GCHQ – Moving Out From the Shadows

Noun: Smart Home

Definition: Mini data center minus admin and security staff.

This is of course tongue-in-cheek, although some will recognise truth in this. As consumers we are reliant on manufacturers of our “smart appliances” being cognisant of security and engineering safeguards.

But can we trust them?

Yesterday we learned that despite £11bn being spent on new smart energy meters due to be installed in every UK home, GCHQ had to intervene as every meter had the same encryption key. We saw a similar problem in Spain in 2014 with poorly protected credentials. Aside from miscreants leveraging these weaknesses to lower their own energy bills, there is the worry they may interfere with others and, worse still, exploit the trust relationship with the energy supplier and possibly attack the grid itself.

Although this is disturbing and interesting, there is another striking fact in this story: namely, the very public involvement of GCHQ.

Obviously GCHQ has rightly intervened in this issue as it poses a national security threat; however, not so long ago we would have known nothing of it. Instead, Dr Ian Levy, technical director for CESG (Communications-Electronics Security Group), chose to disclose this publicly.

CESG is the Information Security arm of GCHQ.

This decision to go public with the smart meter intervention is part of an ongoing strategy of “reaching out” which began back in 2014 with the giant Remembrance Day Poppy, followed in 2015 by the Rainbow Doughnut and TV cameras being allowed inside GCHQ for the first time.

Since then we have witnessed a steady trickle of public engagement.

However, this year we have seen a rapid intensification in public activity.

This new phase began with GCHQ dropping Gaffer (a large-scale graph database) on GitHub, which was well received by the Open Source Community.

Then came the appearance of the CESG Twitter account (being run as a pilot and subject to review) which heralded the arrival of a revamped website replete with commercial products and services guides, architectural design advice, collaborative projects such as Steganographic Advanced Information Hiding, White Papers on topics such as their position on Quantum Key Distribution, and so forth.

This month has seen an explosion in the media charm offensive with both Robert Hannigan, Director of GCHQ and Alex Dewedney, director of cybersecurity at CESG, giving public talks.

Hannigan spoke at the Massachusetts Institute of Technology on “Encryption, privacy and intelligence gathering in the digital era”. Full transcript here. A balanced talk I thought.

Dewedney spoke at the RSA Conference on how they are failing despite a budget of over £1bn. An odd one I know. Sadly a full transcript hasn’t been published to the best of my knowledge to afford these comments any context. Suffice to say, folk were a little surprised and the overall sentiment expressed in response to this is best coined: “If they can’t do it with all their resources how are the rest of us supposed to?”.

This unusual activity kept coming this month with the publication of The Brewery Journal on Cybercrime, which features an interview with Dr Ian Levy (technical director, CESG) and Ciaran Martin (Director General for Government and Industry Cyber Security and a member of the GCHQ Board).

Their intriguing and brief interview can be found on page 19.

I thought this journal a seminal piece and well worth reading.

Next up we had the announcement of the first ever public GCHQ security conference launched by CESG.

There will be a mixture of high impact plenary talks, themed tracks and interactive activities, which will centre on an informal networking area. Interaction will be central to this event. In the networking area you will find a comfortable space, providing an area to relax, share ideas, work and enjoy great coffee from our barista bar. You’ll also find the ‘myths, challenges and ideas’ wall for you to share your views. Many comments posted on day one will be addressed on day two.

I’ve read the blurb and I must say this conference looks excellent. Free for those in the public sector.

Given this highly unusual flurry of activity it was evident GCHQ were heading for a crescendo and we finally caught sight of it in the form of a New National Cyber Security Centre (NCSC) to be headed up by both Ciaran Martin and Dr Ian Levy.

The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.

It will bring the UK’s cyber expertise together to transform how the UK tackles cyber security issues.

It will be the authoritative voice on information security in the UK and one of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively.

It was to this announcement on Friday GCHQ and CESG had been heading.

What to make of it all?

Personally, I think this new approach of “moving out from the shadows” is the right one.

By their own admission, GCHQ are struggling to keep pace with the Information Security threats we face. They are not able to secure everything in the UK and neither are they charged to do so. It must be a collaborative effort with partnership between the Intelligence services, the private sector, law enforcement and academia.

It’s interesting to note the emphasis on working with the Bank of England. This is no mere dalliance. Much of the income of UK PLC is through the financial sector and it is imperative to provide a secure trading environment for the UK in order to maintain its dominance in this arena.

Information Security is itself big business and a knock-on benefit will be selling this know-how in the form of services and products to other financial centers.

Of course, given this financial sector imperative, a London location is required. Although this is born of necessity, I sincerely hope this won’t simply become a “London Bubble” and that they will look outward towards the North to harness their expertise in securing the energy sector and manufacturing.

Overall, I feel these developments are positive for us all and hope this new synergetic approach emanating from GCHQ is welcomed and utilised.