Just over a year ago, Robert Hannigan stepped down as director of the intelligence agency GCHQ. In the time since, cyber security has dominated the British news agenda in a way it never has before. The WannaCry computer virus paralysed dozens of NHS trusts within weeks of Hannigan’s departure. Two months later, NotPetya – an even more virulent strain of malware – forced manufacturers across Europe to shut down their factories for weeks on end.
While the two viruses have since been linked to North Korea and Russia respectively, they shared a common set of code: EternalBlue, a Windows exploit that had been developed and stockpiled by the US National Security Agency. The NSA reportedly only told Microsoft about the vulnerability after it was stolen by hackers. When WannaCry started spreading, Brad Smith, the software giant’s president, compared the theft to the US military losing “some of its Tomahawk missiles”.
So does the NSA bear responsibility for the attacks? “Not really, given that the vulnerability had been patched,” says Hannigan, who now advises the private sector. Microsoft had issued security updates, but thousands of customers, including NHS hospitals, hadn’t updated their systems in time. He adds: “There is a bigger policy question around vulnerabilities; about the default position being that anything that compromises public safety should be reported.”
Given how many critical infrastructure providers rely on Windows software, doesn’t EternalBlue fall into that category? “The problem was organisations not being able to patch XP, as I understand it anyway.” Microsoft had stopped supporting the operating system, meaning some organisations were unable to protect their networks. “It’s a genuinely difficult ethical question,” he adds. “If you want agencies to do difficult things you have to have some tools to do it. But I agree that in most cases they should be reported because certainly for GCHQ, the first responsibility is the safety of the public.”
In recent weeks, the Cambridge Analytica scandal has prompted regulatory investigations, wiped billions of pounds off Facebook’s share price, and attracted the attention of policymakers on both sides of the Atlantic. But despite the elevated status of cyber security in Whitehall and Westminster, Hannigan says he doesn’t miss working in government: “I miss GCHQ itself; I miss the people and the technology. There’s a great buzz about the place. But I did 20 years in government and that’s probably enough and I’m very happy there are other competent people doing it – people more competent than me.”
Politicians have recently faced a barrage of criticism for failing to understand the systems they are trying to regulate. During Mark Zuckerberg’s first congressional hearing last month, the Facebook CEO was quizzed about the privacy of messages “emailed” over WhatsApp, and how the social network makes money if it doesn’t run adverts. “This is a generational issue,” says Hannigan. “It’s hard to be a politician trying to regulate something that wasn’t really around when you were young. It’s moving so fast – so I have sympathy with them. Their job is to reflect voters’ feelings, not to say there’s an easy technical solution or what it is.”
One of the most pressing security issues facing the UK government today is how to protect the country’s critical systems. While the US has hardened its stance against foreign tech companies over the last few months, Theresa May has signed new deals with companies such as the Chinese telecoms giant Huawei. The firm operates a cell in Oxfordshire to combat Chinese hacking on behalf of the government. Hannigan says it’s generally regarded as having been successful in giving “a reasonable level of assurance”: “The issue is how do you scale it up for all companies and all national security issues? That’s quite a challenge.”
Hannigan led GCHQ for just two years before standing down last spring for family reasons, but he is credited with bringing the agency out of the shadows following the Snowden revelations. Having served in No 10, the Cabinet and Foreign Offices and Northern Ireland, he was unusually visible for a spy chief. He gave prominent speeches, launched the public-facing National Cyber Security Centre and attempted to forge closer working relationships with the tech giants, even if it sometimes meant singling them out for criticism.
Hannigan is still on Silicon Valley’s case. “There are so many good things that will come out of better use of data, particularly in healthcare. We don’t want a data-enabled economy to be jeopardised by tech companies doing stupid things. That’s the worrying thing for me about Facebook and Cambridge Analytica.” But Hannigan’s frustration is not reserved just for industry. “The potential of human progress through the internet is massive,” he adds. “It could be jeopardised by a failure of governments to prioritise good security and resilience.”
When it comes to cyber security, the UK and US governments have grown more vocal over the last year. Given the difficulties in attributing cyber attacks, officials tend to shy away from naming nation states. But in recent months, both governments have blamed North Korea for WannaCry and Russia for NotPetya. In April, GCHQ and the NSA also joined forces to release a joint technical alert for the first time, detailing Russia’s alleged attempts to hijack internet infrastructure. This was, Hannigan suggests, a veiled warning for Moscow: interfere with these systems and we’ll know it was you.
Deterring governments from using cyber weapons, Hannigan says, requires a different approach to conventional weaponry: “In a world where everyone denies everything, how do you have an enforceable arms control model in cyberspace?” Cyber weapons are different to conventional weapons in another important respect too: the complexities of predicting collateral damage. This makes it harder for states such as the UK to retaliate. “When you drop a bomb on something, you know what it’s going to do,” says Hannigan. The same cannot be said of cyber attacks. Once a virus has been released on to the web, it’s impossible to know where it will end up. “I can’t believe, for example, that the Russians intended to take down half the manufacturing companies in Europe,” he adds. “The important point is that they didn’t care.”
After the former British spy Sergei Skripal and his daughter Yulia were poisoned in Salisbury in March, commentators speculated that the UK government might respond by launching a cyber attack on Russia. Hannigan dismisses the idea: “Trying to find cyber responses that target those individuals who are responsible for bad things is quite difficult. Economic sanctions frankly make more sense to me very often. The impact of what the US has done around economic sanctions on those around Putin is far greater than anything else that has happened, even than the expulsion of diplomats, which was in its own way impressive.”
During a keynote speech at IP Expo Manchester last month, Hannigan warned that the Skripal poisoning indicated Russia’s intentions have dramatically evolved. “It’s not surprising that over the years, we and other countries have found Russian intelligence services on our networks,” he said. “What is worrying is the intent has clearly changed. A country that is prepared to use chemical weapons on the streets of a UK town may want to do reckless things in cyberspace.”
There is growing support for an international treaty defining and governing cyber warfare. Microsoft’s Brad Smith called for the creation of a Digital Geneva Convention last year. At the RSA security conference in San Francisco last month, Microsoft took this idea a step further, bringing together 34 tech companies to sign an accord promising to protect users and customers from cyber attacks regardless of their origin. The UN secretary general Antonio Guterres has also called for new rules for cyberspace.
Hannigan supports the principle of a treaty, but fears that as a starting point it may be too ambitious. He warns: “If you go immediately for the treaty, you’ll end up just endlessly talking.” Instead, he suggests the process should be divided into sectors where a consensus is likely to be reached: “Start with health, for example, and say ‘we’re going to come up with these ways of behaving with technical infrastructure for health’.”
The initiative could be industry-led, but would need the support of government: “I think it would be good for governments to engage with the tech accord, to engage with Brad Smith’s Geneva Convention idea and to say: ‘well, why don’t we sit down – government and industry – and see what might this look like?’ Make it West and East, make it non-threatening. […] It doesn’t need to be legally binding if there’s no way of enforcing it.”
It’s expected that hostilities in cyberspace will intensify in the coming years. But Hannigan is hopeful that cyber security could, ultimately, serve as a way to bring political leaders together: “That might be massively optimistic, but the internet is so obviously a shared resource and so obviously not owned by any particular government. This could be a place where there is common agreement in a geopolitical context that is otherwise pretty stormy.”