Ciaran Martin's CyberSec speech in Brussels
By Ciaran Martin, CEO of the NCSC, speaking at CyberSec in Brussels
February 21, 2019
Think Global, Act Global: cyberspace and emerging technology
Thank you to Izabela Albrycht and her colleagues at CyberSec for hosting this excellent conference and for inviting me. CyberSec is an outstanding institution making a very positive contribution to global cyber security.
I'm very proud to represent the UK's National Cyber Security Centre, a part of GCHQ, our signals intelligence agency. It is a pleasure to be among friends discussing our shared aim of improving our digital environment.
Our commitment to working with partners here on the European continent is unshakeable. Whatever form the future relationship between the UK and the European Union takes beyond 29 March this year, the Prime Minister and her Cabinet have long made clear that our support to European security as a whole is unconditional.
More practically, within the cyber security sphere, it is objectively true that nearly all of the functions of the UK's National Cyber Security Centre fall outside the scope of EU competence. It follows that our enhanced cooperation with European partners, and the EU as a whole, in cyber security over recent years is not automatically affected by the UK's changing relationship with the EU. Pretty much everything we do now to help European partners, and what you do to help us, on cyber security can, should, and I am confident will continue beyond 29 March.
Over the past few years we have shared classified and other threat data with the vast majority of member states and with the institutions. We have also, we hope, played an important role in the development of European thinking in areas like standards and incident response. We hope we've helped through our work with CERT-EU on incidents and with ENISA and ETSI on standards.
As the next phase of the UK's relationship with the rest of Europe takes shape, we will want to take these partnerships further and to develop new ones. I am proud of the increasing frequency with which I see my European counterparts and the deepening friendships we have nurtured, the boundaries we are removing and the ground we are breaking. The protection of our shared values of freedom, democracy and prosperity, all underpinned by the rule of law, is what we strive for.
My theme today is about how we cooperate together in the age of globalised technology. Because whatever final form the UK's relationship with the EU takes, we need, together, to be at the forefront of global efforts to build an internet that remains not just free but safer too.
In this era of truly globalised technology, it is more important than ever that that effort is, truly, global. There are limitations to what even a continent of the size and wealth of Europe can do on its own in an age where the US and China dominate tech development.
I want to deal today with two structural challenges for the future of internet security. The first is about telecommunications infrastructure, now and in the future. The second is how we improve structural flaws in the wider internet environment.
In both areas, EU and non-EU European nations will need to act with others outside the continent to shape future technology and the security around it.
So first, let's talk about telecommunications infrastructure. The next generation of telecoms security is particularly important given the sorts of networks dependent on it: there will be large-scale use of autonomous vehicles, desktop experiences from the cloud, high-definition streaming, the underpinning of smart cities.
A hard-headed, risk-based approach to the policymakers taking decisions
Like many countries, including our Five Eyes partners, and partners here in Europe, the UK is looking at the right policy approach to 5G security. That policy process is being led by the Digital Department and its Secretary of State. It concludes its analysis in the spring. The government will then take decisions. As its public terms of reference make clear, it is a holistic review, taking account of economic, security, quality of service and other factors. It is considering a full range of policy options.
Everything is on the table. Contrary to some reporting no decisions have been taken and no decisions are being announced today.
The National Cyber Security Centre's role is to offer expert, objective, technologically literate input into the security considerations around 5G. That is consistent with the NCSC's wider mission to bring objective rigour to complex technical issues. And today I want to talk to you about the lessons we have learned.
And the first thing to say is that 5G is complicated.
It hugely accelerates the pace of technological change but there is no cliff edge transition.
It will change the way we think about risk because of what will, over time, depend on it. But it doesn't change immutable concepts of security or the laws of science.
And whilst key to the virtual world, it requires a huge amount of complex physical infrastructure. And how that physical infrastructure is configured varies from country to country, not least depending on the size of the country's landmass and its population.
And it is not a fresh start. It has to build on existing telecommunications infrastructure.
Understanding these complexities is essential. The National Cyber Security Centre is an open and transparent organisation. We have set out before our understanding of how telecommunications networks work and what is needed to secure them. And we will continue to publish objective, technically credible, clear-headed and rigorous analyses of cyber security requirements.
And we need to set out telecommunications security in the context of the threat picture. Again, here we are open and transparent about the threats we see and how they impact the UK.
Over the past two years, the UK government has, based on NCSC findings, attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran. There is also a serious and sustained threat from organised cyber crime.
These attacks have come against a range of targets spanning different sectors. Their aims have been different. The methods have been different. The supply chain, and where suppliers are from, is one issue but it is not the only issue. Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn't have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.
So we are not naïve. Far from it. In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out.
Three technical pre-conditions for telecommunications e-security
That's one example of our objective, evidence-based analysis of the threat. We take a similar objective, evidence-based approach to the technical security requirements for 5G. Taking threat and requirements together, this leads us to conclude that there are three technical pre-conditions for secure 5G networks.
First, we must have higher standards of cyber security across the entire telecommunications sector.
The biggest threat to our cyber security is weak cyber security.
Practices must be improved. That is the real lesson of the 1,200 cyber security incidents.
The market does not currently incentivise good cyber security.
That has to change.
The number one pre-condition for safe 5G is better cyber security.
Second, telecoms networks must be more resilient.
We must assume that a global supply chain will have multiple vulnerabilities, whether intentional or, more likely, unintentional. Networks are built by human beings and human beings make mistakes. No network can be totally safe.
From the point of view of managing corporate risk, or, in our case, national risk, it essentially doesnít matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited.
But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way, if you've built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you've built it the wrong way.
Resilience is key.
The third pre-condition flows from that. There must be sustainable diversity in the supplier market.
Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese, or from anywhere else. Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And at the same time that company could also become the prime target for attack for the globeís most potent cyber attackers.
These pre-conditions are technical. They are generic. They are about the technology and the architecture and the structure of our networks.
They are about creating the necessary conditions for a safe 5G network.
As already mentioned, like everywhere else, the UK is not starting from scratch. We have an existing telecommunications infrastructure. It is highly internationalised.
And we already have a framework for managing risk. Again, I stress that this is based on an objective understanding of how telecoms networks work. As our guidance to operators shows, we assume that every bit of kit in any network can fail. And so what's vital is that the failure of individual bits of kit, either because of a malfunction or because of an attack, will not cause catastrophic harm.
That's the framework we apply at national level. There are things we particularly care about. National security networks, most obviously. And for those, we apply special protections.
Huawei and standards of cyber security
One well-known specific aspect of our current mitigation framework is how we manage Huawei's presence in UK networks.
Huawei's presence is subject to detailed, formal oversight, led by the NCSC. Because of our 15 years of dealings with the company and ten years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company.
We also have strict controls for how Huawei is deployed. It is not in any sensitive networks, including those of the government. Its kit is part of a balanced supply chain with other suppliers.
Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei.
And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes.
As we said then, and repeat today, these problems are about standards of cyber security; they are not indicators of hostile activity by China.
The company have accepted these findings and have pledged to address them, acknowledging that this will be a process of some years.
We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case.
We will not compromise on the improvements we need to see from Huawei.
And, based on our hard-headed assessment of risk and our detailed knowledge of how networks work, we are putting in place our own plans for helping our operators to manage these risks.
So today I am setting out how the NCSC is looking to manage the risks now, for example those around Huawei, and how we could seek to manage the risks into the future. The UK community is united in this effort. As the head of MI6, Alex Younger, said in Munich last week, it's complicated. As the Director of GCHQ, my boss, Jeremy Fleming, has set out before and will do so again shortly, it is vital that the UK's stance is informed by the most rigorous assessment of threat, risk and technical requirements. GCHQ, of which the NCSC is part, is at the heart of that discussion.
It is the NCSC's job, working with partners in central government, the regulators and elsewhere, to make sure the UK can prosper securely in these complex market conditions through a hard-headed, technically informed assessment of the risk.
That will enable government to weigh up those vital decisions on things like suppliers from different countries.
5G is about much more than just cyber security.
Our job is to make sure that the government can be confident that behind whatever decision it takes, there will be a technical framework that works and a competent national technical authority that knows what it is doing.
Whatever decisions are taken will need to ensure that those three essential pre-conditions for cyber security that we have set out today can be met: stronger standards, more resilience and supplier diversity.
Indeed our experience with Huawei, if nothing else, demonstrates the importance of raising standards of performance in cyber security.
5G security is not a simple, binary choice. It is about complex technical functions, a complex global threat environment, and a complex global market. One thing is clear: the way that market works has to change. Security must be a bigger consideration in market decisions in the future than it has been to date. We will help fix that.
Active/automated cyber defence
And the push to improve standards in cyber security should be a global effort. So the more we can do with partners to deliver those, the better.
That brings me to the wider issue of how we cooperate to improve the global digital infrastructure more generally.
The internet was not built with security in mind. That's no one's fault. It wasn't malicious. It's just the way it happened. A model evolved over time where the price of entry for online services became the provision of personal data.
It's safe to say that the limitations of that model are becoming more apparent as time passes.
And they also leave us with structural security problems in the way the internet works.
At the National Cyber Security Centre we focus on the technical solutions that the market hasn't provided because of the way the internet environment has evolved.
We aim to make the internet automatically safer for people to use. It's not fair on busy individuals with complicated, rushed lives and other priorities if we expect them to make judgments every day about how trustworthy each of the hundreds or thousands of bits of communication they get every day is.
That is what is behind our active, or automated, cyber defence programme.
Its aim is to provide a framework to take away most of the harm from most of the people most of the time.
Here are some of the early results.
We have developed a system to use our vast quantity of threat data to block connections to malicious sites from government networks. We are now protecting 1.3 million government internet users. In 2018, we blocked 11,000 unique malicious domains every month. In the course of the year, we blocked 54 million malicious connections. That's 54 million incidents that automatically didn't happen.
We developed an anti-spoofing mechanism to protect government brands. In the first year, we helped our tax authority block half a billion attempts to spoof it. Half a billion fake emails that didn't land in people's inboxes.
We developed a system for automatically taking down known phishing sites. They used to be up for a day on average. Now it's about an hour. And the UK's share of global phishing that we can see has fallen from 5.3 per cent to 2.2 per cent in the past two and a half years.
None of them has required legislation, and none has been particularly contentious. They are technical improvements: targeted government interventions where commercial solutions can't work. They are low classification: we publish details for most of them. I cannot think of an area more ripe for international cooperation.
So whether it's future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.