Infosec 2015: Has GCHQ lost the cyber security plot?
It's more about what GCHQ doesn't say about the Snooper's charter than what it does, according to Davy Winder
Infosecurity 2015 has been a great place to be if you care about IT security either from the vendor or enterprise perspective. The biggest event of its type in Europe, you would have expected a big-hitter to open things and that's what you got in the shape of Ciaran Martin, Director General of Cyber Security at GCHQ.
Or at least that's what you might think you were getting, until the actual point that Martin started talking that is and you realised that what you actually got was a spin-doctor. The key theme of the keynote presentation was how cyber attacks are driven by power, money and propaganda, and how apt that turned out to be seeing as Mr Martin used his position of power to push the government privacy argument position of you have nothing to fear from us'.
An odd mix of vendors going for the hard sell alongside technical workshops and roundtable discussions pretty much sums up Infosecurity. I attended one of those roundtable events an hour or so after the GCHQ presentation, which included our very own occasional contributor Tom Brewster asking whether vendors control the narrative when it comes to media reporting of IT security. You may not categorise GCHQ as a vendor, but I would argue that Mr Martin was certainly trying to sell a product; namely the ability to pry on our private communications wrapped up in the packaging of protecting us from evil.
Vendor-esque overtones or not, Mr Martin certainly attempted to control the narrative by not only stating from the get go that he wouldn't be talking about the so-called Snoopers' Charter but also ended things by only having time for one question from the floor. A question asking about tech firms leaving the UK over the likelihood of forced encryption back doors, I hasten to add, that was answered by quoting someone else confirming that GCHQ was no threat to our privacy.
None of this should come as any great shock of course, what with Mr Martin previously having been the lead negotiator on the referendum for Scottish independence for the Prime Minister in his role as Constitution Director' at the Cabinet Office. Something of a career civil servant with roles as Head of the Cabinet Secretary's Office and Director of Security and Intelligence behind him, I wasn't that surprised when his speech ended up like something from Sir Humphrey out of Yes Minister.
Now it would be disingenuous of me to suggest that Mr Martin, given both that Director of Security role and his current one, knows nothing about IT security. Just like it would be disingenuous of the government to suggest there is no political motivation behind speeches such as this one.
A speech entitled Building Cyber Security for Tomorrow' with Sir Humphrey, sorry I mean Mr Martin, spelling out right from the start that he would be focusing his comments on who is attacking us and how, what defensive and response strategies are most effective to combat them and what the role of GCHQ is in all of this.
Needless to say we never really discovered the who or how, and the combat strategies were just a repeat of usual broad sweep basics of business IT security 101. He did, however, take some time to explain why he wouldn't be talking about the Snoopers' Charter, which he didn't mention by name.
Here's exactly what Mr Martin said:
"Our role only really works because we have a world class intelligence capability to draw on. If we want to protect the UK from the darkest aspects of cyber space, we have to be able to understand how that works. That intelligence role has been the source of well-known controversy around privacy.
"I won't and can't talk about that in any detail today. The Queen's speech set out a process for considering legislation on the proper powers for national security and law enforcement bodies and it is for Ministers to propose and for Parliament to debate. All I would say is that everyone in GCHQ is acutely conscious that we are entrusted with significant power under the law, and we use it extremely carefully.
"Just over a year ago, the Interception Commissioner, Sir Anthony May, who was formerly one of England's three most senior judges and had ruled against the intelligence services in the past, compiled a report on the various allegations. He had full access to the papers and staff of GCHQ. He asked the question: "does GCHQ engage in the random mass intrusion into the private lives of law-abiding citizens?" The answer was "emphatically no".
"To get back to cyber, one of the things that has almost flippantly been said in our defence is that even if we wanted to do such things we don't have enough people to engage in such unlawful mass intrusion. And size naturally affects our role on cyber. We're simply not big enough to put a big cyber umbrella over the UK: no single organisation could possibly do that over any country."
The clue is at the end of all of that, of course, in that the bill which the Home Secretary and Prime Minister want passed into law would mean that it's the Internet Service Providers which would be forced into both collecting and storing the vast amounts of data required to snoop on users, and then handing over the bits (no pun intended) to GCHQ that relate to specific users upon request.
Which puts quite a different perspective upon it. David Cameron has also made it quite clear that he wants encrypted messaging services banned, and/or back doors put into encryption services.
Quite how an ability to devalue the ability to encrypt data serves to help British business in the fight against cyber crime, which was the main thrust of the Martin presentation remember, is frankly beyond me. Just as all the themes of Intelligent Security' as set out by Infosecurity Europe appear to be beyond Mr Martin, GCHQ and this government. Those themes were Protect - Defend - Respond - Recover. Mr Martin certainly achieved the first two with his presentation, and when he responds properly we might be able to tell if GCHQ can recover...