Defence

Introduction 

I talk to hundreds or maybe even thousands of people online. I work in the cyber security industry, and I have previously worked with central government, local authorities, finance, the third sector, healthcare, defence and, well, most verticals of business. I often see people comment online about how “GCHQ has failed” or some other silly nonsense when an organisation (not GCHQ) falls victim to a cyber incident.

I fear the world has watched a few too many Bond and Bourne films and let its imagination run wild! The reality of defending cyberspace is frankly vastly different to what I think people believe it is.

The UK Intelligence Services

OK, I’m not going to write War and Peace on the intelligence services: I’m not a historian or academic, and frankly there’s a ton of material in the public domain in this space. However, let’s just quickly think about the major components of British intelligence. We have:

  • Central Government – they are the customer for the intelligence services, making policy informed by the intelligence they receive.
  • Military – they are often the customer, or have their own intelligence capability to help them with their planning.
  • The Intelligence Services – whose role is to “obtain and provide information relating to the actions or intentions of persons” (Intelligence Services Act, 1994) who are considered a threat to the UK in three key areas:
    • National Security and Foreign Policy
    • Economic wellbeing
    • Serious and Organised Crime. (all taken from the ISA 1994)

Agencies

SIS – MI6 

https://www.sis.gov.uk/

“We work overseas to help make the UK a safer and more prosperous place” 

MI5 – THE SECURITY SERVICE 

“MI5’s mission is to keep the country safe” (The role of MI5, as defined in the Security Service Act 1989, is “the protection of national security and in particular its protection against threats such as terrorism, espionage and sabotage, the activities of agents of foreign powers, and from actions intended to overthrow or undermine parliamentary democracy by political, industrial or violent means”)

https://www.mi5.gov.uk/

GCHQ (& NCSC) 

“We are the UK’s intelligence, security and cyber agency. Our mission is to help keep the country safe.” 

They have the responsibility to “monitor or interfere with electromagnetic, acoustic and other emissions and any equipment producing such emissions and to obtain and provide information derived from or related to such emissions or equipment and from encrypted material” (ISA 1994) relating to the actions and intentions of persons deemed a threat to the UK.

National Cyber Security Centre

https://www.ncsc.gov.uk/

They act as a technical authority and provide guidance and assistance to organisations and the general public with respect to cyber security.

(Taken from their website)

“We support the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public. When incidents do occur, we provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.

More specifically, the NCSC:

  • understands cyber security, and distils this knowledge into practical guidance that we make available to all
  • responds to cyber security incidents to reduce the harm they cause to organisations and the wider UK
  • uses industry and academic expertise to nurture the UK’s cyber security capability
  • reduces risks to the UK by securing public and private sector networks”

Defence Intelligence 

“Part of Strategic Command, Defence Intelligence (DI) empowers decision makers in the Ministry of Defence (MOD) and UK government by providing intelligence products and assessments.”

https://www.gov.uk/government/groups/defence-intelligence

Joined together by: 

Joint Intelligence Committee (JIC) 

https://www.gov.uk/government/groups/joint-intelligence-committee

“The Joint Intelligence Committee (JIC) is an interagency deliberative body of the United Kingdom responsible for intelligence assessment, coordination, and oversight of the Secret Intelligence Service, Security Service, GCHQ, and Defence Intelligence. The JIC is supported by the Joint Intelligence Organisation under the Cabinet Office.” 

UK Intelligence – In summary 

Everyone is working to make the UK safe! How they do that varies. But people also need to realise these are intelligence services. 

They have a finite remit and finite resources; they generally focus on areas such as:

  • Counter Terrorism 
  • Espionage/Counter-espionage 
  • Sabotage 
  • Serious Crime 
  • Fraud & Money Laundering 
  • Counter-Proliferation 
  • Child Exploitation 
  • Human Trafficking 

With regard to cyber security, the NCSC is the UK technical authority; we also have capabilities in GCHQ and the relatively recently formed National Cyber Force (NCF).

When it comes to cyber, GCHQ are responsible for: 

  • Signals Intelligence 
  • Research 

Inside GCHQ we have the NCSC: 

  • Technology/Cyber Standards 
  • Information Assurance 
  • Country Cyber Emergency Response Team (CERT) 
  • Supporting businesses and organisations 
    • There are some great free services in the Active Cyber Defence space that you can leverage (some are restricted to the public sector etc.)
    • Threat Intelligence Sharing via CISP 
    • Early Warning 
    • Mail Check 
    • PDNS 
    • And more! 

Which is great! Lots of people working to keep the UK safe across a wide range of areas focusing on important missions! 

Nowhere here is anyone responsible for: 

  • Ensuring you lock your car/house.
  • Making sure your firewall is well configured and monitored.
  • Monitoring your PCs and mobile devices.
  • Managing your assets’ cyber security.

Cyber Defence 

OK, so hopefully I’ve set the scene. The intelligence services have a defined scope, remit and set of resources. That doesn’t include (as I have said before) managing the cyber security of your assets!

You can subscribe to some services from the NCSC that may help you. That is a choice (they are good, so I’d say looking into them is a good idea!).

But remember this is on you! It’s your PC, your servers, your data (and probably your customers/supply chain etc.) 

You have loads of free resources; there’s even free cyber awareness training from the NCSC! Go use them (or use alternatives; the choice is yours, after all, we live in a democratic society).

Defending the country and its people against Threats – Being good cyber citizens 

Do you know who’s responsible for doing this? 

WE ALL ARE! 

Yes, the government, intelligence services, military, police, industry, and academia have roles to play. But so do we, the people of society. 

When we consider this reality, we need to understand that we have a bunch of competing wants and needs. They might include:

  • Financial Constraints 
  • Privacy wants/needs. 
  • Human Rights 
  • Legal Requirements 
  • Skills 
  • Capabilities 
  • Contractual Requirements 
  • Corporate Policy
  • Desires/Wants/Needs etc. 

There’s not a binary position. 

So, we can’t scream for 100% security (it doesn’t exist anyway) when we know that at a certain point security controls (such as TLS interception, man in the middle, data scraping and analysis) can encroach on privacy. Similarly, we have to consider the legal implications and the potential for harm (we can do things in the name of security that may cause harm; this is true at an individual level, organisational level and society level), and that’s before we even think about the likely resource requirements for these organisations to take on that responsibility (and the cost it would mean!).

As a society you can’t scream at governments or agencies like GCHQ saying “you don’t protect us from 100% of cyber threats” and say “we don’t want you reading our data” because:

  1. As I said before, 100% security isn’t a real thing; it doesn’t exist.
  2. If we want and need privacy (I believe we do), we must accept some balance of risk.

I say this as someone who (for reasons probably unknown even to myself sometimes) spends a significant amount of time, both professionally and personally, trying to help people and the country be safer in cyberspace. But I also recognise the balance between safety and privacy is a very complex one. For example, under some views of my metadata and data, I probably look like a baddie! I am followed by criminals on Twitter, I am an offensive security practitioner, I operate in the cyber threat intelligence space and I’m generally doing all kinds of odd research. You can take my word that I do it to help people (or not). At work I must both read data and respect privacy; I can tell you that even in corporate networks this is challenging, so much so that I might write a blog specifically about that subject. The reality of some of this is that it requires oversight, vetting, good intentions, good execution and freedom from influences that may try to steer my actions for their own gain.

To summarise I recognise a few things: 

  • 100% Security does not exist 
  • We can’t demand ultimate security and ultimate privacy and think this is realistic or that this works 
  • We can’t not educate the population on the realities of this game; if we keep people in the dark, they will turn to Hollywood films, TV shows and sensationalist media content to fill gaps in their imaginations

A balancing act for Cyber Defence 

If I said I had all the answers to this game I’d be lying. I learn every day, and I have a great network of friends, colleagues etc. who help me. I am very fortunate to have what was recently described as “an army of twitter followers” who I talk with and learn from (and they are all over the world, from all walks of life).

  • I don’t know the exact balance of security and privacy we need at a country level; I do think we need to be more open about the challenges, the options and the risks/rewards.
  • I do know the people I work/ed with in Government are just normal people doing their best to do a good job to help defend and keep the country safe, and there isn’t some evil malevolent inner circle of devious minds creating all these conspiracy theorists’ wet dreams.
  • I do know that the cyber community is amazing, diverse and wonderful. 
  • I do know the UK cyber scene rocks! 
  • I do know a thing or two about business architecture and cyber defence 

What I can say: 

  • My firewalls, routers, PCs, Servers and Devices are mine to protect, as are yours! (just like my personal property is my responsibility too)
  • We need standards and policies at a country and global level to improve cyber security as a continuum (just like we have standards on how to build safe buildings or fire resistant doors)
  • We need to both protect privacy and keep society digitally safe (honestly, we are bad at both today at a macro level globally) 

We are under threat, but we always have been and always will be! We need to keep fighting the good fight, we need to do our parts to move society in the right direction. We need to enable the goodies (whilst protecting the rights and freedoms of people). We need to be realistic. We need to work together. 

We can’t expect anyone else to be there to do it for us!