GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Hannigan also denies spy agency ever wanted backdoors


IA15 Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and reproached the free market's ability to provide adequate cybersecurity.

The claim was delivered to a cybersecurity shindig attended by government employees and private professionals, arranged by GCHQ's infosec arm CESG, as GCHQ's head honcho pontificated upon the relationship between the market, regulation, and threats affecting the cyber domain.

"At this event last year, we set out a raft of measures in response to the demands of commercial partners for greater clarity about what they could do to protect themselves and where they could go for help," said Hannigan, who added that "there has been some very good progress."

"Over 1,200 companies are now registered as meeting the requirements of Cyber Essentials. Information sharing partnerships are flourishing in some sectors. Cyber risk reviews are helping transform others," Hannigan claimed, days after CESG was accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme.

The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear.

The normal drivers of change, from regulation and incentivisation through to insurance cover and legal liability, are still immature.

And what's also clear is that we cannot as a country allow this situation to continue.

Speaking on the government's most recent attempt to regulate in this area – the controversial Investigatory Powers Bill – Hannigan declared his intention to "confront head on some of the myths about these matters, some of which have surfaced again as the government consults on proposals for new national security and law enforcement legislation."

We advocate encryption.

"First is the myth that the government wants to ban encryption," said the head of GCHQ. "We don’t. We advocate encryption. People and business in the UK should use encryption to protect themselves. If you don't believe me, look at the website we launched today which is full of advice to use good encryption. All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."

Nor does GCHQ want security products to be weakened by forcing products in the UK to have "so-called backdoors," Hannigan claimed.

"We have never said this and we do not want this," he added. "Products should be secure. We work with companies to help make them secure."

He continued:

The third myth is that we encourage vulnerabilities and leave them there. The truth is the opposite. In the last two years, GCHQ has disclosed vulnerabilities in every major mobile and desktop platform, including the big names that underpin British business. Vendors sometimes publicly credit us with finding those weaknesses. In September, Apple publicly credited us with the detection in the operating system for iPhones.

"No organisation does more to protect the UK in cyberspace," said Hannigan, "from active defence, through advice, to working with companies to improve the security of products."

Earlier this year, the Electronic Frontier Foundation filed a lawsuit against GCHQ's partner organisation in the US, the NSA, over its Vulnerabilities Equity Process, which it uses to hoard 0-day exploits.

Dr. Richard Tynan, a technologist from Privacy International, told The Register: "Mr Hannigan is extremely nuanced with his words when he asserts that GCHQ does not encourage system weaknesses and regularly reports found vulnerabilities. While we may never know the full extent of coercion used by GCHQ, we do know that its big brother, the NSA, paid $10m to RSA, a company that provides encryption products."

We also know from the Edward Snowden revelations that GCHQ does not disclose all the vulnerabilities it finds and instead uses them for offensive hacking purposes. We have seen GCHQ target a variety of providers, from anti-virus vendors to software commonly used for online blogs and forums around the world.

There is no basis in law at present, or in the proposed Investigatory Powers Bill, authorising GCHQ to fail in its duty to protect the privacy and security of the public. Furthermore, this conduct undermines trust in devices, networks and services as users can be betrayed at any moment by anyone aware of the flaw, including cyber criminals and governments.

GCHQ declined to comment when questioned by The Register about the existence of a Vulnerabilities Equity Policy.

Elaborating on GCHQ's information assurance successes, Hannigan stated the Sigint agency has "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."

We have developed a strong partnership with law enforcement here and in the US, and I pay tribute to our colleagues in the National Crime Agency and the FBI. Together we have disrupted the operations of some of the most dangerous global cyber criminal networks operating today.

"At the high end, we are working closely with the Ministry of Defence to secure the UK's long term future as one of the world's few truly sovereign cryptographic nations, something, as many of you will know, the Prime Minister attaches great importance to."

Asked about "cryptographic sovereignty" GCHQ explained to The Register that "in the context of the speech, [the] Director was referring to the UK being a world leader in [cryptography] in its own right, in that we do not need to depend on other countries, whether state or industry, to have this capability."

"I am all too aware that we can only achieve anything in partnership. Each and every day I am reminded of the importance of our partnerships – our contractors, who make up a third of our workforce, our suppliers, our commercial partners, those who work with us lawfully on both intelligence and cyber security, and the experts with whom we develop our knowledge and expertise," said Hannigan.

We have an excellent, proud and long record of working with industry – back through the Second World War – to promote the highest standards of information security in the UK.
