Euro Security Watch with Mathew J. Schwartz

3rd Party Risk Management, Application Security, Artificial Intelligence & Machine Learning

Cybersecurity Call to Arms Issued by British Spy Chief

Act Decisively Now to Control West's Destiny, Says GCHQ Director Jeremy Fleming
Jeremy Fleming, director of GCHQ, speaks at the CyberUK conference in Glasgow, Scotland, in 2019. (Photo: Mathew Schwartz)

Does the West want to have its digital existence defined by adversaries, or is it ready to devote the time, resources, expertise and planning required to more fully take control of its evolving destiny?

That's the techno-Darwinian call to arms issued by Jeremy Fleming, the director of Britain's GCHQ intelligence agency - the U.K.'s equivalent of the U.S. National Security Agency.

"Without action, it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West," Fleming said on Friday, delivering virtually the annual Vincent Briscoe Lecture at Imperial College London. "As the digital world evolves and powers shift, it is completely clear to me that the next epoch will be defined by those who grab the innovation initiative and succeed in promoting their values."

Mastering Technology Is Tough

Unfortunately, Britain and its allies have an imperfect track record when it comes to their government officials fostering emerging technologies that have a national security impact.

Indeed, the failure of Britain and many of its closest allies - including the U.S. - to develop and roll out trusted, domestic alternatives to Chinese manufacturers' 5G equipment, at an attractive price point, stands as one of the biggest national security failures in recent years. And unless governments act now, many more such failures may follow (see: Britain's 5G Policy Failure: No Ideal Alternative to Huawei).

On the other hand, the government has not been sitting still. Last week, the U.K. government's Department for Digital, Culture, Media and Sport, which oversees cybersecurity matters, said it plans to introduce a law to regulate consumer IoT products. DCMS says it wants the law to ban the supply of insecure IoT devices to British consumers. Approved devices must not have any default passwords, including for administrator interfaces. Vendors would also have to maintain a transparent way for vulnerabilities in devices and accompanying services to be reported, as well as clearly detail the minimum period of time in which they will release device security updates.

Ecosystem Complexity Challenges

GCHQ Director Jeremy Fleming delivers the 2021 Vincent Briscoe Lecture for the Institute for Security Science and Technology at Imperial College London, titled "A World of Possibilities: Leading the Way in Cyber and Technology."

The trouble with technology is that it's constantly changing, tough to understand and often can be used for bad as well as good purposes. "It’s this complexity of a sprawling ecosystem - every positive has a possible opposite - that makes the digital world so difficult to manage and secure," Fleming said in his speech, for which he made a rare public appearance (see: Cybersecurity Drives Intelligence Agencies in From the Cold).

Examples he cited include:

  • Online communities: Tools designed to connect people can be poisoned "to instead create discord" and "to fuel division, exploit vulnerable people and peddle extreme views," he said.
  • Smart cities: These are predicated on knowing everything about the devices in communities but nothing about the users. Of course, they could be deployed in ways that do violate users' privacy.
  • Digital currencies: Future digital coins could be rolled out to monitor precisely who spends what and when. "Designed without liberal values, they could be used to enable significant intrusions into the lives of citizens and companies in those countries and those they do business with globally," he said.
  • International standards and laws: Will new technologies and standards ensure that people's privacy rights remain intact? "States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future," he said. "The effect is to turn technology markets into new areas of geopolitical competition and the development of and access to technology into statecraft tools."

Also challenging: trying to regulate the industries that emerging technology touches, investigating crimes that get committed with this tech and securing the supply chains involved.

"So think about emerging technologies like quantum computing - about vendors and systems that aren’t always interoperable. Think about all the interacting with legacy systems that cannot easily be replaced, about highly regulated industries like telecoms and energy coming together with highly unregulated industries like the internet and smart cities," Fleming said.

Nation-State Threats

Naming names, Fleming said that while Russia poses a threat, China poses the biggest existential risk to Western values, in part because it is such an early adopter, developer and pursuer of the latest technologies.

Fleming offered an operating system analogy: "The threat posed by Russia’s activity is like finding a vulnerability on a specific app on your phone - it’s potentially serious, but you can probably use an alternative," he said. "However, the concern is that China’s size and technological weight means that it has the potential to control the global operating system."

Policymakers' Imperative

Fleming noted that just as the world faces an intensifying "climate emergency," in the digital realm, "we face another existential threat to our way of life as the old order is replaced by players who don’t share our values or follow the rules."

Accordingly, he says policymakers must devote themselves to constantly grappling with the implications of new technologies. Where appropriate, they must develop not just new sectors and technologies, but also band together with allies to collaborate on strategic "moonshot" programs.

The underlying imperative might be best summarized not as, "Move fast and break things," but with a more British-sounding approach: Move quickly and with a broad, well-funded remit. "To stay relevant, the U.K. and like-minded allies are recognizing that the landscape is shifting and that there is a pressing need to act," Fleming said.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
