Pages

1 March 2018

We need a global cyberwar treaty, says the former head of GCHQ

By MATT BURGESS

There should be an international treaty on cyberwarfare that sets clear boundaries for nation states around hacking computer infrastructure, the former director of GCHQ has said.

In a wide-ranging interview, Robert Hannigan spelled-out the growing threats cyberwarfare, Russia, and artificial intelligence pose as well as calling for tighter regulation. "We should be looking at some kind of arms control for cyberspace," says Hannigan, who left GCHQ last year. "We do need to come to some kind of international agreement about what's acceptable and what isn't".


How this would work, though, is a difficult proposition. Put simply: no straightforward solution to cyberwarfare and offensive hacking campaigns by countries exists – and coming up with one is no easy task.

Publicly calling out a country for a cyberattack is still relatively rare as digital tracks are often covered, or non-existent, and naming and shaming also has political ramifications. Yet there's a growing movement for a global agreement on what government-backed hackers can do.

Microsoft has previously called for a digital Geneva conventionand the UN secretary general has also made similar suggestions. Nato's cyber defence centre has also been clear to clarify pre-existing international laws around cyberwarfare. But any such international agreement would take years to create, Hannigan says.

"Now is a particularly difficult time to get any kind of international agreement through because there is so much tension between the major powers. The big danger is you end up with a treaty which one side implements and the other doesn't. That would make things worse than ever."

But such a major undertaking may start with "small gestures", Hannigan says. "You could have discussions about what things are so important to us all that we need to protect." These, he proposes, include the infrastructure of the internet and global financial institutions.“If you start tampering with power supply or a traffic control you raise the risk of people being hurt”

Hannigan's intervention came just before the UK government publicly blamed Russia for launching the NotPetya malware in the summer of 2017. The attack was spread through thousands of computers using a compromised piece of accounting software. Hit hardest was Maresk. The international shipping firm reportedlyreplaced 45,000 computers, 4,000 servers and reinstalled 2,500 applications. Disruption at the courier firm TNT lasted for months.

NotPetya was one of the most destructive forms of malware that has been attributed to a nation-state. But how do we stop people subverting the supply chain in hardware and software. Hannigan claims an international agreement could focus on individual sectors – healthcare, for instance – and outline that these are areas that can't be touched by nation states. But controlling Russia and North Korea would be a hard task.

Such an agreement would also be unprecedented. While chemical weapons are controlled by the PCW, Hannigan believes this method wouldn't work for cyber. "Western governments could not trust the intelligence behind their assessments to an international body without compromising it," he says. "At the moment it's hard to see who would police this because you couldn't really have an independent body."

The cyberwars

The evidence of cyberattacks conducted by nation states is compelling. Russia's attacks against Ukrainian power grids have left hundreds of thousands of homes without electricity; the WannaCry ransomware, which North Korea has been blamed for, took hundreds of NHS computer systems offline and put lives at risk.

What constitutes an act of cyberwarfare is still murky, though. Hannigan, who has been at the head of the UK's offensive capabilities, is still unclear what the term fully defines. Since leaving the GCHQ for personal reasons in mid-2017, Hannigan has started working with cybersecurity firm Blue Voyant as well as consulting for McKinsey. He will also be speaking at the Great Innovation Festival in Hong Kong in late March. "It is quite hard to draw a distinction between intelligence gathering espionage and destructive," he says.

The difficulty comes from working out who launched what. Disguises in code and masked data make pinning down a source incredibly hard. Even when a country is named, caution comes with it: last week, when the UK government called out Russia for creating the NotPetya ransomware, the strongest wording it used was "almost certainly". But the attribution, which also came from the US, was significant. NotPetya was a piece of destructive malware that had real-world consequences. And it was launched by Russia.

According to Hannigan, there's a "reassuring consistency" to the cyberwarfare tactics of Russia and North Korea: they keep to the country's national interests. (Russia acted aggressively online and offline towards Ukraine; North Korea uses cyberattacks to show its strength internationally). "I think the worrying thing is that international relations at the moment mean that people don't feel constrained," he says. "They feel they can take risks that they wouldn't have done five or ten years ago. [Russia] didn't seem to mind it was being attributed to them," he says of the country's disturbance of the US election. He warns to expect more live testing from hostile states.

"If [Russia's] intent changes and they become more reckless and destructive and aggressive then it really does get very worrying," he says. "Particularly when you see what they did in Ukraine and other places before."“I think the Investigatory Powers Act is going to be a big issue in the negotiation of any data agreement with the EU”

In July 2017, leaked documents from GCHQ's public facing arm revealed it believed hackers were "likely" to have compromised power systems in the UK. At the time, Motherboard reported the National Cyber Security Centre as saying industrial control system engineering had been successfully hit.

This sort of attack on critical national infrastructure is of particular concern. ITSec Team, a group of Iranian-linked hackers, were indicted in May 2016 on charges relating to cyberattacks on a small US dam. At present, Hannigan hasn't seen any attacks on infrastructure physically harm or kill anyone. But it is only a matter of time. "It seems almost inevitable at some stage it will happen," he says.

"If you start tampering with power supply or a traffic control you know you raise the risk of people being hurt. It seems unlikely to be going to be on a massive scale. It's much more likely this would happen by accident". Asked about likely scenarios when people would be injured or killed by cyberattacks, Hannigan says it will probably be from "collateral damage and unintended consequences". Much of the former GCHQ director's reasoning behind this lies in the fact that cyberattacks and security are largely unpredictable. Until a piece of code – whether it's in genuine software or something malicious – is made live, it is impossible to know what its impact will be. "You can test them but until they go out into the wild you don't really know what is going to happen."

When it comes to causing physical harm to people, terrorist groups remain the most likely candidates. "There will, of course, be a small group of terrorists who actively want to try and kill people through cyber. But I think they're a long way from having that capability," Hannigan says. "They've got the intent but they're miles away from having the capability. State-backed terrorism could do really destructive things in cyber." However, terrorists launching cyberattacks have been predicted for some years and little real-world impact has been seen.Hackers are on the brink of launching a wave of AI attacks

Artificial Intelligence
Hackers are on the brink of launching a wave of AI attacks

UK on the offensive

In November 2016, the then defence secretary Philip Hammondannounced the UK was going on the offensive. It was the first time the government had admitted it was developing proactive powers to disrupt others in cyberspace. Hammond said the UK would look to cause "damage, disruption or destruction" to enemies as part of the National Offensive Cyber Programme, run between GCHQ and the Ministry of Defence.

But, the government has refused to reveal how many offensive cyberattacks it has launched since 2010 and hasn't given any reasons for launching offensive operations. It has also refused Freedom of Information Act requests on national security grounds about which public bodies have been involved in launching cyberattacks. As a result, what the UK is doing remains opaque.

Hannigan describes the UK's abilities to launch cyberattacks against enemies as being "pretty sophisticated" but not anywhere near the scale of the US. "It is a kind of an arms race and everyone is at this," he adds.

There are a range of options available for the UK when it comes to offensive cyber offensives. These range from "high level" deterrence – he wouldn't discuss specifically what these were – to campaigns to disrupt cybercrime. "If you're in an armed conflict, and you are increasingly cyber dependent and so is the enemy, you're going to want to interfere with other country's weapons systems or whatever," Hannigan says.

The only time that the UK government has admitted it has used cyberattacks in the wild is against the Islamic State. In October 2016, Hammond said that "offensive cyber" was being used for the first time in northern Iraq. Hannigan says the government, GCHQ and other intelligence agencies such as Mi5 aren't likely to be forthcoming with details of cyber offensives soon.

"I suspect it will be provoked by other people rather than volunteered," he says. "If other countries, or for that matter crime groups, do things that are destructive or reckless on a large scale there may come a point at which government has to put a red line down and say this is what we're going to do in response." Incidents such as NotPetya make this more likely.

Increasing regulation

Much has changed since Hannigan took post at GCHQ in 2014. Cyberwarfare wasn't as common and his immediate responsibility was dealing with the fallout of Edward Snowden's disclosures. The bulk data collection and mass surveillance programmes revealed by the former NSA contractor forced the UK spy agency to face more scrutiny than at any point in its 99-year history. This focus will only increase as data analysis and artificial intelligence become widespread.

Courts have ruled GCHQ unlawfully collected private data for around a decade and the introduction of the Investigatory Powers Act has further increased the parliamentary scrutiny of the work carried out by UK security services. The IP Act has been the biggest change to the UK's surveillance laws in two decades. It not only sets out intrusive government hacking clearer than ever before, but also extends powers available. Under pressure, the government has made concessions since it was passed.“We have to use data better because there's no way that you can, or should, put thousands of people under surveillance”

The IP Act is also likely to cause problems when it comes to the UK's Brexit negotiations. "I think the Investigatory Powers Act is going to be a big issue in the negotiation of any data agreement with the EU," Hannigan says. While national security information won't be included in any Brexit data agreement, the agreement will govern how data can pass between the UK and EU. "It's bound to focus on the use of bulk data. That's the bit that is litigated and that's the bit that most of those who are unhappy in the EU, there are various views across the EU, are unhappy about." Hannigan says. "It's going to be a very complex negotiation, but a critical one."

Another area that's likely to need intervention with the law, Hannigan says, is the use of machine learning and artificial intelligence. "My concern these days – and especially now that I am out of government – is the ethics of it. In the future we may need regulation of AI and legislation around AI that builds in a privacy reinforcing approach to algorithms." Such a framework would likely apply to GCHQ and other security agencies handling huge quantities of personal data with the help of AI.

For the spy agencies, the former spy agency boss says, there can be learnings from recent court action and the Anderson review into the UK's surveillance laws. "We have to use data better because there's no way that you can, or should, put thousands of people under surveillance," he says. "How can you use data in a more intelligent way to triage the real priorities? AI is really good at that."

No comments:

Post a Comment