Director GCHQ speaks at Billington Cyber Security Summit
News article - 7 September 2018
Yesterday, our Director Jeremy Fleming spoke at the 9th Billington Cyber Security Summit in Washington DC. This was his first speech in the United States and a chance to highlight the strength of the signals intelligence partnership between our two countries. Mr Fleming also spoke about the changing world we're operating in, and the need to build secure technology if we are to keep our citizens, economies and societies safe.
The full version of the speech is below.
Billington Cyber Security Summit
Thursday 6 September 2018
Good afternoon. Thank you for that very warm introduction.
I'm delighted to be here in Washington. It's a privilege to be able to make my first public speech in the United States at such a prestigious event.
This conference always seems to bring together key thinkers on intelligence and cyber policy, at a level you don't usually see.
It's making progress on issues that really matter. You're the type of people who can make things happen. Tom, thank you for inviting me.
Today, I'm going to cover two main areas. Firstly, I'm going to look at how the world we're operating in is changing. And secondly, how we need to work differently with partners to get ahead of cyber-fuelled change and make technology automatically safer to use.
But before expanding on that, I'm going to talk about the longstanding partnerships we have between my organisation and sister organisations here in the US.
US and UK relationship
Of course, the most important and enduring one is with the NSA.
This is the seventy-seventh year of the signals intelligence partnership between our two countries. I believe it's one of the jewels in the Crown of the 'Special Relationship'.
From the early days of computing with crude devices, weighing several tons, through the dark days of the Cold War, to the rise of Islamist terrorism.
And now to the challenges and opportunities of the cyber age, it's always been critical to our joint safety, security and prosperity.
General Eisenhower wrote to Bletchley Park at the end of the war to say thank-you for the support given to him by what was a joint Anglo-American effort. He said: 'The intelligence which has emanated from you before and during the campaign has been of priceless value to me. It has simplified my task as a commander enormously. It has saved thousands of British and American lives ...'
That was our mission then: and that is our mission now.
Today, we see it evolving in new ways: from joint attribution of cyber-attacks, to our campaign against the ISIS propaganda machine, to shared exploration of the possibilities of Quantum Computing, and Artificial Intelligence.
All of this work is based on partnership. And today marks the first time that General Nakasone and I will share a stage in public.
I think we share a common view of the role our organisations must play in keeping our countries safe. How they must adapt and welcome new technologies. Become more transparent. Continue to push the boundaries of research. Be places where anyone with drive and curiosity can flourish. Where diversity, in all senses of the word, is celebrated. And where we follow the examples of our predecessors by being agile, innovative, and persistent.
Ultimately, it's the people of our organisations, the individual relationships and friendships, who make this alliance work.
I'd like to commend General Nakasone for his leadership, and thank the men and women of the NSA and GCHQ for all that they do.
But our relationship in the US isn't just with NSA.
As GCHQ's mission has expanded so has our need to have operational ties with other US agencies. Our work on serious and organised crime to tackle with law enforcement the most difficult and global cases, is a good example of where this is happening.
The rise of cybercrime, and the sickening increase in child abuse and exploitation online, has seen us work ever closer with the FBI.
As our Home Secretary set out earlier this week, the scale of the challenge we face to protect children and young people online is vast, disturbing, sophisticated, and requires even stronger collaboration to tackle it.
In one recent operation, we saw a global effort with teams from the National Crime Agency, the FBI, DHS, the Australian Federal Police, Europol, and my organisation, GCHQ, using cutting edge tradecraft and good old-fashioned detective work.
That international team brought to justice a prolific offender who admitted 137 charges against 46 people. He received a lengthy sentence and will spend the next 32 years at Her Majesty's pleasure in Wakefield jail.
Unfortunately, this is not an isolated example.
Teams from the UK and the US have worked on numerous other cases in all corners of the US and all corners of the world. Working together, they're determined to protect our children.
But it's our work to make the UK the safest place to live and do business online, through our National Cyber Security Centre, that's driving the most change.
This is another team effort.
Earlier this year, the NCSC, FBI, and DHS, published joint technical advice that not only exposed malign Russian activity against routers, it gave companies the tools to get rid of it.
And we've been working closely with US and UK manufacturers and retailers to embed security in the Internet of Things.
None of this is easy. But we know that the unwavering strength of the US-UK partnership makes us a formidable force.
The world we're operating in
And frankly, this needs to be the case. As society changes, as the technologies we rely upon become pervasive, and as the way our adversaries turn them against us, we need to keep reinventing these partnerships.
I'll use three examples to illustrate the point:
Firstly, terrorism. Whether that's Al-Shabaab car bombs in Somalia; cars, trucks and kitchen knives used to maim and murder on the streets of our towns and cities; or ISIS propaganda videos radicalising people across the globe; the threat is as pervasive as ever.
Alongside our partners here in the US and our colleagues at the UK's Ministry of Defence, we've developed offensive cyber techniques to disrupt the ISIS media machine.
The effect is striking.
There were times in 2017 when ISIS found it almost impossible to use or trust their established channels to spread their hateful message.
It was the first time we'd used these methods to systematically and persistently degrade an adversary's online efforts as part of a wider military campaign.
As a result, tackling information and disinformation flows, is now a core part of counter terrorism efforts.
And of course we're seeing it become much more prominent in our fight against hostile states. This is my second example.
States have developed new toolkits to deliver deliberate acts of aggression or interference, to steal intellectual property and spread disinformation. And much of this is happening online.
Sometimes states do the dirty work themselves, sometimes they use proxies. But every time they act, they chip away at our values, our prosperity, and our way of life.
In the UK, that way of life was rocked earlier this year with the attack on Sergei and Yulia Skripal in Salisbury and the subsequent tragic poisonings in Amesbury.
It's worth remembering that this was the first time we'd seen a nerve agent used in Europe since World War Two.
That's sobering, and demonstrates how reckless the Russian state is prepared to be.
But as the Prime Minister said yesterday: we will not tolerate such barbaric acts against our country.
Since March, the Police with the full support of the intelligence community have led a painstaking and highly complex investigation into what happened in Wiltshire. We have ascertained exactly who was responsible and the methods they used.
As you would expect, teams from across GCHQ have worked tirelessly with partners at home and abroad to ensure that our world-class intelligence has informed that investigation.
And I was pleased to see yesterday that two GRU operatives were named and arrest warrants issued.
The threat from Russia is real. It's active.
And it will be countered by a strong international partnership of allies, able to deploy the full range of tools from across our national security apparatus. And ready to reject the Kremlin's brazen determination to undermine the international rules-based order.
So, my third area is the cyber domain.
In the past two years, we've seen terms like Advanced Persistent Threat, DDOS, and Ransomware, move from the tech pages to the front pages.
We've seen state-sponsored hackers conducting cyber-attacks to generate revenue.
Whether that's North Korean cyber actors releasing WannaCry, or persistent attempts to siphon money from the global banking system, these online attacks have real world impact.
These perpetrators need to know there are consequences for their actions.
And only a few hours ago with the charges brought by the FBI against a North Korean national in Los Angeles, we showed that we are able to hit back.
But the route and method of attack is constantly changing.
Some of the malware we're seeing is highly complex. It uses extensive infrastructure and advanced tradecraft to cause damage.
Others are much simpler, cheaper, and easier to industrialise.
Even the best-equipped actors - including states - are using simple fire-and-forget tools and techniques.
Now, we all know these are relatively easy to defend against, but it's still a sad fact that far too many businesses and yes, Governments, are vulnerable to these basic threats.
It's our job in the UK, through the NCSC, to improve the situation.
The NCSC is approaching its second birthday, and I believe it's rapidly become a world-leading organisation.
Since its Chief Executive, Ciaran Martin, spoke here in 2016, the NCSC has dealt with over 1,000 incidents, ranging from intrusions into important corporate networks, to threats to the UK's critical national infrastructure.
I know these numbers will continue to rise, and I remain concerned that it's still a matter of 'when' not 'if' the UK will face a national scale critical incident.
That will be a significant event. We're ready to respond.
But we know collectively, we have to do better - frankly much better - to get ahead of the threat and the technologies in play.
More than almost any other audience, I really don't need to lecture you on the technology accelerators we're seeing.
It's changing the world and bringing huge benefits to us all.
It's transforming healthcare, creating smart, energy-efficient cities, making our work and home lives more productive, and revolutionising the relationship between business and the consumer. It's a really exciting time.
Using, understanding, and sometimes inventing that technology, has been central to GCHQ's mission for nearly one hundred years. We've always been a data science organisation.
But as the amount of data has grown, GCHQ has had to find ingenious ways to analyse it and generate vital intelligence.
This challenge is only going in one direction as computing power grows, the world becomes more networked, and the Internet of Things becomes a reality.
So, how do we cope with that?
Well, just as technology provides a challenge, it also enables us.
Artificial Intelligence and Machine Learning have been in our lexicon for decades. But over the last few years, we've been able to pick out the science fact from the science fiction.
We can see much more clearly how to use these techniques to improve our operational, our cyber security, and corporate practices.
Whilst the benefits are potentially enormous, I'm also clear that the use of AI and other new technologies needs explaining and demystifying.
I want GCHQ to be at the heart of this debate. Whether that's informing policy makers about the realities of these technologies, or by helping oversight bodies understand the new balances society has to make.
I believe it's our responsibility to actively involve the public in this debate. And especially, to explain how we'll make necessary judgements on proportionality and privacy.
As we have done in other areas, we want to bring the 'outside' in - reaching out to academia, civil society, industry, partners here in the US, and other experts in this field.
I see it as vital that we bring as many diverse perspectives as possible to grapple with this complex issue.
How we face the challenges of the future
So, I think it's clear that this mixture of traditional threats and emerging challenges is forcing us to re-examine the way we operate.
This conference and many others before have looked at what this means for the businesses and enterprises we all lead. It affects the skills of our people, our operating models, and the way we interact with our stakeholders and customers.
We all know that big muscle movements are required in every one of our organisations to make this happen.
And yet, I think we'd also admit that in many of the cases the immediacy of the threats we face - whether it's to the bottom line of our P&L, or to our national security - make it extremely difficult to take a truly strategic view.
I think this is also true for cyber security.
We're now past the first generation of mass internet access, of ubiquitous technologies, and global mobile computing. It was driven by ease of use and availability of low-cost products. It did not have security at its core.
We can understand why that was the case, but that is no longer sustainable. For the next generation, we need to find ways of designing in security from the start. Of making it automatically safer.
Fixing this isn't just an issue for Governments.
It's one for industry, for professional standards bodies, and for international partnerships.
It's about not being afraid to fail. Of being open with each other. And, as probably all of our maths teachers said to us at some point: of showing our working.
It means trying things that Governments - especially secret bits of Governments - have found it hard to do in the past. Including publishing the results of research; regardless of whether it worked.
In the spirit of this, we're trying a few things in GCHQ I'd like to share with you now.
The first is the NCSC's Active Cyber Defence programme, launched here in 2016.
It's a genuinely strategic programme designed to remove cyber threats before they affect the enterprise or individual. It aims to implement automated protection for most of the people, from most of the cyber-attacks, for most of the time.
We've had some fantastic results, including reducing the share of global phishing hosted in the UK from 5.5% to 2.4%. If you'd like more detail, I highly recommend the 'Active Cyber Defence - one year on' paper on the NCSC website - the GCHQ account will tweet it afterwards.
We have a pipeline of exciting new ACD experiments that we're trialling over the coming months. And when they're finished, we'll publish those results too.
Some governments are already working with us to experiment with ACD measures in their countries, and we're looking at how to expand the tools and the beneficiaries further.
But as I said: it's not just for governments.
We need the heft of industry - more initiatives like BT's efforts to protect their residential customers by default. We need the experience of the academic community, and the knowledge of security experts working together to address systemic weaknesses with population level effects.
Another area is encryption.
The debate around warranted access to encrypted communications or devices continues to feel entrenched.
GCHQ is engaging because we believe a solution allowing industry and governments to demonstrate responsible access that protects privacy is within reach.
To avoid any doubt: the UK Government strongly supports encryption.
We have no interest in undermining the security of commodity services or the trust placed in those who provide them to the public.
There must be rigorous, technology-literate, and dispassionate discussion about potential solutions.
Yes, encryption enables us all to live safer online lives. But its ubiquity brings anonymity to terrorists, paedophiles, and cybercrime gangs, who law enforcement and intelligence agencies are trying to stop. And it's getting worse.
We're going to engage proactively in this debate. We're going to use our technical expertise built over 100 years to help people understand the realities of the requirement for exceptional warranted access.
We're working to explain the specifics of the problem, but also to help all sides understand the real-world impact of potential solutions.
This debate must be open. And where we can, let's make it easy for non-technical people to understand.
Of course, it goes without saying that there has to be close co-operation and agreement with technology companies.
We're confident these solutions exist. And where they do, proportionality, as in everything else we do, is key.
They should be limited in scope and scalability, supported by modern legislation, and with strong oversight to maintain public confidence.
And a final area is in the future of telecommunications infrastructures. This is most often characterised in the debate about future Chinese involvement in delivering 5G.
We know that the globalisation of technology is here and we need to learn to deal with it.
We need to be realistic that critical technologies and standards - including in 5G - are increasingly likely to come from other countries.
In the past, this type of capability would have 'Made in the UK' or 'Made in the US' stamped on it.
But we don't live in the past. We live in a world where there are more mobile devices than people. Where voice activated speakers are in all of our homes. Where self-driving cars and telemedicine are enabled by 5G.
And where the Internet of Things is fast arriving.
The demand for better infrastructure at home, in the office, and on the move, is only going to increase - the supply has to meet the demand, but it has to do this with security in mind.
This means we all have to look at how to better manage foreign supply into our national infrastructure. Each country will do it slightly differently. But we'll all need controls to balance investment, trade, and security.
We think we need a global push with likeminded Governments and technology companies to make sure that there is a greater diversity of technologies on offer, from a greater number of countries.
And, crucially - irrespective of where those technologies originate - they have to have robust cyber security built into their core.
In conclusion, it's clear to me that we face significant threats now and even more significant change in the future.
That arc of change from technology and from the threats we face is likely to be more aggressive and more consumer-driven than at any point in our history.
Facing up to this situation means working differently with partners - old and new.
It means building security and partnership in at the start of each endeavour.
And it means sharing more of our workings with business and the wider public to make sure we have a common understanding of threats and cyber solutions.
If we get this right, we will have made technology automatically safer to use.
I said at the start that this is a group of people who have the ability to make things happen.
None of us can or should expect a transformation overnight, but we have a chance to build an environment we need to keep our citizens, economies, and societies, safe.
I think that is something worth shooting for.