Whispering Simultaneous Interpretation Study Group community: IISS Fullerton Lecture: Jeremy Fleming on cyber power

Thank you for that warm welcome… it’s great to be here. Firstly, I’d like to thank the International Institute for Strategic Studies for inviting me and giving me the opportunity to speak about Cyber Power. It’s a topic that I know needs wider discussion. And it’s great to see IISS once again breaking new ground. In particular, I’d like to thank John and the wider IISS-Asia team for the wonderful work they do with this speaker series. They always pull together a strong and influential audience, and it’s clear to me they are doing great work promoting geopolitical debate in the South East Asian region. I’d also like to thank the team here at the Fullerton Hotel for all they have done to ensure we have such a productive conference.

It’s great to be here in Singapore. I enjoy visiting this amazingly vibrant and successful City, its palpable optimism for the future and the impact it has (156w/m) far beyond its shores. I love the way it blends the old and new, the juxtaposition between the state of the art GPO of the 19th Century and the subject today is not lost on me. I echo what Jeremy Hunt, our Foreign Secretary, said in January about the similarities between our two countries - we’re joined at the hip not just by common interests and our shared dedication to the rule of law but by our shared history that has connected our two peoples together for 200 years. And that sense of shared history and common endeavour that is just as relevant for the other Nations present here today. Indeed, I would argue that as we enter the Fourth Industrial Revolution, as we think about how we will continue to prosper as Nations, whilst protecting the rights and lives of our citizens, it has never been more important.

Which brings me to the point of this speech and of this event. And that is the concept of Cyber Power. What does it mean? What does a country need to have at its disposal to be a Cyber Power? How should it exercise that power?
What rules, regulations and ethics are needed to exercise power responsibly? We’re all contending with these questions. Our nations are breaking new ground as we develop cyber capabilities, grapple with cyber security and start to think about the skills and the rules we need for the cyber age.

So, how can we move forward together? My proposition is that we need to converge on agreed definitions, on regulatory frameworks, industry standards and norms of ethical behaviour. Frankly – we need a new lexicon. One that isn’t based on the overly military language of past power frameworks, but a language that clearly refreshes and restates for the cyber age the underlying principles that have served our democracies so well for hundreds of years.

We have a way to go. Take the language we use to describe cyber security or cyber activities: malware, ransomware, BotNet, and Distributed Denial of Service to name some of the more incomprehensible terms in use. Then look at the questions we ask about how we measure up to those who would do us harm: how big is their force…? How much do they spend…? How many hackers do they have …? This sort of framing has been around for decades. It worked for an environment where power was seen, partly or wholly, through a military lens. An environment where numbers or scale were what mattered. But in the cyber world, the size of force doesn’t equal potency. Deterrence isn’t absolute. And cyber attacks are often disruptive or financially motivated, rather than destructive.

It’s a cyber world that is changing at an incredible rate, making the world more interconnected than ever before. It’s driving extraordinary opportunity, innovation and progress. But it’s also unleashing unprecedented complexity, uncertainty, instability and risk. I suspect that many of my predecessors as Director of GCHQ will have said or felt something similar. We’ve contended with changing technologies throughout our one-hundred year history.
But there’s definitely something unique about the combination of uncertain doctrine, hyper technology change and a new form of ungoverned security space that is making this peculiarly challenging. And it’s this uniqueness that makes it difficult to keep up, or crucially to explain these changes to our citizens.

I believe we need a better framework for this conversation. One that provides reference points for the debate about Cyber Power, and one that recognises that the concept goes way beyond technology and the internet. I’ve given this much thought. The UK – indeed, all of us – need to better understand the challenges and opportunities we face and how best to shape the debate with our partners, allies, and even our adversaries, around the world. In short, we need to pioneer a new form of security for the cyber age.

I think we can all recognise the basic definitions of power: it’s the ability to direct or influence the behaviour of others. Power comes in many hues: ‘soft power’ is exercised by those who may set an example, project thought leadership, or encourage adherence to a particular set of legal or ethical boundaries. Whilst hard power comes from economic, military or technological might. Taking this over into the Cyber domain is not straightforward, but there are clear parallels. And I think we can do better at setting out some core principles.

To me, a Nation is a Cyber power if it is able to direct or influence the behaviour of others in Cyber space. And it can do this in three main ways: One, it has to be world class in safeguarding the cyber health of its citizens, businesses and institutions – it must protect the digital homeland. Two, it has to have the legal, ethical and regulatory regimes to foster public trust – without which we do not have a licence to operate in cyber space.
And three, when the security of its citizens is threatened it has to have the ability – in extremis and in accordance with international law – to project cyber power to disrupt, deny or degrade. I’d like to explore each of these elements in turn.

Starting with cyber security. Those of us who work in Government, and especially those who have worked in national security roles, know that the first responsibility of any Government is to protect its citizens. In the twenty-first century this relates to the digital homeland as well as the physical one. To enable this protection we have to put in place measures designed to make individuals and institutions harder to attack. We focused on responding to cyber incidents to reduce harm and increase confidence and we developed new partnerships with industry and academia to share knowledge, remove basic threats and influence behaviour. We have also grown our key partnerships at home, across the 5EYES, in Europe, and of course here in South East Asia.

In the UK, this sense of a Team Cyber is spreading way beyond the normal national security community with GCHQ’s National Cyber Security Centre leading our response. Law enforcement colleagues are lining up with intelligence partners, industry and academia. We’re reaching down into schools, hiring communications specialists to get the messages to stick and working with venture capitalists and start-ups to foster technologies for the next generation.

We’ve also worked hard to take a genuinely strategic approach. It’s easy to get stuck in the maelstrom of today’s attacks. But I think we need to get better at designing in cyber security from the start. In particular, we are trying to make the internet automatically safer for people to use, so they don’t have to make daily judgements on whether every email or website they come into contact with can be trusted.
This is especially important given the way that criminals are increasingly operating, sometimes with the support – active or passive – of malign states. This complex environment was a big driver behind the National Cyber Security Centre’s active or automated cyber defence programme. This aims to protect most of our citizens from most of the harm…for most of the time.

We’ve already set out some impressive early results of this work. Protecting 1.3 million Government internet users automatically by blocking access to bad sites we know about, this stopped 54 million malicious connections last year alone. We have an anti-spoofing mechanism which has greatly reduced the spoofing of UK Government brands. Our automated takedown service, run by a private company, has more than halved the UK’s share of global phishing.

This is really exciting innovation. It helps make the UK a harder target. It takes away some of the impossible decisions we ask our citizens to make that affect our security. It doesn’t mean we’re impregnable. It just means we’re harder to attack. But there is so much more to do to fix an Internet that was not designed with security in mind. With big, structural security problems like identity spoofing and malicious hosting still to be tackled.

My job in this space, as Director of GCHQ, is twofold. First, it’s to help get these innovations implemented at a scale that makes a truly, nationally, and potentially internationally, transformative difference. We have a set of services that we’ve tried out on our own Government, on our own terms. But what happens when the big communications service providers start to introduce our blocking techniques at scale? What happens when retailers take up some of the security indicators we’ve been developing and use them to promote safety and security? When large corporates really get on board with anti-spoofing? What we hope is that we start to build a truly whole-of-nation, world class, cyber defence system.
One that works at the citizen level.

My second job is to create the time and space for the elite cyber talent we have working on this area to develop the next set of transformative ideas. Things like: how do we authenticate emails in a way that people might actually be able to understand? How do we break free of the limitations of password-based user security? How do we make hardware harder to interfere with? How do we allow networks to connect freely but in a way that an infection of one is not an infection of all?

In GCHQ I’m fond of saying that with the right mix of minds anything is possible. And we have some ingenious people working on these challenges. I know they’re equal to the task. They will find new ways of dealing with the emergence of new technology. But they’re doing this work in a pretty charged environment and we – I – need to find them the space to get on with real, practical solutions.

Obviously, the most charged part of the current global technology debate relates to 5G and, in particular, the role of Huawei. Before going further, let’s remember: 5G is going to be one of the most important and impactful technologies of this or any era. It’ll massively enhance how we use the internet, be a catalyst for technological change, and over time will change the way we think about how our data is being used. It’ll also make us more interwoven and dependent on the internet. It’s not a cliff-edge transition, and it will not entirely change how we think about security. Navigating this exciting, transformative technology is going to be difficult and it will be different in each country.

Let me talk about the UK’s approach. 5G is complicated and understanding the complexity and nuance is essential. The NCSC, as part of GCHQ, is the national technical authority for cyber security. It’s our job to bring objective, evidence-based and technically authoritative advice to the policy table. Last week the NCSC set out how we are approaching these issues.
The most important aspect of that intervention was in defining three pre-conditions for securing 5G networks.

First, we must have stronger cyber security practices across the telecommunications sector. The market is configured in a way that does not incentivise good cyber security. That has to change.

Second, telecoms networks must be more resilient. Vulnerabilities can and will be exploited. But networks should be designed in a way that cauterises the damage. So we must do that.

Third, there must be sustainable diversity in the supplier market. A market consolidated to such an extent that there are only a tiny number of viable options will not make for good cyber security. That’s regardless of whether those options are Western, Chinese, or from somewhere else. Experience shows that any company in an excessively dominant market position will not be incentivised to take cyber security seriously. So we need a diversified market, competing on quality and security, as well as price.

These three conditions are objective, technical, and evidence based. I’m determined they are not lost in the speculation of recent months. As we made clear last week: the UK has not made a decision about 5G. There is an ongoing review led by the Digital Department and its Secretary of State which will conclude its analysis in the spring. Only when that’s complete will the government make a decision about the supply chain balance.

GCHQ is at the heart of that work. We already have a role managing Huawei’s presence in our existing networks. We think this is probably the toughest oversight regime for that company in the world. It’s revealed significant problems with their cyber security practices…which have caused them to commit to a multi-million pound remedial programme. And as I’m sure you will have seen, we’ve been crystal clear that we will not compromise on the improvements we expect.
But…and it’s an important but…5G security is about more than just Huawei…that’s what the three pre-conditions for 5G security are all about.

The final thing I’ll say here is that the strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company…it’s a first order strategic challenge for us all. Part of being a Cyber Power is facing up to that challenge and those posed by technology more broadly. We have to understand the opportunities and threats from China’s technological offer. We have to understand the global nature of supply chains and service provision irrespective of the flag of the supplier. We have to take a clear view on the implications of China’s technological acquisition strategy in the West. And help our Governments decide which parts of this expansion can be embraced, which need risk management, and which will always need a sovereign, or allied, solution.

It’s a hugely complex strategic challenge which will span the next few decades…probably my whole professional career. How we deal with it will be crucial for prosperity and security way beyond 5G contracts. And to my mind, it shows just how significant cyber security is becoming to a nation’s cyber power.

My second basic tenet of cyber power governs the way in which a Nation behaves and the frameworks within which it operates. We know that statutory and regulatory regimes around cyber space are not yet mature. Case law is still developing in all of our jurisdictions. Some of the behaviour we’ve seen from certain states or criminals is clearly wrong in any circumstance. An attack on a hospital’s IT, or on a country’s electoral system will always require sanction. But in many cases, there are no clear norms or behaviours. And in some cases, there is a clear divergence in view between blocs of Nations about how to develop these norms for the future. There’s a lot at stake here.
Without a commonly agreed set of principles, it’s much harder to reach agreement on common standards, to exchange and trust data, to prosecute poor behaviours and to create a commonly agreed doctrine of deterrence. And the situation is diverging, not converging as the internet fragments and the half of the World not yet on the internet gains access to mobile computing.

Unchecked, we’re heading for an even less governed space where rights and wrongs are not automatically recognised and where acceptable behaviours are not a given. We’re certainly heading for a situation where it’s harder for States to underpin or guarantee the trust their citizens expect in their dealings online.

In my view, dealing with this uncertainty means building on the approaches we’ve developed over centuries in international law. Put simply, if something is unacceptable in the real world, it must be unacceptable online. But as cyber capability becomes more advanced and more widely used, we have to ensure that domestic and international law keeps pace.
