6 July 2021

Director's speech on Cyber Power - as delivered


Thank you for that warm welcome… it’s great to be here.

Firstly, I’d like to thank the International Institute for Strategic Studies for inviting me and giving me the opportunity to speak about Cyber Power. It’s a topic that I know needs wider discussion. And it’s great to see IISS once again breaking new ground.

In particular, I’d like to thank John and the wider IISS-Asia team for the wonderful work they do with this speaker series. They always pull together a strong and influential audience, and it’s clear to me they are doing great work promoting geopolitical debate in the South East Asian region.

I’d also like to thank the team here at the Fullerton Hotel for all they have done to ensure we have such a productive conference.

It’s great to be here in Singapore. I enjoy visiting this amazingly vibrant and successful City, its palpable optimism for the future and the impact it has far beyond its shores. I love the way it blends the old and new, the juxtaposition between the state of the art GPO of the 19th Century and the subject today is not lost on me.

I echo what Jeremy Hunt, our Foreign Secretary, said in January about the similarities between our two countries - we’re joined at the hip not just by common interests and our shared dedication to the rule of law but by our shared history that has connected our two peoples together for 200 years.

And that sense of shared history and common endeavour is just as relevant for the other Nations present here today. Indeed, I would argue that as we enter the Fourth Industrial Revolution, as we think about how we will continue to prosper as Nations, whilst protecting the rights and lives of our citizens, it has never been more important.

Which brings me to the point of this speech and of this event.

And that is the concept of Cyber Power. What does it mean? What does a country need to have at its disposal to be a Cyber Power? How should it exercise that power? What rules, regulations and ethics are needed to exercise power responsibly?

We’re all contending with these questions. Our nations are breaking new ground as we develop cyber capabilities, grapple with cyber security and start to think about the skills and the rules we need for the cyber age.

So, how can we move forward together?

My proposition is that we need to converge on agreed definitions, on regulatory frameworks, industry standards and norms of ethical behaviour. Frankly – we need a new lexicon. One that isn’t based on the overly military language of past power frameworks, but a language that clearly refreshes and restates for the cyber age the underlying principles that have served our democracies so well for hundreds of years.

We have a way to go.

Take the language we use to describe cyber security or cyber activities: malware, ransomware, BotNet, and Distributed Denial of Service to name some of the more incomprehensible terms in use.

Then look at the questions we ask about how we measure up to those who would do us harm: how big is their force…? How much do they spend…? How many hackers do they have …?

This sort of framing has been around for decades. It worked for an environment where power was seen, partly or wholly, through a military lens. An environment where numbers or scale were what mattered.

But in the cyber world, the size of force doesn’t equal potency. Deterrence isn’t absolute.

And cyber attacks are often disruptive or financially motivated, rather than destructive.

It’s a cyber world that is changing at an incredible rate, making the world more interconnected than ever before. It’s driving extraordinary opportunity, innovation and progress. But it’s also unleashing unprecedented complexity, uncertainty, instability and risk.

I suspect that many of my predecessors as Director of GCHQ will have said or felt something similar. We’ve contended with changing technologies throughout our one-hundred year history.

But there’s definitely something unique about the combination of uncertain doctrine, hyper technology change and a new form of ungoverned security space that is making this peculiarly challenging. And it’s this uniqueness that makes it difficult to keep up, or crucially to explain these changes to our citizens.

I believe we need a better framework for this conversation. One that provides reference points for the debate about Cyber Power, and one that recognises that the concept goes way beyond technology and the internet.

I’ve given this much thought. The UK – indeed, all of us – need to better understand the challenges and opportunities we face and how best to shape the debate with our partners, allies, and even our adversaries, around the world.

In short, we need to pioneer a new form of security for the cyber age.

I think we can all recognise the basic definitions of power: it’s the ability to direct or influence the behaviour of others. Power comes in many hues: ‘soft power’ is exercised by those who may set an example, project thought leadership, or encourage adherence to a particular set of legal or ethical boundaries. Whilst hard power comes from economic, military or technological might.

Taking this over into the Cyber domain is not straightforward, but there are clear parallels.

And I think we can do better at setting out some core principles.

To me, a Nation is a Cyber power if it is able to direct or influence the behaviour of others in Cyber space. And it can do this in three main ways:

One, it has to be world class in safeguarding the cyber health of its citizens, businesses and institutions – it must protect the digital homeland.

Two, it has to have the legal, ethical and regulatory regimes to foster public trust – without which we do not have a licence to operate in cyber space.

And three, when the security of its citizens is threatened it has to have the ability – in extremis and in accordance with international law – to project cyber power to disrupt, deny or degrade.

I’d like to explore each of these elements in turn.

Starting with cyber security.

Those of us who work in Government, and especially those who have worked in national security roles, know that the first responsibility of any Government is to protect its citizens.

In the twenty first century this relates to the digital homeland as well as the physical one.

To enable this protection we have to put in place measures designed to make individuals and institutions harder to attack. We focused on responding to cyber incidents to reduce harm and increase confidence and we developed new partnerships with industry and academia to share knowledge, remove basic threats and influence behaviour.

We have also grown our key partnerships at home, across the 5EYES, in Europe, and of course here in South East Asia.

In the UK, this sense of a Team Cyber is spreading way beyond the normal national security community with GCHQ’s National Cyber Security Centre leading our response.

Law enforcement colleagues are lining up with intelligence partners, industry and academia.

We’re reaching down into schools, hiring communications specialists to get the messages to stick and working with venture capitalists and start-ups to foster technologies for the next generation.

We’ve also worked hard to take a genuinely strategic approach. It’s easy to get stuck in the maelstrom of today’s attacks. But I think we need to get better at designing in cyber security from the start.

In particular, we are trying to make the internet automatically safer for people to use, so they don’t have to make daily judgements on whether every email or website they come into contact with can be trusted.

This is especially important given the way that criminals are increasingly operating, sometimes with the support – active or passive - of malign states.

This complex environment was a big driver behind the National Cyber Security Centre’s active or automated cyber defence programme. This aims to protect most of our citizens from most of the harm…for most of the time.

We’ve already set out some impressive early results of this work. By automatically protecting 1.3 million Government internet users, blocking access to bad sites we know about, we stopped 54 million malicious connections last year alone.

We have an anti-spoofing mechanism which has greatly reduced the spoofing of UK Government brands.

Our automated takedown service, run by a private company, has more than halved the UK’s share of global phishing.

This is really exciting innovation. It helps make the UK a harder target. It takes away some of the impossible decisions we ask our citizens to make that affect our security.

It doesn’t mean we’re impregnable. It just means we’re harder to attack.

But there is so much more to do to fix an Internet that was not designed with security in mind, with big, structural security problems like identity spoofing and malicious hosting still to be tackled.

My job in this space, as Director of GCHQ, is twofold.

First, it’s to help get these innovations implemented at a scale that makes a truly, nationally, and potentially internationally, transformative difference.

We have a set of services that we’ve tried out on our own Government, on our own terms.

But what happens when the big communications service providers start to introduce our blocking techniques at scale?

What happens when retailers take up some of the security indicators we’ve been developing and use them to promote safety and security? When large corporates really get on board with anti-spoofing?

What we hope is that we start to build a truly whole-of-nation, world class, cyber defence system. One that works at the citizen level.

My second job is to create the time and space for the elite cyber talent we have working on this area to develop the next set of transformative ideas.

Things like: how do we authenticate emails in a way that people might actually be able to understand?

How do we break free of the limitations of password-based user security? How do we make hardware harder to interfere with? How do we allow networks to connect freely but in a way that an infection of one is not an infection of all?

In GCHQ I’m fond of saying that with the right mix of minds anything is possible. And we have some ingenious people working on these challenges. I know they’re equal to the task.

They will find new ways of dealing with the emergence of new technology.

But they’re doing this work in a pretty charged environment and we – I – need to find them the space to get on with real, practical solutions.

Obviously, the most charged part of the current global technology debate relates to 5G and, in particular, the role of Huawei.

Before going further, let’s remember: 5G is going to be one of the most important and impactful technologies of this or any era.

It’ll massively enhance how we use the internet, be a catalyst for technological change, and over time will change the way we think about how our data is being used. It’ll also make us more interwoven and dependent on the internet.

It’s not a cliff-edge transition, and it will not entirely change how we think about security.

Navigating this exciting, transformative technology is going to be difficult and it will be different in each country.

Let me talk about the UK’s approach.

5G is complicated and understanding the complexity and nuance is essential. The NCSC, as part of GCHQ, is the national technical authority for cyber security. It’s our job to bring objective, evidence-based and technically authoritative advice to the policy table.

Last week the NCSC set out how we are approaching these issues. The most important aspect of that intervention was in defining three pre-conditions for securing 5G networks.

First, we must have stronger cyber security practices across the telecommunications sector.

The market is configured in a way that does not incentivise good cyber security. That has to change.

Second, telecoms networks must be more resilient. Vulnerabilities can and will be exploited.

But networks should be designed in a way that cauterises the damage. So we must do that.

Third, there must be sustainable diversity in the supplier market.

A market consolidated to such an extent that there are only a tiny number of viable options will not make for good cyber security. That’s regardless of whether those options are Western, Chinese, or from somewhere else.

Experience shows that any company in an excessively dominant market position will not be incentivised to take cyber security seriously. So we need a diversified market, competing on quality and security, as well as price.

These three conditions are objective, technical, and evidence based. I’m determined they are not lost in the speculation of recent months.

As we made clear last week: the UK has not made a decision about 5G. There is an ongoing review led by the Digital Department and its Secretary of State which will conclude its analysis in the spring. Only when that’s complete will the government make a decision about the supply chain balance.

GCHQ is at the heart of that work.

We already have a role managing Huawei’s presence in our existing networks. We think this is probably the toughest oversight regime for that company in the world. It’s revealed significant problems with their cyber security practices…which have caused them to commit to a multi-million pound remedial programme.

And as I’m sure you will have seen, we’ve been crystal clear that we will not compromise on the improvements we expect.

But…and it’s an important but…5G security is about more than just Huawei…that’s what the three pre-conditions for 5G security are all about.

The final thing I’ll say here is that the strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company…it’s a first order strategic challenge for us all.

Part of being a Cyber Power is facing up to that challenge and those posed by technology more broadly.

We have to understand the opportunities and threats from China’s technological offer. We have to understand the global nature of supply chains and service provision irrespective of the flag of the supplier. We have to take a clear view on the implications of China’s technological acquisition strategy in the West. And help our Governments decide which parts of this expansion can be embraced, which need risk management, and which will always need a sovereign, or allied, solution.

It’s a hugely complex strategic challenge which will span the next few decades….probably my whole professional career. How we deal with it will be crucial for prosperity and security way beyond 5G contracts.

And to my mind, it shows just how significant cyber security is becoming to a nation’s cyber power.

My second basic tenet of cyber power governs the way in which a Nation behaves and the frameworks within which it operates. We know that statutory and regulatory regimes around cyber space are not yet mature.

Case law is still developing in all of our jurisdictions. Some of the behaviour we’ve seen from certain states or criminals is clearly wrong in any circumstance. An attack on a hospital’s IT, or on a country’s electoral system will always require sanction. But in many cases, there are no clear norms or behaviours. And in some cases, there is a clear divergence in view between blocs of Nations about how to develop these norms for the future.

There’s a lot at stake here. Without a commonly agreed set of principles, it’s much harder to reach agreement on common standards, to exchange and trust data, to prosecute poor behaviours and to create a commonly agreed doctrine of deterrence.

And the situation is diverging, not converging as the internet fragments and the half of the World not yet on the internet gains access to mobile computing.

Unchecked, we’re heading for an even less governed space where rights and wrongs are not automatically recognised and where acceptable behaviours are not a given. We’re certainly heading for a situation where it’s harder for States to underpin or guarantee the trust their citizens expect in their dealings online.

In my view, dealing with this uncertainty means building on the approaches we’ve developed over centuries in international law. Put simply, if something is unacceptable in the real world, it must be unacceptable online.

But as cyber capability becomes more advanced and more widely used, we have to ensure that domestic and international law keeps pace.

Last year the UK’s Attorney General said the following, and I quote: “it is the UK’s view that there are boundaries of acceptable state behaviour in cyberspace, just as there are everywhere else”.

He stressed the need for the application and interpretation of international law to keep pace with change in the real and digital worlds. I’d build on that by saying it is perfectly possible for individuals and states to act responsibly in cyber space in support of – not against – the rules-based international order.

We need to work towards common understandings of how to apply, interpret and develop this law. The international conversation on these issues remains at an early stage but we’re beginning to see a degree of progress.

So if we can all accept that international law applies to the cyber realm – the question for us to answer now is how it applies. Like other global laws and rules, it will take time to settle, but we need to up the pace to ensure its legitimacy and support.

It’s my belief that discussions of these rules and standards should not be solely driven or facilitated by the national security community. There are many other equities involved than security. We need a full debate across government, and working with the leaders of the tech industry, academics and civil society.

There will of course be those who do not want to adhere to these common standards. Those who are intent on causing disruption and harm. To illustrate, about a half of the eleven hundred incidents handled by the NCSC in the last two years have a state actor behind them.

The UK and our Allies have called out this activity and attributed attacks.

The UK Government’s Ministers have remained very clear we will keep on doing this. Again, it was the Attorney General who said: “it is the UK’s view that when states and individuals engage in hostile cyber operations, they are governed by law just like activities in any other domain.”

When we see cyber attacks – by states, terrorists or criminals – our first priority is to seek to use the criminal justice system to achieve a prosecution. If this is not possible we will aim to impose a cost to this behaviour, including through public attribution of the perpetrators.

For example, in late 2018 we attributed disruptive cyber activity to a Chinese group known as APT10 or Stone Panda.

A few months before that we exposed a GRU campaign conducted by Russian group APT28 or Fancy Bear, which indiscriminately used cyber attacks to target political institutions, businesses, media and sport.

This type of behaviour must stop. And as China, Iran, Russia and North Korea all saw last year the UK and its allies will keep calling this out.

To limit the effect of this unacceptable behaviour we will continue to give businesses the information they need to defend themselves. We are making citizens cyber literate, the first line of defence - ensuring they understand what they can do to keep themselves and the wider country safe online.

The deterrence we’re aiming for goes beyond cyber security products and systems. It’s a mindset, a coalition of citizens and businesses, informed by practical and easy to digest advice.

We’re confident that done in the right way it can make a real difference.

That ‘right way’ requires individuals and states to act responsibly in cyber space in support of – not against – the rules-based international order.

I think ethics are central to that.

I’ve always liked the philosopher and scientist Aldo Leopold’s definition of ethics. He said it was about “doing the right thing even when no one else is watching”. Nowhere does that apply so much as in the world of national security. In spying, intelligence gathering, espionage – whatever term you’d like to use – I believe that there are ethical rules and boundaries, and these should always be followed and upheld.

Of course, the UK is a liberal democracy. There is extensive oversight of the work of the intelligence and security agencies. Someone else, typically a senior judge, is always watching over what we do.

It’s perhaps easy to be ethical in such a situation – and in our democracies, sometimes we take that oversight for granted. Nonetheless, our analysts are constantly reminded that it is not enough to be able to do something… it is not even enough for it to be legal to do something… it must also be right to do something.

Internationally, amidst the confusion of malevolent states, serious crime groups, hacktivists, terror groups and their hostile online activities, it could be tempting to put ethics aside, or to assume a moral equivalency between actors. But I don’t believe we live in a Hobbesian world, where might equals right, and where integrity is a sign of weakness.

Looking around this room, I see friends and allies, committed to the international rule of law in cyberspace, committed to discussion, listening to alternative views, acting with restraint.

In short, organisations and nations that are committed to acting ethically, even when our adversaries refuse to do so.

The greater the capabilities and norms we develop together, the more important this dimension of cyber power becomes – it is at the heart of our shared values and our collective strength. It gives us our licence to operate. And I hope, it also enables us to retain the trust of the societies we serve.

So to bring this section to a point: the digital age still requires us to be governed by the rule of law. It still requires us to have the highest level of ethics. But it requires those immutable concepts and our values to operate in new and difficult terrain.

Ultimately it’s a framework that promotes the responsible use of Cyber Power.

Of course, that responsibility applies as much to the projection of a nation’s cyber capabilities as it does to cyber defence. The ability, in extremis, to be able to use cyber tools to disrupt, deny or degrade is the most contentious and least well understood aspect of cyber power. It’s also another part of GCHQ’s role alongside our military and intelligence partners.

Some call it offensive cyber, others effects or covert cyber operations. Ultimately, regardless of the label, it’s about taking action online that has direct real-world effect. Many nations are building these capabilities and are obviously seeing real value in deploying them. But some are deploying it in ways that do not accord with the basic tests I’ve just raised, with a reckless approach to broader damage and with little regard to the criminality of the effects they are trying to achieve – North Korea’s use of ransomware to prop up the finances of that regime is a good example here.

But in the right context, governed by appropriate international and domestic laws, offensive cyber is an essential part of a nation’s cyber tool kit.

Here’s an example: for well over a decade, starting in the conflict in Afghanistan, GCHQ has pioneered the development and use of these cyber techniques. In recent years, we’ve worked even more closely with the Ministry of Defence and key allies to grow these capabilities at pace.

Last year I spoke about GCHQ’s cyber operations for the first time and the damage it did to Daesh. This was the first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign.

We can see that these operations made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield.

This was remarkable work carried out by a talented and committed group of men and women from several nations and it helped lead to the end of the physical Caliphate.

It’s not the only example where action online to cause real world effect is enhancing regional and global security. Its use gives nations or institutions like NATO – where the UK’s cyber capabilities are an increasingly important contribution to the Alliance – the ability to surgically disrupt, deny, or degrade an adversary’s network where it is being used to cause harm.

And in that way, it’s unlike any other lever available to government.

I’d like to add another point of emphasis here. These types of capabilities are not kept in a locker solely to respond to cyber or digital aggression. Cyber action cannot equal cyber reaction. The UK’s response to a cyber action by an adversary or criminal is determined by Ministers, and they consider the full range of possible options.

That broader approach is integral to our wider Fusion doctrine. Others may call this a hybrid approach – the words are different, but the effect is the same – any use must be considered alongside diplomatic, economic, political and hard power levers.

And it’s here that my points about ethics, frameworks and responsible usage must be repeated. Yes, these offensive cyber capabilities give a nation incredible reach and impact, but we must not see them as the answer to every problem.

Their use must always meet the three tests of legality, necessity and proportionality. Their use – in particular to cause disruption or damage - must be in extremis.

So, if we accept that Cyber Power has (at least) these three components, I’d also argue that it’s increasingly the case that our nations cannot operate in isolation. Our future security will be guaranteed not by the quality of our coding, the design of our silicon, or the cunning of our cyber operators – but by the bonds that tie us together and the relationships that give us confidence to act decisively against common threats.

I have already touched upon the challenges of interconnectivity in the online world.

The technology that crosses national boundaries, the data flows that wash around our economies every minute of every day. All of our governments are under huge pressure to harness this technology for good… and to provide solutions for the accompanying social harms.

But the geography of cyberspace does not equate to the borders laid down in the industrial age. No nation, no company, no one group can deliver success alone – we need to reinvigorate and adapt old partnerships, and build and shape new ones. These alliances between countries, with the private sector, with academia are only limited by our imagination and willingness to embrace change.

Countries such as the UK will always provide the leadership to contain, frustrate and defeat our adversaries in cyber space. But we are infinitely stronger when we act in concert with our allies whether that’s the 5EYES, with NATO, or with other partners around the world. We should come together as a community to drive standards, harness skills and capabilities, share knowledge and defend ourselves against our adversaries.

A word of caution, however. Creating and evolving these alliances requires work.

We need collectively to invest in cyber capabilities – offence and defence, whether that be cyber security, governance or the ability to project cyber power. Many of us will bring all of these capabilities to the table, others only some, but each of our commitments must be real and meaningful.

This has to be an era of new alliances and not just those between traditional partners because the Internet is not governed by states alone.

We must be bold, put aside historic differences (where we can) and bring together the best people from academia, governments, civil society, industry and even standard bodies, to think through these challenges.

In short, we all need to engage differently to make the most of this, starting with the 5G challenge we’ve already covered.

We must find ways to encourage that type of openness and collaboration that we know works between people and nations.

Finally, alliances require us to act – decisively if need be. Processes and debates should not become an excuse for prevarication and delay. Instead, we should show collectively the courage of our convictions in cyber space as we would elsewhere, using our combined cyber capabilities to frustrate and defeat our adversaries.

There may sometimes be tension, as in any partnership. But I recall the words of Sir Winston Churchill: “There is at least one thing worse than fighting with allies – And that is fighting without them.”

So, Cyber Power is about defending our digital homeland, having the right capabilities to actively promote and protect our interests if we need to.

It’s about having strong alliances. Growing connections. Boosting collaboration. Finding ways to encourage openness and collaboration between people and nations. It’s about creating new rules of engagement for our digital future. So we can share ideas and work together for stability and prosperity.

Cyber Power is also about having the right technical expertise to use cyber power well and having the right legal and ethical base to use it wisely.

It’s about embracing the unexpected and seeing into the future.

I believe the UK is a Cyber Power with the potential to provide leadership in this debate.

GCHQ is at the heart of that. I am confident we can succeed because with the right mix of minds, anything is possible.