In his speech Fleming referred to how automation can help block attacks and said that by doing this, GCHQ had already helped reduce the UK’s share of global phishing from 5% to 2.4%.
Opportunity and challenge
He began his speech by arguing that the technology revolution “is providing extraordinary opportunity, innovation and progress – but it’s also exposing us to increasing complexity, uncertainty and risk.” There is nothing new in this claim, of course, but for technologists who say this to a sometimes sceptical audience, it is good that we can cite the GCHQ Director to back us up.
Highlighting findings from the UK Cyber Survey, he pointed out that although “89% of Brits use the Internet to make online purchases – and 24% do so on a daily basis…only 15% said they knew how to protect themselves online…this lack of awareness was particularly marked amongst older people.”
He said that “new policy and a new rule book” is required to tackle the way “vulnerable people are suffering from online harms like cyber bullying and hate speech.”
He also argued that GCHQ should not work in isolation and he referred to that word that is so often the enemy of digital transformation — silo — as something that must be avoided.
Success to date — from HMRC to small businesses
The GCHQ Director stated that since the formation of NCSC — National Cyber Security Centre — it has worked on “1,500 significant cyber security incidents,” and by using automation, “has reduced the harm from thousands of attacks a month. And it has played a major role in dealing with the strategic threats we face from hostile states.”
As an example, he cited work GCHQ has done in collaboration with HMRC, which has fallen from being the “16th most phished brand globally” in 2016 to 146th. He said: “Our protective DNS system for the public sector blocked access 57.4 million times with malware such as Conficker.”
He also said that “GCHQ had identified over 1,200 sites which were serving malicious code to illicitly copy credit card transactions. We were able to help these small businesses fix the problem and protect their customers and their reputation.”
How can the UK become a cyber power?
Fleming outlined three ways the UK can demonstrate it has become a cyber power:
- “By becoming world-class in safeguarding the cyber health of its citizens, businesses and institutions.
- Via legal, ethical and regulatory regimes to foster public trust.
- When the security of the nation is threatened, it has to have the ability – in accordance with international law – to project cyber power to disrupt, deny or degrade our adversaries.”
Information Age comment: It is encouraging to see him refer to ethical regimes. Ethical AI is emerging as a critical theme at the moment, and while it is clear that the UK will always lag behind the US and China in AI, many argue that it can become the world leader in ethical AI and ethical use of data.
It is interesting to see him refer to the UK disrupting, denying or degrading adversaries. This has been a theme with Information Age, which has looked at how companies apply a vigilante approach to cyber security, and how this is best done in collaboration with the public sector.
What GCHQ is doing
Fleming said that GCHQ and NCSC “intend to do more to take the burden of cyber security away from the individual.” The plan is to work “closely with device manufacturers and online platform providers to build security into their products and services at the design stage.”
He talked about working with ISPs “to enhance the security of internet-connected devices in the home.”
GCHQ is also planning to share “intelligence with banks” so that they can alert customers to any issues in “real time.”
He also said that GCHQ is working with schools to encourage the “development of critical cyber and STEM skills.”
‘By design’ has become a key way of looking at things. A critical part of GDPR is ‘privacy by design,’ others talk about ‘ethics by design.’ Fleming referred to ‘security by design’ and “the potential to bake in cyber security as new systems are brought in to replace aging legacy systems.”
Looking towards third parties
These days, Huawei never seems to be far from the front pages. While Fleming did not mention the company by name, he did say: “When we analyse a company for their suitability to supply equipment to the UK’s telecoms networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks.”
Significantly he added: “The flag of origin of 5G equipment is an important, but it is a secondary factor.”
Back to automation
The GCHQ Director did talk extensively about automation. For example, he said that NCSC’s Active Cyber Defence programme “uses automation to block attacks on an enormous scale.”
He was positively exuberant when he said: “In March, the UK hosted share of global phishing fell below 2% for the first time. When we started in 2016 it was 5.4%.” He added that this approach will be expanded “both domestically and with international partners so that it is implemented at a scale to make a truly, nationally, and potentially internationally, transformative difference.”
He also referred to work GCHQ is doing in AI, Internet of Things and Quantum.
Collaboration and the aim
He also talked about how GCHQ, government, business and academia must work together.
To describe the relationship with academia he selected choice words: “it means solving hard problems, not admiring them.”
“The prize is great,” he concluded, “a world leading cyber security approach and as a consequence, a safer, more successful UK.”
Mark Crichton, Senior Director of Security Product Management at OneSpan, said that the speech “illustrates how collaboration across all industries involved in the fight against fraud is crucial to facing today’s threats and keeping customers safe.
“The fight against fraud today relies heavily on the analysis of vast amounts of real-time data. With technology-enabled financial crime increasing, banks need to be able to act fast. New risk-based technologies, powered by AI and machine learning, are driving financial institutions’ ability to analyse huge amounts of transaction, device, geographical and behavioural data to detect and prevent fraud as it happens. Having additional real-time information from GCHQ and other channels will only help banks and other organisations further shore up their defences.”
Jake Moore, cyber security specialist at ESET, said: “GCHQ working more closely with banks and other businesses can’t come soon enough.
“Cyber security awareness is a national issue and those who are unaware of the magnitude of the problem require extra support. Sharing intelligence in real time with banks might be the difference between someone losing their life savings and being able to stop the attack in the first place.”