Sir David Pepper: “Phorm? I don’t recognise the story.”

On 19 March 2012, I was lucky enough to attend the BCS/RSI Annual Lecture 2012 “Intelligence and Security in the Cyber Age”, given by Sir David Pepper… former director of the British Intelligence agency GCHQ (from 2003 to 2008, spanning the dates of the covert ‘stealth trials’ conducted by BT/Phorm).

I managed to ask some questions at the end concerning the BT/Phorm affair, the answers I received were astounding.

These are my notes from the event.

His presentation was divided into two parts:

  • Gathering Intelligence
  • Cybersecurity

Gathering Intelligence

Sir David highlighted some of the methods used by spies prior to the advent of the internet; the recruitment of spies, use of oral information, stolen documents, dead letter drops, VHF radios, and satellites. He discussed the gathering of SIGINT (signals intelligence) by targeting telephones, fax messages, interception, over the horizon radar, listening devices in useful places, photography, infrared, satellites.

In the modern world, he said there is still a need for human sources, and satellites… but targets are often using the internet to communicate, and storing documents online. Smartphones have made the web ubiquitous. He considered that ease and convenience of communications has given rise to increased use of communications. Though he described the topic of encryption and cryptography as ‘too murky’ to discuss.

Sir David claimed that huge amounts of data accessible on the internet thus present a ‘succulent target at rest or in motion’.

He described communications as an opportunity to gather intelligence. He suggested that people are more indiscreet when they communicate… and asserted ‘the more senior they are the more indiscreet they are likely to be’.

He used the metaphor of the internet as a ‘much bigger haystack of information, but with many more needles in it’.

He said sophisticated techniques are being used to trawl information, and derive intelligence from the sum of parts. Collecting ‘footprints’ was seen as an important task; “a good deal can be found about agents by analysis of their footprints”.

He stated that terrorist organisations like Al Qaeda were not slow to use the web as a medium for covert action. Understanding and countering them was seen by him as an important task for the intelligence services.

Technologies like biometrics were an entirely new factor affecting false identities, and the ease of maintaining a false identity.

The ‘Google Effect’ had made an enormous amount of information available over the internet. Streetview had put satellite photography at the fingertips of the general public.

He said intelligence officers had to be careful not to classify publicly accessible information as ‘secret’, and are now expected to deliver information very fast (especially on the battlefield).

He saw a continuing need for intelligence to counter terrorism and bolster diplomacy, and claimed a transformation has taken place in the way the British intelligence services interoperate. GCHQ has evolved from a cold war design and structure based on stove pipe compartmentalisation and ‘need to know’, to greater sharing of techniques and information across the organisation.

The customers of the intelligence services apparently expect faster and more tailored solutions, leading to a transformation of culture, technology, and process in the intelligence services.

He claimed there is now a hitherto unknown high speed collaboration between agencies; saying it was ‘unlike anything I have seen in my career’.

Cybersecurity

He said there are obvious threats to National Security… almost all aspects of commerce, finance, utilities and national defence are reliant to some extent on the internet.

Hence he said there are potential threats to all aspects of society: ‘The threat is now real and seen as a ‘tier 1’ issue, and a problem which has been neglected for too long’.

He identified the threats as:

1. Cybercrime – financial theft, phishing, fraud costing tens of billions of dollars with the tools becoming commoditised in professional kits sold online.

2. Cyber espionage – no different in principle from conventional espionage… agents trying to get secrets from information online, with the chances of being caught much lower. Industrial espionage is much easier online; any company with a process online is vulnerable. The defence industry was suggested as a particularly attractive target for attack (with BAe highlighted as an example of a defence business falling victim). Attacks on utilities are even considered possible.

3. Cyber activists – people with political motives (with Anonymous and the penetration of Stratfor, Wikileaks cables, or Sony and Lulzsec cited as examples).

4. Cyber terrorism – currently considered a theoretical risk, though Al Qaeda are considered to be very competent and a medium term threat. He suggested that a hack attack on London might be considered an act of cyber terrorism.

5. Cyber warfare – actions of one state against another (examples including a denial of service attack on Estonia, or Russian attacks against Georgia, or the Stuxnet attack on Iran as the first example of a ‘weapon’ being used).

He said, ‘you might assume people had woken up to these threats’… but suggested ‘sadly you would be wrong’.

The reasons he gave for it ‘taking so long to achieve an awakening’ included:

  • the complexity of the technology and lack of senior engagement
  • the inability of the human brain to deal with threats; and the resulting need for crisis or attack before action

Consequently Sir David considered that the IT industry needs to ‘frame the problem not in terms of threat but risk’. He believes risk is easier to comprehend and respond to.

Personal Threats

He observed that at a personal level mitigating risks was not easy, particularly for some elderly internet users, leaving many vulnerable. The software and computer systems in their homes were designed ‘by geeks for geeks’.

Commercial Threats

For corporates, the financial industry especially, the risks of attack and denial of service were stated to be strategic risks that should be addressed at board level. He called it an ‘issue of organisational leadership’.

Staff need to be educated, he said. Security has to be achieved by changes in organisations.

The changes required were seen by Sir David as a key role for the IT community. He believes it is our role to translate risks into something comprehensible by our clients.

Sir David foresees more collective action between stakeholders; more collaboration against a shared threat. Companies are often reluctant to share information, but doing so could reduce the overall threat.

State Threats

He said states face financial losses due to theft and fraud. They face loss of confidence in internet services if the infrastructure is not trusted. And attacks on critical national infrastructure represent a national security risk.

There are risks to the national economy if the UK is not seen as a safe place to do business.

He said Governments can co-ordinate information sharing, and secure critical national infrastructure through regulation. Government can educate individuals in the need for security. Covert and secret activity can be used to counter pernicious threats. And cyber warfare tools can be used as defensive and offensive measures.

Conclusions

Sir David was keen to emphasise two key themes…

1. There has been a transformation of power brought about by the internet, with issues of trust and security. Organisations must realise their dependency on the internet has far reaching consequences.

2. The issue cannot be left to IT specialists; it is a challenge to leaders in IT and Government to address.

Awkward Questions

There was an opportunity to ask questions when he had finished speaking. I immediately raised my hand to ask:

“GCHQ provides intelligence, protects information and informs relevant UK policy to keep our society safe and successful in the Internet age”. In 2006, 2007, and 2008 … Russian/Greek/American/Turkish industrial espionage crooks conspired with BT Directors to monitor UK personal & commercial telecommunications on a nationwide scale, in what they described as “a covert stealth trial”. You were in charge of GCHQ in 2006, 2007, and 2008. How could this possibly happen on your watch? Why has no one been arrested? Why is no one in jail?

There was a pregnant pause. Sir David responded,

I don’t recognise the story

I was stunned. I countered,

You can’t be serious? Let me ask you a second question to see if it might remind you…

Kent Ertugrul has been described as a ‘spyware tsar’. He ran a business offering joyrides in Russian MIG aircraft and T-80 tanks, weapons training including RPGs, and even boasted he could “arrange submarines”. F-Secure described the Russian developed spyware Ertugrul distributed as the “most widespread malicious rootkits of 2005”. Ian Livingston – BT’s Chief Executive – conspired with Kent Ertugrul to engage in fraud, computer misuse, copyright theft, illegal interception, and covert nationwide industrial espionage. Why do you think we should trust Ian Livingston to hold the position of BT Chief Executive?

He responded again,

I don’t recognise the story. I have nothing to say.

After the meeting a number of delegates approached me; some were keen to assert that Sir David was a ‘policy man’ and might genuinely be clueless about the events of the BT/Phorm affair.

Personally, I doubt it. And if he was ignorant of Phorm, he was derelict in his duty.