© Financial Times

This is an audio transcript of the Rachman Review podcast episode: Cyber power: a moment of reckoning

Roula Khalaf
Hello and welcome to the Rachman Review. I’m Roula Khalaf, editor of the Financial Times, and I’m standing in for Gideon Rachman this week because I have a very special guest, Sir Jeremy Fleming, director of Britain’s signals intelligence agency, GCHQ. Fleming was an art student who trained as an accountant and worked in the city before being drawn into the public sector. He applied for a job which was advertised as being in the Ministry of Defence, but was actually in the UK’s domestic intelligence agency, MI5. As our lives move from the physical world to the virtual domain, it is the role of cyber spies like Fleming to work against those seeking to hack into critical infrastructure, spread disinformation or steal intellectual property. Britain is also honing its offensive capabilities in cyber space. So how well-equipped is the UK to deal with these new and emerging threats? GCHQ, which is 102 years old this year, sits at the heart of the UK’s national security framework. As the UK’s top cyber security agency, it collects intelligence against national security threats. It also helps protect citizens and businesses from hackers. It is one of the only national signals intelligence organisations to have a global footprint of listening stations. I interviewed Fleming along with my colleague Helen Warrell, the FT’s former defence and security editor, at the London headquarters of the UK’s National Cyber Security Centre, GCHQ’s defensive arm. We spoke just as another of Britain’s spy chiefs, Richard Moore of MI6, gave his first ever public speech, setting out his concerns about the growing threat posed by China.

Audio clip of Richard Moore
The Chinese intelligence services are highly capable and continue to conduct large-scale espionage operations against the UK and our allies.

Roula Khalaf
This warning comes after the SolarWinds and Microsoft Exchange hacks in the US showed the vulnerability of Western networks to online espionage by both Russia and China. The coronavirus pandemic and the increase in remote working have also led to a surge in ransomware attacks, which are crippling companies and putting all our data at risk. And revelations about spyware made by Israel’s NSO Group and used by autocratic regimes to spy on activists, academics and journalists have increased concerns about the safety of our personal data.

Audio news clip
Apple is suing an Israeli spyware company known as the NSO Group. Lawsuit says the company broke US law by selling tools that can remotely hack into phones. Apple wants to block the company . . . 

Roula Khalaf
So I began by asking Fleming why the government is placing greater urgency now on building Britain’s cyber power capabilities.

Jeremy Fleming
We have been saying for some time that for nations to be influential and credible on the world stage, then of course they wield soft power through their culture and their alliances. They also need to have the potential to use hard power. But in the 21st century and in this decade, it’s increasingly obvious that nations also have to and want to wield cyber power. For us, that means being influential in technology and cyber space, being able to make sure that the UK is safe and prosperous given this cyber world. And so we need to be really thoughtful as a nation about how these various aspects of power come together. And those factors were set out recently by the government and strategy. And just in the next few weeks, we’ll have a new national cyber strategy, which brings those out even more clearly. But I’ve said in public that within that construct, we face a moment of reckoning. And that moment of reckoning is when we understand that some of the traditional levers of power that the West has enjoyed for a long time, particularly in and around technology, are moving East. And that’s because China has stolen a march. That’s because China is investing very heavily and overtly and covertly. And that’s because it is starting to exercise real influence in the way in which the rules of the road are going to operate in a technology and a digital context for the future. So we have to work out what our response is to all of that.

Roula Khalaf
Is the digital renminbi a specific concern for you in terms of giving influence to China beyond its borders, but also valuable data?

Jeremy Fleming
We think that there’s great opportunity from digital currencies. It, in many ways, democratises payment systems, it reduces some of the lack in the relationships in those sorts of spaces. It potentially enables easier trade. You know, there a whole range of opportunities that come from that. But wrongly implemented, it gives a hostile state the ability to surveil transactions. It gives them the ability to get under the applications, which have to be in place to support all of that. And it gives them the ability in one way or another to be able to exercise control over what is conducted on those issued currencies. So I guess my view is that if the Chinese digital renminbi is operating the way in which we can be assured about our values in the way it’s operated, then the rest of the world will be joining in with that. But if we can’t have that assurance, then I think we have to tread very carefully.

Roula Khalaf
How would you have that assurance? Do you see signs of what you’re describing as a more threatening use of the renminbi?

Jeremy Fleming
I don’t see those signs yet, but we know, for example, that 140 million individuals and businesses in China have already signed up to this. And we know even in the context of the forthcoming Olympic Games, that China is taking every opportunity to project their digital currency. And the hope is that foreign visitors will use it in the same way as domestic visitors. So I think there’s definitely work for us to do to better understand how that technology is being rolled out. But longer term, the issue has to be what sort of international regulatory standards do we want around digital currencies? And that means being really clear on the way in which they operate, the way in which they’ll safeguard personal information. And if you like, the regulatory frameworks that allow all of us to understand that it’s being used in the right way.

Helen Warrell
Has the UK started any dialogue with China about regulation of these digital currencies and have you sought any particular assurances so far?

Jeremy Fleming
The conversations around digital currency are happening right around the world at the moment, and it’s clear to me that there is quite a lot of confusion in the private sector about where cryptocurrencies start from, where digital currencies start. There’s a real thirst from those involved in digital currencies, be they cryptocurrencies or national currencies, to have a much better dialogue about regulation. I’m not seeing that pull yet from China, but I’m hopeful that there could be. Of course, in all of these areas when we’re talking about the rules of the road, we have to remember that the international systems which govern the way in which states interact are largely still defined by the years after the second world war. And we, I think as global nations and as Western democratic nations, need to decide what sort of framework we want for the future, that we can properly investigate, govern and develop the standards that are going to be fit for the digital world.

Roula Khalaf
Isn’t that the biggest challenge that leading global powers are facing right now? Because cyber space, AI weapons, there is the opacity of the world of conflict. It’s not something that you can either count or that you can properly surveil in many ways. How do you get to a new framework, new rules of the game?

Jeremy Fleming
If we take a very long view on this, then this isn’t a new situation, and we’ve had to respond to changes in technology and change the imbalances of global power and geopolitics and say over the long term, I think we should be confident that we can create a new set of norms and a new set of alliances. We should be very confident in the West that entrepreneurship, our ingenuity, our innovation and our values, are extremely relevant and can come out on top in this conversation. So I am not pessimistic about the way in which this will evolve. I think it’s there for the taking. But this is not something that I think we can rely on happening in a rather sort of glacial evolutionary way. I think that there is this lens of reckoning, and I think many countries around the world are recognising this. I mean, who’d have thought that ransomware would become a subject around the G7 table in Cornwall just this year? These sorts of issues are now on the top table. But one further thing on this, I think there’s a real danger, as in many aspects of national security work, that the conversation is defined by the threat. We have to maintain our fix on the opportunities here. And by that, I mean that the technologies that have been developed, and we can see it coming down the track, hold great promise for us, from a prosperity perspective, from a security perspective, from a community perspective.

Roula Khalaf
But it’s easy for these technologies to fall into the wrong hands. It’s not very complicated. We’re not talking about nuclear power here.

Jeremy Fleming
No, but it’s not easy for them to be promulgated globally. So I can see how that analogy works in some key use cases. But if we’re talking about which sorts of global trading platforms are gonna come out on top, then that’s not something that just gets handed over. You know, this is something that it has to be developed and developed consciously. So I think there is something for us to go after that. If we are serious about our position as a responsible democratic cyber power, I think the UK can play a really important role in that too.

Roula Khalaf
Do you think that there’s any justification for the criticism that is sometimes levelled at the US, UK, Israel, that this is a space that was opened up by actions such as Stuxnet and that it’s been in a way democratised, but that, you know, some countries bear more responsibilities than others in creating the opacity around cyber warfare?

Jeremy Fleming
That’s a very complicated question, and I think my broad answer is no (laughter). I mean, let me try and unpick some of that, try and unpick some of that (laughter). So let me try and unpick some of that. It is the case that cyber space is increasingly a place in which global competition, as well as global trade happens. And so the fact that those technologies have been democratised, I think, is to be welcomed. It’s made and underpinned the global economy to enable us to connect societies and communities right across the world. In fact, I mean, it’s hard to imagine how we would have coped with the pandemic of the last 18 months without those sorts of technology. So I think we have to applaud the way in which that has happened. But that said, it’s developed in a way that at least initially didn’t have security at its core. And so products including the internet in its very early days were not designed thinking that they might end up carrying the load that they are, and most certainly not developed with security in the way we currently think about it. And so it is the case that capabilities have been built on their vulnerabilities, and we’ve seen those who seek to contest us and go against our interests, exploit these vulnerabilities in ways which are against our interests and our values. So I think there’s a few conclusions to take from all of that. Firstly, we’re really good designing security from the start and that’s security for everyone. GCHQ is a poacher and a gamekeeper. We are charged with making the UK the safest place to live and do business online. So you know, our interests in the way in which we consider our capabilities always start from that premise. But of course, obviously we also collect intelligence and we do that based on the best legal framework I’ve seen anywhere in the world. So there’s a way in which we can make the system work in the future, even if in the past it’s been a bit imperfect.

Roula Khalaf
There was the “Snowden effect”, obviously, to needing to be more transparent and more out there and explaining what you do.

Jeremy Fleming
I think Snowden is in that narrative, but it certainly doesn’t define it. Instead it cost our country and other countries a lot of treasure and blood, and I still believe that he should be pursued through the courts. But that said, he came at a time when I think there was a need to update our narrative about what we’re doing and how we’re doing it. And so he fits in there, but it’s definitely not defined by Snowden and what’s happened in this last decade I think it’s something that we forget at our peril. The open debates that we’ve had in parliament about the sorts of things that we do, the judge-led work from here in the UK, Judge David Anderson, to help the public and parliament understand the sorts of operations that we mount and then the world-leading legislation that has resulted is a continuum here I think.

Roula Khalaf
Helen has written about the threat to smart city technology in the past, and I wanted to ask you whether you had seen proof that Chinese providers were supplying smart city technology in the UK?

Jeremy Fleming
So we’ve certainly seen evidence that Chinese companies are interested in supplying smart city technology here in the UK. I’m not yet aware of a project where all of the smart city technology has gone to a Chinese provider. We know there are over 40 in Europe as a whole that are provided by Chinese companies. And of course, you know, smart cities are a classic example of the sorts of technologies we’ve already been talking about here because on the one hand, properly implemented and with assurance over the technology, they offer great promise for the way in which we live our lives in the built environment. But of course, implemented in a way which doesn’t respect or anonymise personal data, then you can quickly see a situation where that technology enables an individual to be the subject rather than the experience of living in the environment. And of course, that’s the fear here. And it’s a broader fear in other contexts too because it’s clear that the competition for data is one of those big global competitions that we now face.

Helen Warrell
Richard Moore of MI6 has talked about this idea of data harvesting, which I think smart cities is a very good example of. Are there other particular technologies where you think the potential of data harvesting is there and is potentially a threat?

Jeremy Fleming
Modern life is increasingly dependent on the use of data. So we’re all creating data every day in how we work, how we shop, how we socialise, even how we travel. And of course, the accumulation of all of that data offers, again, great potential advantage. But in the wrong hands, it’s also deeply intrusive. So I think this is, this is again one of those things where I believe that the public debate about it is not as developed as it should be. And I think that we ought to be having a whole of society and a whole of government conversation about what we do want and don’t want in our data world.

Roula Khalaf
What are the questions that people should be asking?

Jeremy Fleming
I don’t think people should be naive about that data, and I think the whole, the whole society needs to be very conscious, if you like, about the deals that are being made with their data. And there are ways in which recent changes in legislation, some of them European, have made that much more transparent. But of course, that said, it’s not as transparent as it needs to be.

Roula Khalaf
Do you think businesses are taking the cyber threat seriously enough?

Jeremy Fleming
If you are a business in the UK in the last 18 months, then there’s a 50-50 chance that you suffered a ransomware attack. So half the businesses in the UK are thinking differently about cyber. If you’re an individual, then over the lockdown period I think there was an 85 per cent increase in the incidence of crime online. And so I think it is on people’s consciousness and increasingly it’s on businesses’ consciousness. And I think boards are increasingly recognising it as a board-level risk. Has it gone far enough? No. But for most of us, most of the time, these are pretty simple actions we can take to make ourselves much more secure and you’ll all be bored of us talking about basic cyber hygiene and changing your password and backing up and making you understand that your business understands where your critical data are. That is still so important. We should all be doing that, whether we’re individuals or businesses.

Roula Khalaf
I’m someone who does take care of her cyber hygiene, and yet I appear to have been hacked by NSO technology. So how do you protect against that and why is it that NSO hasn’t been banned, for example, in the UK? It has in other countries. How concerned are you about such a company?

Jeremy Fleming
So NSO is a company now sanctioned by the US for the way in which it has sold cyber operational capabilities.

Roula Khalaf
It’s because the technology was then used by their clients against activists and journalists.

Jeremy Fleming
And I’m sorry to hear that you were on the receiving end of that. Assuming that you’ve done all the things that you’ve been asked to do. You’ve kept your software up to date and you’ve been careful about the way in which you are connected to things which obviously pose a threat. And for most people and most people listening, then that would have been enough. And of course, there are though still some vulnerabilities out there that haven’t been discovered by those people who are providing the base operation systems upon which we all live our lives. And that vulnerability has been exploited. And the difference I think in this case is that those capabilities were then, you know, allegedly used by states who don’t share our values. And in systems where the rule of law and the oversight that we and other western liberal democratic countries enjoy, were just not there. So the strategic question is, what do we really think about proliferation of these sorts of capabilities? And I think it’s a really good question. And it plays to some of the things we were discussing a few minutes ago, which is the immaturity of the global debate about the rules of the road for the future.

Roula Khalaf
But why is, why is a company like NSO not sanctioned in the UK?

Jeremy Fleming
Well, we haven’t decided to sanction the NSO Group, but of course, that’s something that I’m sure the government will want to keep under close review. The way in which that capability has been deployed around the world is not something that we would ever be happy with in the UK system or would ever support. And I think we need to call out and have called out that that sort of use of the capability is completely beyond the pale. It’s not something that accords with our values or our systems. There are different ways of dealing with this. My personal view is that countries or companies that promulgate in an unconstrained way like that are damaging and should not be tolerated. And more than that, the systems within which they operate, it will become undermined if they’re not addressed. So I think it’s an important tenet for us.

Roula Khalaf
I want to talk to you about AI. You have talked in the past about the need for a responsible debate around the use of AI. Because AI is dynamic, those who use it may not realise how powerful it is. If it can be something in the environment that humans can’t see, for example, it may not act predictably. There’s a new book co-authored by Henry Kissinger and Eric Schmidt. I don’t know if you’ve had a chance to see it, but they ask how does one develop a strategy, offensive or defensive, for something that perceives aspects of the environment that humans may not perceive? What do you say to that? And we were talking earlier about rules of engagement on cyber. Surely we need rules of engagement and pretty quickly on AI weapons as well.

Jeremy Fleming
AI, of course, one of the most overused terms in the, in the technical lexicon at the moment.

Roula Khalaf
Yes.

Jeremy Fleming
And so we are in GCHQ, we try to be quite disciplined about how we describe these sorts of capabilities. Recognising that, of course, one of our predecessors in Alan Turing set out the original test for artificial intelligence. But for me, it’s helpful I think to discern between what is truly artificial intelligence, which is a way, way of the machines thinking the way that humans think, to capabilities which are increasingly being built on the sorts of data that we were talking about earlier that are enabling the production of rules-based algorithms, some of which can then learn lessons from the way in which they’re deployed and be reapplied for the data. So this is absolutely at the core of some of the thinking we’ve been trying to develop about responsible use. And GCHQ is trying to get ahead of this a bit. We’ve published the work of some collaborative study we did with think-tanks here in the UK and with artificial intelligence and its possible use in intelligence and national security work. So I haven’t read Eric and Henry Kissinger’s book yet, but I think the questions that they pose are properly up there at the top table now. I think it’s all of our fear that technology will be developed in a way which starts to undermine our confidence that the technology is really supporting our prosperity and security. And for me particularly, to undermine our values and the way in which we think about properly reflecting the country we’re here to serve.

Roula Khalaf
You may be familiar with the arguments of Stuart Russell, the AI expert. He talks about the inevitable endpoint for AI being the development of a market in autonomous weapons, which would become very cheap. And, you know, they’ll be very cheap weapons of mass destruction. Is that something that’s high on your list of concerns?

Jeremy Fleming
I don’t think it’s inevitable, but I do think that the way in which machine learning in particular and later aspects of artificial intelligence come into our lives, is gonna be a massive factor. In our economies, in the way in which society operates and is already, in some ways, they change the way in which militaries and our intelligence agencies work. So when we’ve had other capabilities like that which haven’t been unprecedented, that we have no experience of understanding, then we’ve ended up having proper global conversations and treaties around their use. And I fully expect that that’s where we’ll have to end up. You know, the doomsday scenario, the film-like image of, you know, out-of-control, AI-dominated weaponry, I think that’s a one-off.

Helen Warrell
You may be taking the conversation to a slightly more optimistic perspective (laughter). There’s been a lot of discussion about how biometrics and surveillance are changing traditional models of espionage and obviously things like travelling undercover is now much harder for your sister agencies like MI6. And I was wondering, does this mean that the role of GCHQ is changing as well?

Jeremy Fleming
Yeah, the role of GCHQ is changing very rapidly, probably one of the fastest times in our history. I mean, ultimately, now you’ve got thousands of technologists in GCHQ whose expertise can be brought to bear on a much broader problem set and can help shape policy for this digital and technical age in a way which aligns deeply with others and other sorts of policy expertise across government.

Helen Warrell
Just going back to what you said about how fast things are changing, the fact that we’re all living our lives online a lot more. Doesn’t that make things a lot easier for you to track and identify, obviously entirely within the law, what individuals are doing that may be of concern?

Jeremy Fleming
No it doesn’t. It doesn’t make it easier. And I’m glad that you qualified your question (laughter) because, you know, always within the law and we only do what is necessary and proportionate and is legal obviously. It presents a different environment for us within which we operate. But I have to say that the global technology industry, despite some of the issues that we’ve discussed already, is pretty good at security, and so it’s not a trivial thing. Even with those authorities to be able to understand what groups of individuals who seek to cause the UK harm, or our interests harm, are up to. You know, it’s still a deeply sophisticated and technical job.

Roula Khalaf
Who are the most sophisticated players in the space other than the Chinese and the Russians and are you seeing any new players coming onto the space from an offensive perspective?

Jeremy Fleming
The most prominent countries are the four that I’ve talked about publicly and obviously talked about publicly. And so Russia and China are top of the league. And then, of course, we see Iran and North Korea playing in the cyber space and continue to see all four of those actors in various ways. But of course, it’s no longer just the preserve of a state. And so the extent to which cyber capabilities are now within reach of criminals and serious organised crime groups, some of them themselves closely aligned to states in Russia in particular, means that we have to as a nation in a way, be a bit actor agnostic. And of course you don’t, you don’t require great sophistication to be able to mount a cyber crime and to cause harm.

Roula Khalaf
We’ve written about the National Cyber Force, which is using offensive cyber capabilities. Can you tell us more about how these would be deployed and whether they’ve been targeted at ransomware gangs, for example?

Jeremy Fleming
National Cyber Force is a partnership between intelligence and defence. GCHQ and MoD are the biggest partners. SIS and other government agencies are involved in that effort. And it is already doing a good job, some of which I’ve been able to talk about publicly. So I’ve talked about Islamic State, and that is as far as we will go at the moment. The point about whole of cyber in the UK is that it builds out from our defensive posture. Then it only works if it’s within a context where we’ve and the government has invested very heavily in our cyber security. And so cyber actions and reactions are not just constrained to that space.

Roula Khalaf
You mean, it’s in the tool box? It’s part of a toolbox?

Jeremy Fleming
In the 21st century, then it’s a really important part of our cyber power. It’s how states compete. It becomes a part of statecraft because it’s, it is about influencing. It’s about shaping as much as it’s about, you know, the more destructive end of the envelope. And indeed, I think if we’ve learnt one thing about cyber power over the last two decades that an exquisite red button for cyber capabilities really doesn’t exist. You know, you use cyber capabilities to contest and compete. So it’s a much more continuous, what the Americans call persistent engagement model.

[MUSIC PLAYING] 

Roula Khalaf
That was Jeremy Fleming, director of GCHQ, ending this edition of the Rachman Review. Thanks for joining me. Gideon will be back as usual next week.

This transcript has been automatically generated. If by any chance there is an error please send the details for a correction to: typo@ft.com. We will do our best to make the amendment as soon as possible.

Copyright The Financial Times Limited 2024. All rights reserved.