On April 24, Jeremy Fleming, Director of the United Kingdom Government Communications Headquarters (GCHQ), gave the keynote speech on cybersecurity issues at the National Cyber Security Centre’s (NCSC’s) flagship conference, CYBERUK 2019, in Glasgow. In his speech, Fleming first noted that the technology revolution “is providing extraordinary opportunity, innovation and progress – but it’s also exposing us to increasing complexity, uncertainty and risk.” That revolution, in his words, “brings with it new and unprecedented challenges for policymakers as we seek to protect our citizens, judicial systems, businesses – and even societal norms.”
Fleming then explained GCHQ’s perspective on cybersecurity. He stated that “whatever the shape of our cyber security mission, it made no sense to silo it away from other aspects of national security. To be effective, it had to be able to take advantage of high-grade intelligence and other security capabilities,” and that GCHQ “knew that we needed to invest more in getting the public and private partnership really working” and “to set even clearer lines of accountability when cyber incidents happened.”
Accordingly, Fleming stated, the United Kingdom Government’s National Cyber Security Strategy gave GCHQ, through the NCSC, “responsibility for a major national risk for the first time in our hundred year history.” GCHQ’s roles participation in that process included the GCHQ incident management team’s working on more than 1,500 significant cybersecurity incidents, its use of automation to reduce the harm from thousands of attacks a month, and the major role that GCHQ has played in dealing with strategic threats from hostile states.
Fleming also commented that the first priority for the United Kingdom’s cybersecurity strategy is to make that strategy “more citizen facing and more citizen relevant.” In that regard, he pointed to a number of the findings in the recently issued “UK Cyber Survey”:
- 89 percent of British people use the Internet to make online purchases, and 24 percent do so daily.
- Only 15 percent said that they knew how to protect themselves online.
- 2 million victims of hacks used the password 123456 to protect their accounts.
Recognizing the challenges that cyber threats pose to the population, Fleming promised several actions by GCHQ to help “take the burden of cyber security away from the individual”: (1) “work[ing] closely with device manufacturers and online platform providers to build security into their products and services at the design stage”; (2) working with Internet Service Providers to enhance the security of internet-connected devices in the home; and (3) “shar[ing] intelligence with banks to enable them to alert customers close to real time.”
A second priority for the United Kingdom that Fleming identified is “is to ensure our national infrastructure has the best defences in the world.” Pursuing that priority will involve fixing critical national infrastructure (CNI) and discussing “what further legislation or regulation might be required to ensure cyber standards right across the CNI.” A third priority is “to expand the cyber security ecosystem – and by that I mean taking a bold, interventionalist approach to involve a wider set of stakeholders in protecting the nation’s cyber security.” Implementing that priority includes expanding the reach and impact of NCSC’s Active Cyber Defence program, which “uses automation to block attacks on an enormous scale,” using a protective Domain Name System for the public sector that blocked access 57.4 million times, and putting in place programs to help small businesses.
Finally, in outlining how to improve public-private sector information sharing, Fleming emphasized GCHQ’s commitment to sharing more information about cyberthreats in real time, to help businesses and the Government defend themselves. Among various examples of that commitment, he noted that
in the last year we have made it simple for our analysts to share timecritical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken.
In the coming year, we will continue to scale this capability so – whether it’s indicators of a nation state cyber actor, details of malware used by cyber criminals or credit cards being sold on the Dark Web – we will declassify this information and get it back to those who can act on it.
Note: Director Fleming’s comments present a number of relatively concrete ways in which GCHQ is seeking to enhance cybersecurity – notably the commitment to improve real-time information-sharing with the private and public sectors, in part to enable financial institutions to alert customers quickly to new cyberthreats.
It is interesting to note that although the United States Government’s departmental and agency structure is configured quite differently for pursuing a national cybersecurity strategy, National Security Agency officials, in public speeches in 2017 and 2018, have refrained from endorsing the structure of the NCSC, but have made positive comments about the NCSC’s accomplishments. GCHQ should make it a point to continue to report periodically and publicly on whether and how well the new initiatives that Director Fleming discussed are bearing fruit.