Analysis

Infosec 2015: Has GCHQ lost the cyber security plot?

It's more about what GCHQ doesn't say about the Snooper's charter than what it does, according to Davy Winder

Cyber spy

Infosecurity 2015 has been a great place to be if you care about IT security either from the vendor or enterprise perspective. The biggest event of its type in Europe, you would have expected a big-hitter to open things and that's what you got in the shape of Ciaran Martin, Director General of Cyber Security at GCHQ.

Or at least that's what you might think you were getting, until the actual point that Martin started talking, that is, and you realised that what you actually got was a spin-doctor. The key theme of the keynote presentation was how cyber attacks are driven by power, money and propaganda, and how apt that turned out to be, seeing as Mr Martin used his position of power to push the government privacy argument position of 'you have nothing to fear from us'.

An odd mix of vendors going for the hard sell alongside technical workshops and roundtable discussions pretty much sums up Infosecurity. I attended one of those roundtable events an hour or so after the GCHQ presentation, which included our very own occasional contributor Tom Brewster asking whether vendors control the narrative when it comes to media reporting of IT security. You may not categorise GCHQ as a vendor, but I would argue that Mr Martin was certainly trying to sell a product; namely the ability to pry on our private communications wrapped up in the packaging of protecting us from evil.

Vendor-esque overtones or not, Mr Martin certainly attempted to control the narrative by not only stating from the get-go that he wouldn't be talking about the so-called Snoopers' Charter but also ending things by only having time for one question from the floor. A question asking about tech firms leaving the UK over the likelihood of forced encryption back doors, I hasten to add, that was answered by quoting someone else confirming that GCHQ was no threat to our privacy.

None of this should come as any great shock of course, what with Mr Martin previously having been the lead negotiator on the referendum for Scottish independence for the Prime Minister in his role as 'Constitution Director' at the Cabinet Office. Something of a career civil servant with roles as Head of the Cabinet Secretary's Office and Director of Security and Intelligence behind him, I wasn't that surprised when his speech ended up like something from Sir Humphrey out of Yes Minister.

Now it would be disingenuous of me to suggest that Mr Martin, given both that Director of Security role and his current one, knows nothing about IT security. Just like it would be disingenuous of the government to suggest there is no political motivation behind speeches such as this one.

A speech entitled 'Building Cyber Security for Tomorrow' with Sir Humphrey, sorry I mean Mr Martin, spelling out right from the start that he would be focusing his comments on who is attacking us and how, what defensive and response strategies are most effective to combat them and what the role of GCHQ is in all of this.

Needless to say we never really discovered the who or how, and the combat strategies were just a repeat of usual broad sweep basics of business IT security 101. He did, however, take some time to explain why he wouldn't be talking about the Snoopers' Charter, which he didn't mention by name.

Here's exactly what Mr Martin said:

"Our role only really works because we have a world class intelligence capability to draw on. If we want to protect the UK from the darkest aspects of cyber space, we have to be able to understand how that works. That intelligence role has been the source of well-known controversy around privacy.

"I won't and can't talk about that in any detail today. The Queen's speech set out a process for considering legislation on the proper powers for national security and law enforcement bodies and it is for Ministers to propose and for Parliament to debate. All I would say is that everyone in GCHQ is acutely conscious that we are entrusted with significant power under the law, and we use it extremely carefully.

"Just over a year ago, the Interception Commissioner, Sir Anthony May, who was formerly one of England's three most senior judges and had ruled against the intelligence services in the past, compiled a report on the various allegations. He had full access to the papers and staff of GCHQ. He asked the question: 'does GCHQ engage in the random mass intrusion into the private lives of law-abiding citizens?' The answer was 'emphatically no'.

"To get back to cyber, one of the things that has almost flippantly been said in our defence is that even if we wanted to do such things we don't have enough people to engage in such unlawful mass intrusion. And size naturally affects our role on cyber. We're simply not big enough to put a big cyber umbrella over the UK: no single organisation could possibly do that over any country."

The clue is at the end of all of that, of course, in that the bill which the Home Secretary and Prime Minister want passed into law would mean that it's the Internet Service Providers which would be forced into both collecting and storing the vast amounts of data required to snoop on users, and then handing over the bits (no pun intended) to GCHQ that relate to specific users upon request.

Which puts quite a different perspective upon it. David Cameron has also made it quite clear that he wants encrypted messaging services banned, and/or back doors put into encryption services.

Quite how an ability to devalue the ability to encrypt data serves to help British business in the fight against cyber crime, which was the main thrust of the Martin presentation remember, is frankly beyond me. Just as all the themes of 'Intelligent Security' as set out by Infosecurity Europe appear to be beyond Mr Martin, GCHQ and this government. Those themes were Protect - Defend - Respond - Recover. Mr Martin certainly achieved the first two with his presentation, and when he responds properly we might be able to tell if GCHQ can recover...
