22 April 2019

GCHQ: a century of ciphers

By Nick Smith

This year, the UK government’s intelligence and security organisation celebrates its centenary. From its earliest days of cipher decryption to mounting today’s defences against global cyber attack, GCHQ has come a long way.

In 1919, with the end of the First World War still ringing in the nation’s memory, Britain was already putting in place intelligence countermeasures to ensure it would maintain the upper hand, should such conflicts ever happen again.

By the time the Armistice was signed on 11 November 1918, four years and three months of industrialised slaughter had left just over 700,000 British soldiers dead. Within a year, on the recommendation of Lord Curzon, the British Army and Royal Navy intelligence services – MI1b and ‘Room 40’ – were merged to form the Government Code and Cypher School (GC&CS).

Located at Watergate House, London, the GC&CS was in the century that followed to become the Government Communications Headquarters, commonly known as GCHQ, arguably the most famous national government intelligence agency in the world.


It started as a small group of a few dozen officers advising the government on the security of their communications ciphers but was to become one of the three main British intelligence agencies (the other two being MI5 and MI6) and a crucial part of the UK’s security machinery, employing upwards of 6,000 personnel. Its history is defined by technological change, secrecy and controversy, with allegations, scandals and tabloid headlines dragging the organisation out of relative obscurity and into the limelight of public scrutiny.

Today, the organisation appears to welcome positive media attention, and while it is unforthcoming about the specifics of how it spies on the nation’s enemies, it has in place a coordinated PR charm offensive on matters such as diversity, and is this year going public about some of its activities with a centenary exhibition at the Science Museum in London and an authorised history of the organisation.

Its outreach includes schools initiatives and even puzzle books to help you to self-assess whether you’ve got what it takes to be a codebreaker in the mould of Alan Turing or even creator of ‘The Lord of the Rings’ Professor J R R Tolkien of the University of Oxford, who, according to GC&CS archive documents, was “keen” to become a cryptanalyst, but for reasons unknown never did.

‘GCHQ has solved or harnessed some of the world’s hardest technology challenges’ Jeremy Fleming, GCHQ director

If the early work of the GC&CS – decrypting overseas diplomatic ciphers – seems a low-key start to a century of code breaking, in the years leading up to the Second World War its role became more prominent. With the government expecting aerial bombardments on London, plans were made to evacuate the GC&CS from its London base to Bletchley Park in Buckinghamshire. Bletchley was fitted out with communications and power, while the first wooden huts were erected in its grounds to accommodate the rapidly expanding organisation.

On 15 August 1939, about 180 GC&CS personnel moved to Bletchley, while a further 20, who produced communications security materials such as cipher keys and codebooks, moved to Mansfield College, Oxford, so that they could maintain close proximity with their printer, the Oxford University Press. By the end of 1944, 10,000 were employed at Bletchley Park, with a larger number engaged on ‘sigint’ (‘signals intelligence’) collection and dissemination projects worldwide.

Bletchley will always be best known for the decryption of the German military Enigma electro-mechanical rotor cipher machines. But equally important was the development of Colossus – the world’s first programmable, electronic, digital computer – which enabled cryptanalysts to gain an understanding of the Lorenz cipher years before they ever saw the machine itself. Both projects made a massive contribution to the Allied victory in 1945 after which, in April 1946, the organisation became GCHQ. After the war, operations extended in reach with the formation of an intelligence alliance with the US, with whom Britain shares information via the National Security Agency (NSA) to this day.

But the work of GCHQ was to take on another technical aspect as it pitched its signal intelligence wits against the threat from the Soviet Union during a period of constant tension – that George Orwell described as a permanent state of “Cold War” – between opposing western and eastern geopolitical blocs. GCHQ was at the forefront of advances in transistors and miniaturisation up until the 1970s, while Clifford Cocks and Malcolm Williamson developed public key cryptography, a protocol for internet security that was classified until 1997, which in turn led to an American team being credited with its invention, despite the British getting there first by four years.

While technological frontiers were being broken behind closed doors, the tabloid newspapers had a field day with a series of scandals in which GCHQ was implicated. There were trials concerning embedded KGB moles, revelations of leaked tapes of private phone calls made by members of the royal family, as well as allegations of mass eavesdropping on British citizens. Then there was the prolonged Snowden affair in which the former US Central Intelligence Agency employee turned whistle-blower alleged that there was documentary evidence for GCHQ profiling “every visible user on the internet” based on harvested metadata “without any public debate or scrutiny”. Public debate over the balancing of national security against individual privacy continues today.

Despite these high-profile embarrassments, GCHQ forges ahead, rarely commenting on press stories, as it prepares for a future in which, contrasting starkly to the First World War out of which it was born, the main assault weapons are likely to be digital rather than physical. To ramp up the response to cyber threat, in October 2016 the National Cyber Security Centre (NCSC) was launched. Part of GCHQ and based in London where it all started with the GC&CS, its stated aim is to “make the UK the safest place to live and work online”.

To mark the centenary of GCHQ the Queen visited the original home of the GC&CS at Watergate House, where ‘2519’ (Her Majesty’s security code for her 1947 visit to South Africa) unveiled a commemorative plaque containing two secret messages about GCHQ’s history of code breaking. Commenting on the centenary, director Jeremy Fleming said: “GCHQ has been at the heart of the nation’s security for 100 years. It has saved countless lives, given Britain an edge, and solved or harnessed some of the world’s hardest technology challenges.”

GCHQ timeline

1919: Government Code and Cypher School formed as peacetime code-breaking agency based at Watergate House, London. Produces first decrypt on 19 October.

1920s: Successfully reading Soviet Union diplomatic ciphers.

1939-45, Second World War: Moves to Bletchley Park. Work on Enigma machine and Lorenz ciphers. Staff includes Alan Turing.

1940: Working on diplomatic codes and ciphers from 26 countries, addressing 150 diplomatic cryptosystems.

1946: Renamed Government Communications Headquarters (GCHQ).

1951: GCHQ moves to Cheltenham.

1955: Founding of Joint Technical Language Service (JTLS), co-located with GCHQ for administrative purposes.

1969: Communications-Electronic Security Department (CESD) merges with GCHQ and becomes Communications-Electronic Security Group (CESG).

1976: Investigative journalists Duncan Campbell and Mark Hosenball reveal existence of GCHQ in Time Out. Hosenball, an American, later deported.

1983: GCHQ comes to wider public attention during trial of Soviet spy Geoffrey Prime, KGB mole in GCHQ.

1984: UK Prime Minister Margaret Thatcher prevents GCHQ employees from becoming union members for reasons of national security (ban lifted in 1997).

1993: In wake of ‘Squidgygate’ scandal, GCHQ denies ‘intercepting, recording or disclosing’ telephone calls of British Royal Family.

1994: Intelligence Services Act 1994 puts activities of intelligence agencies on legal footing.

1996: David Omand becomes director and restructures agency in response to new technologies. Plans GCHQ’s new headquarters ‘The Doughnut’ at Benhall, Cheltenham.

Mid-1990s: GCHQ starts to investigate cyber crime.

2003: GCHQ moves to the Doughnut, the largest secret intelligence headquarters outside the USA.

2003-4: Katharine Gun removed from post after leaking email regarding wiretapping of UN delegates in run-up to 2003 Iraq war.

2010: Criticised by Intelligence and Security Committee of Parliament for IT security practices and failing to meet cyber-crime targets.

2014: Based on documents gathered by Edward Snowden, the Guardian reveals GCHQ is gathering 1.8 million webcam images. The Intercept reveals joint Threat Intelligence Group and CNE units within GCHQ.

2014: Incoming director Robert Hannigan writes in Financial Times that large US technology companies “have become the command and control networks of choice for terrorists and criminals”.

2015: GCHQ admits in court to computer hacking.

2016: The National Cyber Security Centre established; absorbs and replaces CESG as well as other cyber-related organisations.

2017: US Press Secretary Sean Spicer alleges GCHQ surveillance of US President Donald Trump.

2017: Jeremy Fleming, former deputy director-general MI5, becomes GCHQ director.

2019: The Queen unveils centenary plaque.

2019: Centenary of GCHQ celebrated with exhibition at Science Museum in London. First authorised history of GCHQ published.

GCHQ’S REACH

What it can do - and what it can’t

GCHQ is allowed to examine data in the pursuit of investigations related to matters of national security as well as serious and organised crime. Despite the widely held public assumption – often perpetuated by the tabloid press – that GCHQ has a virtually unlimited brief to listen in to and intercept communications made by phone and digital communications such as email, the truth is different, with the organisation having access to “only a tiny percentage of global communications traffic”. According to GCHQ, communications cannot be viewed or examined by an analyst other than in “strictly controlled circumstances”.

GCHQ says that because its primary focus is on threats to the UK, its main concentration is on dealing with communications originating from overseas. If an investigation of these threats leads to someone in the UK, there is still a daunting defence-work of procedural hoops to jump through before communications can be intercepted. These include putting together a case to justify the action in order to secure authorisation, usually in the form of a warrant that can only be issued by, or with the express approval of, a Secretary of State. The application for a warrant must be in the context of both necessity and proportionality, which means there need to be conditions such as national security in play.

Even then, “great care is taken to balance individual privacy with the need to keep the nation safe, detect and prevent serious crime and protect the economic security of the UK”. GCHQ says that in order to perform security tasks under such circumstances, “we must do some detective work to piece the picture together”; that may include gathering data about people that they admit are “just living their lives”. But, the organisation says, “the overwhelming majority of data collected by GCHQ is never seen by an analyst before it is discarded”.

The ideas of justification and appropriateness are further protected by the fact that to listen to even a fraction of all phone calls and to monitor all emails would be “physically impossible”. Further to which, GCHQ is subject to rigorous legal oversight and complies with the European Convention on Human Rights. Authorised searches on data are held in secure automated systems for limited time periods and can only be accessed by analysts that can prove their investigation is legal, necessary and proportionate. These justifications are then stored and audited.

While analysts may only examine data that matches their legally compliant searches, legally privileged information and communications are not excluded: “For example, if a lawyer was involved in terrorism or paedophilia, his communications may need to be examined, even if that means the incidental interception of legally privileged communications. However, legally privileged material is particularly sensitive.” Which is why robust safeguards are set out in the statutory code of practice on the interception of communications.

In the process of tracking down terrorists, the examination of confidential communications between, say, lawyer and client, is “exceptional and rare”, but in such cases GCHQ must comply with the requirements of the Regulation of Investigatory Powers Act 2000 (RIPA) Code of Practice, a process that is overseen by the independent Interception of Communications Commissioner, who is required to be (or have been) a senior judge. “Add to this scrutiny by the Intelligence Security Committee of Parliament (ISC) and a complaints mechanism in the form of the Investigatory Powers Tribunal (IPT) and you have one of the strongest systems of democratic accountability for secret intelligence in the world.”

What is a global cyber power?

GCHQ Director Jeremy Fleming recently outlined his definition of the rules and ethics of the cyber age at a keynote speech in Singapore. His address, part of the Fullerton Lecture series by the International Institute for Strategic Studies (IISS), explored international issues as the UK develops cyber capabilities, grapples with cybersecurity, and “builds the skills and rules required in the cyber age.”

Fleming introduced the concept of the ‘global cyber power’, examining what rules, regulations and ethics are needed at a national level to exercise such power responsibly. He said that with technological change comes opportunity, while warning of the accompanying complexity, uncertainty and risk.

Fleming suggested that a nation is a ‘cyber power’ if it is able to direct or influence the behaviour of others in cyber space in three main ways. First, “it has to be world-class in safeguarding the cyber health of its citizens, businesses and institutions. It must protect the digital homeland.” Second, it needs legal, ethical and regulatory frameworks to foster public trust, “without which we do not have a license to operate in cyber space.” Third, “when the security of its citizens is threatened, it has to have the ability – in extremis and in accordance with international law – to project cyber power to disrupt, deny or even destroy.”

He went on to say that cyber power is also about “having the right capabilities to actively protect our interests if we need to. It’s about having strong alliances. Finding ways to encourage openness and collaboration between people and nations, while rewriting the rules of engagement for our digital future.” “Cyber power is also about having the right technical expertise.” He concluded by saying: “The UK is a global Cyber Power with the potential to provide leadership in this debate. GCHQ is at the heart of that and will make sure the opportunities presented by this cyber future are fully realised.”
