One of the Government’s most secretive intelligence agencies is emerging from the shadows for the first time. For almost 100 years the ‘listening agency’, GCHQ, has uncovered vital information from decoded messages, detected threats through phone calls and emails – and increasingly – protected the UK from hostile cyber attacks. Now, in an unprecedented move, two of its most senior staff have agreed to be jointly interviewed to explain their wider mission to help guide firms and the public in the fight against cybercrime.
The Government’s communications agency could never be accused of overdoing the branding. The address for our interview is an anonymous door, beside a coffee shop, on an anonymous London street. No sign indicates to passers-by the line of work of anyone who might pass inside – or even if the building is in use at all.
Inside an empty entrance hall betrays no further clue to our location. The single exception is a line of grey lockers along one wall. In this building at least, the agency sometimes described as the UK’s ‘digital spooks’, would prefer you to check in any phones or recording devices beforehand.
Upstairs, on the first floor of this 1930s office block is a sparse room with a boardroom table and three disconcertingly large video monitors, where two of Britain’s most senior GCHQ staff make themselves known. Both are so utterly different that any preconception of this as a bland, but secretive, civil service disappear quickly out of the carefully-lined window.
First into the room is Ciaran Martin; tall, measured and thoughtful with a dry wit – a former high-ranking Cabinet Office and Treasury official, he is the agency’s director-general of cyber security.
The second is Dr Ian Levy, bearded, more casually-dressed and outspoken, the technical director of GCHQ’s cyber security mission. An expert in his field, he once previously described himself as ‘the evil Cheltenham security geek’ when presenting a paper – hilariously called ‘Fighting The Winged-Cyber-Ninja Monkeys’ – to industry professionals after describing the original title of ‘cyber security’ as frankly too boring.
In a world where both their identity and their work has been secret for so long, the pair are gently stepping into the role of explaining some of what this long secret agency does – and what it can do to protect Britain in the modern cyber age.
The change came late last year when the Government’s intelligence agency was tasked with setting up a new National Cyber Centre for the UK “It is a big national priority” Ciaran Martin says, “Transforming GCHQ.”
The decision stands to revolutionise the services of the agency whose work has largely been kept from the eyes of the public for the best part of a century.
“There is much more expectation to inform and help,” Ciaran says. “There are some extremely sophisticated threats out there which are matters of State and we are expected to act as defenders of the State for the Government and areas of crucial national infrastructure.
“But our new role will also involve looking out for the cyber health of the UK,” he says. “It requires us to get out there and talk to people.
“GCHQ needs to ‘project and amplify’ to allow millions to deal with the low level threats, leaving GCHQ to deal with the biggest, nastiest threat attacks – what the agency call advanced persistent threats (APT).
“We generally divide it into advanced threats and what we like to call those from ‘adequate pernicious toe-rags,” Ian says a touch more frankly.
The number and scale of cyber attacks of all kinds in the UK is on the rise. Robert Hannigan, GCHQ’s director, has confirmed: “The organisation detects a wide range of cyber attacks every day. The threat is growing in number, sophistication and impact.”
The Chancellor George Osborne revealed in November that GCHQ deal with 100 cyber national security incidents a month – twice the rate of the year before.
“Have a look at a website called Zone H, (an archive of hacking attacks),” Ian says. “It tells you how many departments with a .gov.uk address have been hacked in the past year. At last count there were around 1067 – that’s not on!”
Attacks on the private sector have also risen quickly, but Ian adds a note of warning. “A lot of the costs of an attack on business are often exaggerated, and many people are reacting like bunnies in the headlights,“ he says.
“Yes, being hit by a cyber attack is a big risk. But you need to treat it the same as all other risks.”
Ciaran chimes in: “We would like the majority of common attacks to be managed by other people, so we can concentrate our energies on national defences. A lot can be done more straightforwardly to start to reduce the impact of common attacks.”
“While attacks are showering in across the UK every day, there are ways we can suggest that will be reasonably effective umbrellas. They won’t protect against rocks, but they will protect us against showers – if that works as a metaphor?” he adds with a touch of self-mockery.
“We believe we can get 80% of the way – and the final 20% will take a lot more effort. But let’s be clear, we’re not trying to nationalise the cyber security industry – the Government have just tasked us with trying to produce a better national framework.
“Certainly in the organised crime space, our assessment is there are decisions made by the attackers, very like if they were running a big company and using a management information dashboard. If they have a line of business and they see one kind of attack making high margins, they will launch more attacks, but if you make it even slightly harder then it might be not worth their while.”
Amongst the suggested defences GCHQ has published, is advice to web designers and administrators not to continue to make employees and customers remember an endless sequence of passwords.
“Our password guidance was mainly aimed at system designers mainly because they do some stupid things,” Ian says. “Currently the situation is equal to the average person remembering a different 660 digit number every month. That’s terrible to be honest, so by changing the system they can make people’s lives easier.”
Among the suggestions the agency recommends is using passwords made from three random words or using password managers and jettisoning overly complex password rules in favour of systems capable of detecting unauthorised activity.
“We generally divide it into advanced threats and what we like to call those from ‘adequate pernicious toe-rags”
In future there may even be other ways to identify yourself using systems like mobile payment systems, the Trusted Platform Module (TPM), bank credit cards and even your FitBit.
In a single brief example, Ian highlights the scale of the digital challenges facing the UK. Recently he has been examining the £12 billion smart metering system, new energy meters the Government plan to begin installing in every home from later this year.
“The issue,” Ian says, “is will they let someone disconnect all the power to your house? Or can someone turn off the right number of meters in the right way to cause a collapse in the grid’s systems?
“The guys making the meters are really good at making the meters, but they might not know a lot about making them secure. The guys making head end systems know a lot about making them secure, but not about what vulnerabilities might be being built into them.
“In the design of the system, we’ve assumed that vulnerabilities exist in each component and designed the system so that it’s tolerant to those weaknesses. The resilience is gained by needing three independent exploits or failures to happen to cause any large scale effect. This is all being done to protect the population itself.
“I’m not talking about small outages here, because frankly you could take out the supply cabinets of 100 houses with just a hammer! So we’re working on some wider analysis with a few universities.
“The threat is growing in number, sophistication and impact”
“Assuming attacks will come and assuming the vulnerabilities are there – what is the impact? This is how it works, how do I protect it?”
The question of how to cope with the digital threat also raises questions about how so much public and private advice can be provided publicly by an agency that has spent almost a century in the shadows.
While, at least a section of the public may also fear they will be hacking their emails or listening to their phones.
“The polling we’ve done shows we are trusted – people want to engage with us and work with us,” Ciaran says. “But there’s no question that we can’t take the public trust for granted.
“We need to use bulk data to decipher the cyber threats facing the UK, but people should not think that we’ll be trawling through their emails or Facebook accounts. There are clear processes we have to go through to get warrants. We need to make the case for each investigation in the national interest.”
The task of putting forward their case is also helped by, “over 150 pages of advice on our website including advice on the various methods of encryption – so we need to nail that particular canard before it gathers momentum,” he adds.
But the secrecy won’t help surely? How does an agency based from a secret address help inform the public?
“Our Cheltenham location isn’t secret,” he responds quickly. “We even have a bus with a sign on it waiting at the local railway station every morning,” he says of GCHQ’s doughnut headquarters. “We have groups of tourists turning up thinking it’s a football stadium.”
Parts of the new National Cyber HQ itself will also not be top secret. “It will have the same security of a large corporation or a mainstream government department,” he says.
Our interview is briefly interrupted as a group of intent looking staff arrive for a video conference – a series of faces flicker into view on the monitors in front of us.
So there will be a new culture of openness on cyber security – even allowing the press to peek behind the ‘cloak and dagger’ facade?
“Yes, that’s right,” Ciaran adds with a glance towards the street outside the anonymous- looking window.
“We could have done this interview in the coffee shop downstairs really.”
The ‘Simple Stuff’
GCHQ say dealing with the ‘simple stuff’ can mean a host of relatively straightforward solutions for firms trying to tackle cybercrime.
Getting companies to identify emails that originate from outside the firm
“Most attacks start with an email,” Ian says. “So let’s highlight emails that come from outside the company. “If you are dealing with a request from the Chief Financial Officer about staff remuneration it will raise a question mark if that comes from somewhere else.”
Educating the administrators.
“We can’t advise everyone in an office not to open a spear phishing attack, because we know it’s likely that at least one will get through. But what we need to make sure is that when that happens the rest of the system isn’t left wide open to anyone who gets in,” Ian says. “Similar safeguards should ensure no one in the company is using their administrator account to browse the web.”
Dealing with the most common attacks.
“SQL injection and XSS or cross sites scripting are both ‘very common,’ in the world of cybercrime. They are both very easy to fix, yet the impact of not fixing them is potentially catastrophic,” Ian says. “It isn’t even necessary to be a technical expert to make websites safe – very good quality products can be purchased off the shelf,” he adds.
There needs to be an incentive model.
“You have a fixed budget as a company. Do you invest that in something intangible (like securing your existing app servers where nothing bad has happened) or do you invest in building new functionality for your users, such as integrating Apple Pay?”