Following GCHQ’s plans to create a protective British Firewall, Counter Terror Business asks whether sharing cyber strength is a weakness waiting to be exploited?
The 2015 National Security Strategy (NSS) reaffirmed cyber threat as one of the most significant risks to UK interests. The NSS set out the Government’s determination to address cyber threats and put in place tough and innovative measures as a world leader in cyber security.
Part of GCHQ, the newly formed National Cyber Security Centre (NCSC) became operational on 3 October after first being brought to public attention by George Osborne in November last year. Speaking to thee Billington Cyber Security Summit in Washington DC, Ciaran Martin, director general of cyber at GCHQ and head of the newly formed NCSC, announced a proposal to create a British firewall offering protection against malicious hackers.
GCHQ maintains a mission statement to protect government sites and industries regarded as central to national security from cyber related threats. The new proposal, although still largely in the thought process, would see the agency widen its reach to include major private companies, such as internet providers BT, Sky and Virgin. Likely to be disputable anyway, it would be interesting to hear Martin’s thoughts when a few weeks later it was revealed that telecommunications company and internet provider TalkTalk has been fined a record £400,000 for poor website security which led to the theft of the personal data of nearly 157,000 customers.
Dubbed by many as the UK’s answer to ‘the Great Firewall of china, the ‘flagship project’ will centre on the controversial topic of domain name system (DNS) filtering. Writing in the Guardian, Heather Brooke, author of The Revolution Will be Digitised, claims that this creates a ‘dangerous norm’ that would see the government have control over the information that citizens can access and view online. A centralised system would likely fuel calls for banned or suspected sites to be publicly listed - an issue that the UK based Internet Watch Foundation has faced. So is it a good idea?
Privacy versus protection
There is no doubt that the vulnerability of the UK must be protected, and most agree that such vulnerability lies in the digital space where criminal can gather information that should be unavailable to them. Attacks in the last few years - Talk Talk, Ashley Maddison, the White House and even the UK rail network - demonstrate that vulnerabilities exist, meaning that signals intelligence largely contributes to national security. Martin estimates that there are approximately 200 cyber security incidents recorded every month, and predicts that that number will grow faster than the increase seen in incidents over the last year, where figures have doubled.
The exposure disseminated by Edward Snowden in 2013, however, led to revelations and reservations over the scope of the government’s intelligence reach. Snowden, a National Security Agency (NSA) whistleblower, revealed that the UK and US governments were engaging in the mass surveillance of their citizens, making public the existence of a range of programmes that were gathering and analysing our private communications. The bulk collection of communication data relating to everyone’s online activities is a topic that not only aggravates public opinion, but divides parliamentary discussion. In her remit of Home Secretary, Theresa May had to strongly defend the surveillance powers announced in the government’s Investigatory Powers Bill, which will force the storage of internet browsing records for 12 months and authorise the bulk collection of personal data. The Bill is still, slowly, contentiously passing its way through the House of Lord’s, following a long drawn out struggle between MPs in the House of Commons.
Outside of Westminster, campaign groups such as the Don’t Spy On Us coalition, argue for transparent laws regarding surveillance, a secure web for all, and judicial not political authorisation over the topic. Their view of the need to reject authority over democracy remains the largest obstacle to government.
Force behind the firewall
Firewalls are standard tools for computer defence, controlling what traffic enters and leaves a network. They can, when activated to do so, reject particular traffic on the grounds that is potentially harmful to the network - whether that be a untrustworthy connection request, a suspicious file or the transfer of potential viruses. Most workplaces and domestic internet connections will have this in place, with an IT manager of internet service provider managing the permissions and restrictions.
The proposal put forward by Martin and the NCSC would see organisations considered central to Britain’s national security operate behind this firewall, whereby GCHQ manages what can and can’t interact with the network. There would also be the option for other large and small organisations to opt in. Importantly, the mentioning of such a plan, so far, has indicated that the choice to enter a relationship with GCHQ would be open and unconditional. There is little argument, as of yet, from those in the security industry that questions whether such a move would increase security. But the grumbles of trust, or lack of in regards to company privacy, leaves the debate open to contention and opposition.
GCHQ, and the new NCSC within it, employ specialists to ensure that cyber expertise runs throughout the organisation. Close relationships with industry, academia and international partners enable the agency to amplify the intelligence it gathers from cyber incidents, and share with those who need it. As things stand, and with the little information that has been vocalised, the idea of a national firewall seems rational - and the government-company relationship worth attempting. However, internet governance will always be a topic that distorts rationality, and personal privacy quite regularly overpowers protection.
What cannot be contended is the priority that UK government is putting on cyber security and digital intelligence. MI6, the UK’s overseas intelligence agency, currently employs 2,500 people to deal with intelligence-gathering and operations abroad. The intelligence branch has recently, and publicly, revealed that it is to recruit hundreds more staff over the next four years in response to the pace of change in digital technology.
Following announcements in 2015 that the government would provide the security services with 1,900 additional staff, it appears that MI6 will be the main beneficiary as the government responds to the increasing change afoot in intelligence operations.
While many associate MI6 with James Bond like secret agents (see David Mitchell’s 25 September Guardian article Why do our spies keep telling us everything?), the truth of the matter is that agents, as we know them, are of less importance nowadays than those who lead internet intelligence and access. Access to information, hacking and tracking are all tools that MI6 operate, but are also threats that can readily be used against them. To be ahead of the game, you certainly must first have a strong presence in the game.
Alex Younger, the head of MI6, acknowledged this point by admitting that opponents who are ‘unconstrained by conditions of lawfulness’ are leaving the agency with no option but to ‘change the way that we do stuff’.
Speaking at the same Washington conference, Younger said: “The information revolution fundamentally changes our operating environment. In five years’ time there will be two sorts of intelligence services: those that understand this fact and have prospered, and those that don’t and haven’t. And I’m determined that MI6 will be in the former category.
“The third and most important part of British intelligence is the surveillance agency GCHQ, which in partnership with the US National Security Agency, is responsible for scooping up most of the intelligence through tracking phone calls, emails, chat lines and other communications.”
Firewall or no firewall, the UK is rightly acting to make sure that it’s digital defence is as robust as need be. Central surveillance will divide opinion, but securing cyber activity, with more specialists weakening the likelihood of cyber risk, is certainly a direction worth pursuing.