of an attack and the impact of that attack.”

State-level attacks

While much of the NCSC’s work will be in making the UK a “hard target”, as Martin describes it, for cybercriminals of all kinds, the centre remains a part of GCHQ. Its work will also encompass the new possibilities digital technology has opened up for espionage, diplomacy and war. At the centre of one of the exhibits shown to the Queen and other visitors on the opening day is a grey box, about the size of a biscuit tin, a few lights blinking on its front. Easily ignored by the passing dignitaries, this box is of particular significance in security circles. It is a programmable logic controller, or PLC. These controllers are found everywhere moving parts need to be automated and controlled – in factories, power stations, aeroplanes, trains, and automatic doors. In 2010, a mysterious and highly sophisticated piece of malware appeared that targeted one specific model of PLC, in a very specific configuration, and caused it to malfunction, causing serious damage to the equipment it controlled. The equipment it targeted was later identified as the enrichment technology used in the Iranian nuclear programme.

The display also contains a laptop. Tap a button, execute a command through the malware on it, and a light on the PLC changes from green to amber. In December 2015, an unknown hacker tapped just such a button. Moments later, the lights in 230,000 Ukrainian homes went off.

A member of NCSC staff who declined to be named said that his greatest worry with regard to this type of attack was that it could be used on the gas grid. “If the gas network was depressurised,” he told me, “it could take up to a year to get it back.” These are the more worrying scenarios the NCSC must imagine and plan for; a winter without central heating would bring the NHS to its knees, at the very least.

Jacqui Chard, the NCSC’s Deputy Director for Defence and National Security, says that a national security level cyber incident could take many forms. “It’s about the impact across government or across citizens,” she explains, adding that at the most serious level, the NCSC helps to plan against and prevent attacks that would cause “serious damage, loss or disruption of critical services or systems for the nation – which could be critical national infrastructure, the parliamentary system, defence, our finance institutions, or our transport system.”

“From a defence point of view,” Chard says, the most serious type of cyberattack would be one that looks like an enemy preparing the battlefield, that “impacts on the strategic planning for our military forces. Or, if we were subject to attacks on our soil, how we’re going to co-ordinate – so, if communications between government at the highest level were affected. That’s where we’re focusing for the biggest risks for the country at the moment.”

While attacks of this type are fortunately still mostly theoretical, it does look increasingly as if cyberweapons are capable of causing loss of life on a similar scale to the kinds of weapons that are bound by international treaties. Steps in this direction were taken in 2015, when the Chinese government agreed with the US and UK “not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information” (in the words of the China-UK statement). Asked why she thinks this statement did not include a statement on national security, Chard replies that “The business agreements that we’ve made are a matter of national security. They’re for our prosperity as a country, so we absolutely see those as part of that.”

The new diplomacy

With the growing power of cyberattacks to cause devastating consequences across borders comes the thorny issue of determining where an attack has originated, who ordered it, and if a government was involved. It is likely that the difficulty of attribution will have profound effects on diplomacy in the future, and a key role for the NCSC will be to provide evidence of the involvement of other nation states.

Both Ciaran Martin and Michael Fallon have spoken publicly about a “step change” in Russian cyber aggression, but Martin says certainty is still hard to come by. “Attribution can be very difficult, and a lot of the detection work on state attacks is in the classified area of where we work, even though we work a lot in the open. But in general terms, in my three years of looking at these [incidents], sometimes you have direct evidence of named individuals with pictures, and sometimes you have very little clue as to even what country an attack might be coming from.” Furthermore, “attacks could be coming from within a particular country, but that’s not necessarily the same thing as being sponsored by that country, or even tolerated by the government of that country.”

What makes international relations even more complex is that increasingly, and especially with regard to Russia, technology allows other “actors” to expose secrets and disseminate lies at scale. This is particularly effective when it comes to elections. The extent to which Russia may have been able to influence the US presidential election is the subject of furious debate, but the UK’s political system is not immune to intervention either. Last year, GCHQ revealed that it had tracked and thwarted what Martin calls “activity” with regard to Whitehall servers. “There was activity we noticed,” he says, “because we notice activity all the time, that was in and around institutions that may or may not be related to the possibility of an attack on the election.”

Governments and political parties are going to have to recognise the threat this “activity” represents. Martin says no formal requests have been made by specific parties for help, but that he expects these requests to be made.

Ultimately, he advises that to safeguard British politics, “you need to look at the system as a whole, all the way through from government institutions to parliament, to institutions that are influential in political life, like the media, like think tanks – way beyond political parties, even to high-profile individuals whose views are of interest. It’s about the totality of that. So we’ll publish data and recommendations about how to mitigate these sorts of attacks, and we’ll look at the most aggressive actors and try to find out what they’re targeting. That’s probably better than trying to predict the precise route of attack on the British political system.”

Will Dunn is the New Statesman's Special Projects Editor. 

China’s strategy to become the world’s strongest cyber power

Nigel Inkster, former operations and intelligence director of MI6, analyses China’s efforts to impose order on its vast online community.

When just over two years ago I began researching a book on China’s cyber power, mainstream western media were full of stories about China’s alleged programme of state-sponsored cyber industrial espionage directed against US and other western corporations. Following an agreement between Presidents Xi Jinping and Barack Obama in December 2015 that “neither the US nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage”, that story dropped out of the headlines. But the importance of China as a cyber power has not diminished and understanding China’s capabilities and objectives in the cyber domain has become a key element in understanding its global strategic objectives. It is also an important prism through which to understand China’s long struggle to achieve modernisation whilst retaining its cultural and political self-esteem.

China came out of the Cultural Revolution in a state of economic and technological backwardness that demanded urgent attention. Its new leadership was seized of the important role modern ICT would play. Although the internet did not become accessible to ordinary Chinese citizens until 1996, the subsequent take-up has been dramatic. China has over 700 million “netizens”, the majority of whom access online services through smartphones. In 2015, the total value of online sales was $581bn, making China the world’s largest digital marketplace. The Chinese government has ambitious plans to switch from an export-dominated economic model to one based on domestic consumption; and to move up the value chain to break free of a middle-income trap. A key enabler will be an Internet Plus strategy that aims to integrate the real-world and digital economies.

In pursuing this, China’s government had to confront two vulnerabilities. The first is the potential of the internet to serve as a vector for subversive influences that challenge the Communist Party’s legitimacy. The second is a high level of dependence on western – largely US – technologies and software, seen as a security threat. From the outset China’s authorities sought to control online content through a combination of firewalls to filter externally generated content, regulation of service providers and censorship; the latter becoming ever more technologically enabled but still reliant on large numbers of censors and pro-government activists who promote and defend official views on social media sites such as Weibo.  

The result has been a cat-and-mouse game in which China’s netizens have sought to bypass censorship by relying on the infinite capacity of the Chinese language to generate homonyms for terms which are banned, giving rise to a rich lexicography of online dissidence. But it is a game the authorities are winning thanks to technology dominance and the huge manpower resources devoted to an issue seen by the leadership as existential. This is not to say that the Chinese internet is characterised by an atmosphere of sterile ideological conformity; in many respects it is more vibrant and anarchic than its western equivalent and has been used to good effect by its citizenry to hold officialdom to account. But first under Hu Jintao and ever more under Xi Jinping a climate of greater political and cultural conformity has led to popular bloggers – so-called Big Vs – being shut down. And China is unapologetic about asserting an approach to the internet based on the concept of cyber sovereignty, in effect its right to determine what its citizenry can access.

Meanwhile, China is pursuing a policy of indigenous innovation to reduce dependence on western technologies. Dependence on western ICT is such that when in 2014 Microsoft announced that it would cease supporting Windows XP it subsequently had to make an exception for China, such was its reliance on that system. That dependence will take time to erode. But there is a growing number of indigenous Chinese software companies, Chinese smartphones and other devices are increasingly competitive with western equivalents and Chinese entrepreneurs have shown considerable ingenuity in developing and marketing a range of online services. As the Chinese state seeks to impose greater order on what to date has been an anarchic and insecure Chinese cyber environment, new laws have imposed greater demands on western companies such as the provision of source code. China is seeking to leapfrog the west in key areas of ICT including artificial intelligence (AI), quantum encryption and quantum computing. And the Chinese government is facilitating the purchase by Chinese companies of western technology start-ups. In 2014, $22bn had been spent on such deals, which have significant medium-term implications for the competitiveness of advanced industrial economies including the UK, France and Germany.

The global outlook of China’s leadership is dominated by the so-called Century of Humiliation covering the period from the mid-19th century up to the founding of the People’s Republic in 1949 during which China was virtually colonised by the west. The determination not to repeat this experience has translated into a transformation of China’s defence posture from a land-based, low-tech, mass-mobilisation force to one that is increasingly based on a capacity for naval force projection with a view to securing China’s supply lines and protecting its growing range of overseas interests. Digitisation is seen as critical for China’s efforts to develop armed forces on a par with its only real comparator, the United States. This is exemplified by an ambitious reorganisation at the end of 2015 which led to the creation of a new Strategic Support Force that combines signals intelligence, electronic warfare and information warfare capabilities within a single organisation that also has responsibilities for space-based activities. After a long period of coyness PLA officers now talk openly of China developing offensive cyber capabilities albeit at a “moderate rate” and in response to the activities of states such as the US.

This posture also translates into a more assertive foreign policy, no longer merely concerned as until recently with ensuring peace and stability to permit economic development. China probably does not aspire to replace the US as, in their words, “global hegemony”.  But it does wish to move from a global governance system dominated by the US and its allies to a world that is multi-polar and which respects different political and cultural systems. And to transition to a “new security concept” which while broadly respectful of international institutions like the United Nations, also subordinates customary international law to the interests of major powers. Here too the cyber domain plays a major role with China championing its vision of a global cyber governance and security order where the USA is no longer predominant. This vision enjoys some support in the developing world, not least due to the activities of national champions such as Huawei and ZTE who are building and operating core backbone IT infrastructure systems in countries that would otherwise remain on the wrong side of the digital divide.

To revert to cyber espionage, it is now clear that US threats of financial sanctions against Chinese companies deemed to have benefited from the theft of US intellectual property (IP) persuaded China’s leaders that this particular game was no longer worth the candle. The “noisy” reduplicative exploits that characterised so many cyber-attacks emanating from China are now much less in evidence. But cyber capabilities have become a major enabler of Chinese statecraft and are inter alia reducing the space within which overseas-based opponents of the regime can operate. For better or worse China is transitioning from being a large cyber power to being a strong cyber power and can be expected to play an increasingly prominent role in this space.

The west will have to get used to living in a world in which it no longer enjoys the unquestioned technology dominance to which it has long been accustomed.