Montrose Journal Christmas 10
CAN WE CLOSE PANDORA'S CYBER BOX?
Since the end of the Cold War questions of national security have shifted from a largely producer-dominated perspective (that is, the outlook of the military and security authorities) to one which may be described as client-centred. Here, national security should be seen in terms of a state of confidence on the part of the citizen that normal life can continue, despite the dangers to individuals, families and businesses from man-made threats or impersonal hazards. A distinguishing feature in this respect lies in the public being given confidence in the government's ability to manage the risks, including those that pertain to systems and networks, or indeed to the handling of the information itself.
The WikiLeaks affair reminds us, if we need reminding, that good personnel security practices and access control procedures must not be overlooked in our concerns over advanced technical attacks across cyber space. Nevertheless, the threat from cyber attack is increasing, and we need to think through how the networks on which our everyday life depends are to be given adequate protection, at least adequate to allow normal life to continue.
If we consider the protection of critical networks from high-end cyber attack, even that limited part of the subject involves considerations of integrity of the data itself (think of the consequences were medical records to be tampered with); maintaining the availability of the information (think of the crippling effects for Estonia when its systems were effectively shut down or, more recently, the hijack of 12% of the internet by a Chinese telecoms company that may have been a technical accident but which demonstrates vulnerability nonetheless); and of course confidentiality (think of the massive scale of theft of intellectual property through large numbers of intelligence attacks on Western companies and government departments, attributed to hackers in China).
Iain Lobban, Director of GCHQ, suggested in a recent speech a new form of the Pareto rule that we got used to in defence where 20% of the cost buys you 80% of the military capability. In cyber security, the rule of thumb Iain suggests is that good cyber security based on professional intelligence advice will solve 80% of cyber security vulnerabilities, for example through basic network security disciplines like keeping patches up to date (much as one is advised to do on one's home computer), and keeping good personnel security to counter the 'insider' threat.
But the remaining 20% of the threat is complex and not easily addressed by trying to build an electronic Maginot line. And unlike the defence equipment case, it is the final 20% of vulnerabilities that are the most dangerous. Indeed the determined professional attacker will test out their attack on the proprietary firewalls and other products, or will have developed ruses around their electronic identity and will know before the attack is launched that it will not be detected. And once inside the network, the attacker may well then be able to open a covert sluice gate to exfiltrate information or draw up the ladder behind them, leaving no trace to indicate that they have ever been there.
Assuming that the 80% has been well dealt with, then tackling the top 20% of threat (remembering that this is potentially the most damaging part of the threat, whether from criminals or other adversaries) is going to involve active detection. That means using the intelligence capabilities of the UK and our close allies to illuminate the capabilities of the attacker, and even the intentions of the attacker, and also to detect the exfiltration of information – or in the case of criminals, cash – from our systems. That can trigger law enforcement investigation and in future may then also give us active means of disrupting the attacker or even in some circumstances of striking back. Readers familiar with 'The Girl with the Dragon Tattoo', in which the cyber-punk heroine ends up hacking passcodes and covertly siphoning off ill-gotten gains from the villain's bank accounts, will have some sense of the possible future options.
Although the challenges may be more complex than those faced during the Cold War, there is a useful analogy to be drawn with the conceptual security framework used at that time to protect Government as well as defence contractors with sensitive technologies, known as List X companies, from Soviet and Warsaw Pact espionage.
The 80% of vulnerability was covered by good personnel and security practices, such as security vetting, classifying and protecting information, combination locks and bars on the windows, all based on professional advice from the Security Service drawing on the work of the intelligence community. That effort needed central policy and authority through the Cabinet official SO Committee, a central security policy team, and a network of authorised and trained security officers in all relevant establishments including List X companies. The Security Service also made advice and updates available directly or through sponsor departments, including publicity materials such as 'Keep our Secrets Secret' posters and the famous 'Their Trade is Treachery' booklet.
But even then, tackling the top 20% of vulnerability was another matter. In this case the threat included long term penetration of government organisations over many years by individuals working on behalf of another power or ideology. Philby and the Cambridge spy ring, the Soviet Atom spies in Los Alamos or the later Portland spy ring that attacked UK expertise on underwater sonars are all familiar examples. A second aspect was sophisticated technical attack, such as the Soviet attack using a microwave resonating cavity inside the US Great Seal in the American Ambassador's office in Moscow.
Evidently countering this 20% of the threat involved at times top secret plus levels of intelligence, sources and methods, and careful consideration of each party's ownership and interests through clear governance, so that strategic intelligence sources and methods were not blown for short-term gain or in low-level security operations.
The parallels with top end cyber security should stimulate reflection. They suggest implications for the organisation of government - and also for the partnerships necessary between government and law enforcement with both the critical national infrastructure (CNI) operators and the cyber-security and ICT supplier base.
For the 80% we already have good arrangements involving government, the security and intelligence agencies and the private sector to organise the promotion of good information assurance in the cyber domain, and to encourage the CNI companies in particular to adopt good personnel practices and good general IT security processes. This effort has been going on for some time and complements the longstanding work of the Centre for Protection of National Infrastructure in promoting resilience. There is also ample capability in the ICT and consultancy industry to provide sound design of networks, recommend appropriate firewalls and update security services from the large IT security suppliers, and accredited individual encryption and other security products from the vibrant SME security sector.
But dealing with the top-end threat requires a different approach. Somehow, two conflicting considerations have to be brought into balance. The first is the ability to be able to help protect a very large number of companies and government organisations, all using networks critical to our economic, financial and everyday life, from serious cyber attack. The second is that to do this requires the leverage afforded by the intelligence and law enforcement space, and that involves very highly classified information and a near-real time response. It is unlikely to be possible in the way that the old intelligence centre could liaise with all the List X companies.
One way to conceptualise this, and to make it both more manageable and achievable, is to consider the various actors as if in a set of concentric rings.
The bull's-eye has to represent the intelligence space, with GCHQ hosting the joint Cyber Operations Centre working hand in glove with law enforcement and the other members of the UK intelligence and defence community, and with our close allies, especially the US. The Centre should have a joint governance structure, learning from the successful operation of JTAC, and should work to policies and priorities from the National Security Council and the National Security Staff (that now includes the Information Assurance and cyber policy team).
That centre should be connected to a surrounding ring made up of a small number of segments, perhaps three or four, representing trusted technology-rich security and ICT companies, probably arranged in consortia so as to cover all the necessary competences. Each segment in this 'ring of trust' would be connected in near real time to the intelligence centre to allow the fast two way passage of information, in recognition of the very rich information held by the relevant ICT security companies about current attacks as well as the specialized intelligence held by the Operations Centre. The consortia could include intelligence liaison officers to ensure two way information flows and to check that the ownership and concerns associated with highly sensitive information about cyber attacks are being properly considered.
Each of these trusted commercial security consortia would then be able to compete with each other to provide top end security services to CNI operators, under contracts those companies would place with the ring of trust, to identify and classify attacks as well as to plug vulnerabilities and to cooperate in further intelligence-led work to frustrate attackers. For some CNI companies, access to such security advice could well become a Regulator's condition for operations in the UK.
The outer ring then contains all the CNI operators, government departments, agencies, defence contractors and R&D base whose intellectual property and assets - ranging from financial accounts to nuclear power station control systems - need high end protection.
Is this a feasible model based on concentric circles of trust? Of course an array of questions would arise about the sharing of commercially sensitive information and the protection of the equities of the different players. Much study would be needed. But the high end threat is growing and we need to have a simple enough concept to allow progress to be made. A model along the lines described above would have the advantage of utilising both the highly secret and specialized knowledge and capabilities of the intelligence space (including law enforcement) and the commercial capabilities of the leading UK and US industry players who provide a secure means of connecting to the very many government and private sector operators of networks that support the CNI.
Such a model, or one based on the principal considerations sketched out here, would indeed represent another significant step in our national resilience journey from the 'Secret State' of the Cold War to the future 'protecting state'. National security in the protecting state is about preserving a state of normality, derived from a sense of confidence on the part of the public (and of the markets and our allies and adversaries) that the big risks facing us are being managed satisfactorily, so that people can get on with their lives in freedom under the rule of law and make the best of their opportunities at home and abroad, and can do so with confidence that the risks are being managed by government through policies that would command public support. In turn our potential adversaries, and the markets, need to feel that we are well-defended, and willing to protect and defend our interests, including in cyberspace.
Such security rests on anticipatory management of risk; it does not rest on attempts to eliminate all risk. There is a delicate balancing act for governments in maintaining justice, freedom of movement and of speech, privacy, civic harmony and the right to security. Indeed, a core ingredient in public security in a democracy is confidence in the government's ability to manage risk in ways that respect human rights and the values of society.
The key to maintaining that delicate balance is to have better informed decision-making by government, including better intelligence. We should look to government then to decide in good time whether to act to try to reduce the risk or to reduce society's vulnerability to it, or in many cases sensibly to decide to leave well alone.
In the pursuit of better intelligence, the last few years have seen the development of a new 'INT' to sit alongside HUMINT, SIGINT, ELINT and all the rest, and that is what I term PROTINT: protected data about each of us as individuals, covering our movements and travel, communications, finances, social security and medical history and all the rest of the 'electronic exhaust' we leave behind. Naturally, such powerful tools in a cyber age need careful regulation and oversight.
In a coalition world, there is room for these issues to be incorporated into a new understanding between Parliament and public on the one hand and government and its security and intelligence agencies on the other. There are five underlying principles or steps toward achieving this new compact. First, all must recognize the importance of maintaining security as a state of normality in which individuals can get on with making the most of their lives as they choose, in freedom and without fear. Secondly, public and media have to be encouraged to accept that there is no absolute security and chasing after it does more harm than good.
The third aspect requires the acceptance of pre-emptive secret intelligence as essential in shifting the security odds in the public's favour. But the intelligence machine should only be used for public protection to prevent significant harm and not to check on what we put in our dustbins. The principles of proportionality, necessity and due authority will have to be followed, and suspects will be prosecuted within the criminal law.
The fourth element looks to our international relationships. Overseas intelligence liaisons have to be maintained in the interests of public safety, and intelligence received that is capable of helping in that task will be accepted and acted upon but overseas partners must be clear that UK intelligence, police and military personnel will never solicit information that they have reason to believe may be obtained through torture or ill treatment.
Finally, the public must accept that there is no general 'right to know' about intelligence sources and methods, but in return the public has a right to oversight of the work of intelligence agencies by senior judges and cleared Parliamentary representatives on the public's behalf, with the right of investigation and redress in cases of abuse by government of its powers.
It matters to all of us how government in the future will think about modern national security, and how much attention is given to new vectors of threat such as through cyberspace; a careful balance of investment is needed between the components of the risk equation, acting on likelihood, vulnerability and impact. Life is full of surprises, some of them unwelcome, and some level of insecurity has to be accepted day to day and lived with. Working to keep those risks to a minimum is a primary duty of government, part of the implicit contract between people and their government. Fulfilling that duty is thus integral to good government. In an age of austerity there are new opportunities for thinking about how best to develop the partnerships between industry and the most secret parts of the State in order to deliver those security benefits.
Sir David Omand was the first UK Security and Intelligence Coordinator in the Cabinet Office, having previously been Permanent Secretary at the Home Office and Director GCHQ. He is now a visiting Professor in the War Studies Department of King's College London, and author of 'Securing the State', published by Hurst & Company.