IA15: Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and criticised the free market's failure to provide adequate cybersecurity.
The claim was delivered to a cybersecurity shindig attended by government employees and private professionals, arranged by GCHQ's infosec arm CESG, as GCHQ's head honcho pontificated upon the relationship between the market, regulation, and threats affecting the cyber domain.
"At this event last year, we set out a raft of measures in response to the demands of commercial partners for greater clarity about what they could do to protect themselves and where they could go for help," said Hannigan, who added that "there has been some very good progress."
"Over 1,200 companies are now registered as meeting the requirements of Cyber Essentials. Information sharing partnerships are flourishing in some sectors. Cyber risk reviews are helping transform others," Hannigan claimed, days after CESG was accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme.
"The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear.
"The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature.
"And what's also clear is that we cannot as a country allow this situation to continue."
Speaking on the government's most recent attempt to regulate in this area – the controversial Investigatory Powers Bill – Hannigan declared his intention to "confront head on some of the myths about these matters, some of which have surfaced again as the government consults on proposals for new national security and law enforcement legislation."
"First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don't. We advocate encryption. People and business in the UK should use encryption to protect themselves. If you don't believe me, look at the website we launched today which is full of advice to use good encryption. All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."
Nor does GCHQ want security products to be weakened by forcing products in the UK to have "so-called backdoors," Hannigan claimed.
"We have never said this and we do not want this," he added. "Products should be secure. We work with companies to help make them secure.
"The third myth is that we encourage vulnerabilities and leave them there. The truth is the opposite. In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business. Vendors sometimes publicly credit us with finding those weaknesses. In September, Apple publicly credited us with the detection in the operating system for iPhones."
"No organisation does more to protect the UK in cyberspace," said Hannigan, "from active defence, through advice, to working with companies to improve the security of products."
Earlier this year, the Electronic Frontier Foundation filed a lawsuit against GCHQ's partner organisation in the US, the NSA, over its Vulnerabilities Equity Process, which it uses to hoard 0-day exploits.
Dr Richard Tynan, a technologist from Privacy International, told The Register: "Mr Hannigan is extremely nuanced with his words when he asserts that GCHQ does not encourage system weaknesses and regularly reports found vulnerabilities. While we may never know the full extent of coercion used by GCHQ, we do know that its big brother, the NSA, paid $10m to RSA, a company that provides encryption products.
"We also know from the Edward Snowden revelations that GCHQ does not disclose all the vulnerabilities it finds and instead uses them for offensive hacking purposes. We have seen GCHQ target a variety of providers, from anti-virus vendors to software commonly used for online blogs and forums around the world.
"There is no basis in law at present, or in the proposed Investigatory Powers Bill, authorising GCHQ to fail in its duty to protect the privacy and security of the public. Furthermore, this conduct undermines trust in devices, networks and services as users can be betrayed at any moment by anyone aware of the flaw, including cyber criminals and governments."
GCHQ declined to comment when questioned by The Register about the existence of a Vulnerabilities Equity Policy.
Elaborating on GCHQ's information assurance successes, Hannigan stated the Sigint agency has "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."
"We have developed a strong partnership with law enforcement here and in the US, and I pay tribute to our colleagues in the National Crime Agency and the FBI. Together we have disrupted the operations of some of the most dangerous global cyber criminal networks operating today.
"At the high end, we are working closely with the Ministry of Defence to secure the UK's long term future as one of the world's few truly sovereign cryptographic nations, something, as many of you will know, the Prime Minister attaches great importance to."
Asked about "cryptographic sovereignty", GCHQ explained to The Register that "in the context of the speech, [the] Director was referring to the UK being a world leader in [cryptography] in its own right, in that we do not need to depend on other countries, whether state or industry, to have this capability."
"I am all too aware that we can only achieve anything in partnership. Each and every day I am reminded of the importance of our partnerships – our contractors, who make up a third of our workforce, our suppliers, our commercial partners, those who work with us lawfully on both intelligence and cyber security, and the experts with whom we develop our knowledge and expertise," said Hannigan.
"We have an excellent, proud and long record of working with industry – back through the Second World War – to promote the highest standards of information security in the UK."