GCHQ

Global upheaval shows cyber security isn’t good enough, says GCHQ director

Generational global upheaval has laid bare significant gaps in national cyber strategies, GCHQ chief Jeremy Fleming has said in a speech

Cyber security is failing to keep pace with generational global upheavals and is in need of significant investment and focus as a result, GCHQ director Jeremy Fleming has told an audience at Australia’s National Security College (NSC) at Australian National University (ANU) in Canberra.

Amid the impact of the continuing Covid-19 pandemic, Russia’s war in Ukraine and an increasingly confident and assertive China, Fleming said that gaps in national cyber security strategies were being painfully exposed as governments come to realise they have failed to understand the depth of global interconnectedness and dependence.

“Before 2020, who here would have realised that the global supply chain for face masks would be such a critical dependency? Or that a grounding of a container ship in the Suez would cause such chaos? Or even that semi-conductor availability would be so fragile it would affect everything from smartphone to washing machine availability?” he said.

“We’ve had to wake up to the reality of what that means for our economies and our security. And we’ve seen how vital technology is to stay connected, to keep our economies going and to change the way we work, even in the national security community.

“It’s also shown how vulnerable our nations are to cyber threats and how quickly our adversaries adapt to take advantage,” said Fleming.

In a wide-ranging speech, Fleming dwelled at length on the implications for cyber security of Russia’s invasion of Ukraine, noting significant commentary expressing surprise that Moscow has not deployed a major cyber attack during its depraved campaign.

“A lot of this misses the point; whilst some people look for cyber Pearl Harbours, it was never our understanding that a catastrophic cyber attack was central to Russia’s use of offensive cyber or to their military doctrine,” he said. “To think otherwise misjudges how cyber has an effect in military campaigns. That’s not to say we haven’t seen cyber in this conflict. We have – and lots of it.”

Read more about cyber security

Fleming said that the National Cyber Security Centre (NCSC), which ultimately falls under his remit as part of GCHQ, was seeing sustained intent from Russia to disrupt Ukrainian systems, and some spill over into neighbouring countries. There are also a growing number of indications that suggest Russian cyber actors are trying to find targets in countries that explicitly oppose the invasion.

“Just as we pay tribute to the Ukrainian military’s brave actions, we should pay tribute to Ukrainian cyber security, too,” he said. “We and other allies will continue to support them in shoring up their defences. And at home, we are doing all we can to ensure sure that businesses and government urgently follow through on plans to improve basic levels of cyber resilience. I know your ACSC is doing the same here in Australia.”

Fleming acknowledged that the picture when it comes to cyber is complicated by various threat groups pledging allegiance to, and attacking, both sides; by the impact of businesses distancing themselves from the Russian economy; and by technology suppliers stepping in to support Ukraine and counter Russian disinformation.

“It’s all making the space very complicated, and in some ways, way beyond the control of governments,” he said. “It’s another reminder of the interconnectedness of the world today. And as no single entity holds the whole solution, it highlights a need for global institutions effectively working in coalition.”

China’s growing assertiveness

Fleming also touched on China’s growing assertiveness on the global stage, saying Beijing is increasingly clear it wants to set the “rules of the road” on technology and cyber; the UK and other countries have already seen this desire begin to manifest through the various controversies surrounding the work of Huawei.

“Historically, technology development was largely driven and owned by the West,” he said. “Shared values among involved nations meant industry standards for emerging technologies tended to be global. Investment in technology brought status, wealth and security. Today, we are in a different era. We can see that significant technology leadership is moving East. It’s causing a conflict of interests. Of values. Where prosperity and security are at stake.

“[China] also has a competing vision for the future of cyber space and it is increasingly influential in the debate around international rules and standards,” said Fleming. “China’s bringing all elements of state power to control, influence design and dominate technology, if you like, the cyber and the fibre.

“If we don’t act – with our allies, with our partners and with the private sector – we will see undemocratic values as the default for vast swathes of future tech and the standards that govern it. There is no doubt that democratic nations are facing a moment of reckoning.”

Fleming called on democratic states to try to find new ways to collaborate and cooperate, drawing on existing alliances such as Nato, the Anglophone Five Eyes group, and ASEAN. He also stressed the importance of making the democratic “counter offer” to China more persuasive and coherent.

“Whatever we do, we must make sure that we stay true to our values, those that have made our systems and democracies so successful and will do so in the future, too,” said Fleming.

Read more on IT risk management