This week saw a landmark public meeting of the alliance between the cyber intelligence services of the UK, US, Canada, Australia, and New Zealand. PublicTechnology listened in to find out more
Credit: Andrew Milligan/PA Wire/PA Images
If you spend too much time in certain poorly illuminated corners of the internet, you will find a fair few people who characterise the Five Eyes intelligence alliance as a front for a shadowy cabal committed to spying on citizens, no doubt while spreading chemtrails and pulling the strings of the New World Order.
Not the kind of organisation you would expect to see chatting happily on stage at a conference centre in Glasgow, as representatives of all five of the Five Eyes did at the CyberUK conference taking place this week.
In fairness to online conspiracy theorists, such public appearances are rare. Indeed, the UK National Cyber Security Centre, which organises the annual event, claimed this was the first time representatives of all five member nations – the UK, the US, Australia, Canada, and New Zealand – have appeared publicly together in the UK.
That they have done so at an event dedicated to cyber speaks to the fact that, for the 20 security and intelligence agencies that form Five Eyes, perhaps the biggest threat they face comes malware – rather than moles.
The discussion (pictured above) threw up included a number of insights into the threats faced by the cyber professionals, and how these challenges are being met by the alliance – both collectively and through its individual members.
Here’s five things we learned from the Five Eyes.
The two Es are cyber priorities
“Our two priorities now are electricity and elections,” says Scott MacLeod (pictured above, on the left), an assistant director general at the Australian Signals Directorate.
The first of these speaks a common and long-standing fear of any government cyber professional – an attack on critical national infrastructure. Such assaults are considered to be the most severe; the UK is yet to suffer what the NCSC classes as a ‘category one’ incident.
The cyberthreat posed to our democratic processes is perhaps less well publicised. But it has been a major focus for the Australian intelligence agency this year. Last month saw state elections in New South Wales – which is home to a third of Australia’s population – while next month brings national federal elections.
MacLeod and his team are at the ready.
“The government has established a task force that looks at all the different areas of cybersecurity,” he says.
‘Patching is remarkably effective’
A recurrent theme across CyberUK has been the necessity of getting the basics right – and the depressing frequency with which successful breaches can be chalked up to people failing to do so.
Even for the most senior government cybersecurity officials, it seems, a large part of their job – and a major challenge – is not coming up with sophisticated defences to stave off new threats, but simply making sure that public servants, citizens, and businesses undertake simple, everyday measures.
Or, as Scott Jones (pictured above, second from left), head of the Canadian Centre for Cyber Security puts it: “Patching is remarkably effective. Let’s start to work on some the essentials first, then let’s start working on the all-new cyber laser that that’s going to shoot down malicious packets.”
More information needs to be declassified
Intelligence work involves dealing with a lot of classified information. Five Eyes exists, in part, to make it easier for agencies to share across borders the kind of intel that normally requires high-level security clearance.
“I can give [the NCSC] some information at the classified level very fast and very easily,” says Rob Joyce, senior cyber security advisor at the US National Security Agency.
In the cyber space – where commercial firms play a key role in detecting and combatting security threats – this information often needs to be shared even more widely, he adds. But the practices and protocols of the intelligence community can make this difficult, according to Joyce (pictured above, on the right).
“We are working on getting information down to being unclassified – and actionable,” he says. “We have changed our risk paradigms… exquisite information that cannot be used is worthless.”
Attribution is a big deal
Naming and shaming transgressors is seen as a deterrence tool for those seeking to mitigate or stamp out a wide range of offences.
Cyberattacks are no different and, in the last couple of years, authorities in the UK and around the world have attributed various assaults to hostile states. This includes both the US and UK pointing the finger at North Korea for the WannaCry attack, and the same allies teaming up last year to publicly “hold Russia to account” for a sustained cyber offensive on either side of the Atlantic.
But all of the Five Eyes representatives gathered on stage spoke of the gravity of publicly attributing attacks. Doing so only takes place after very careful investigation and consideration, and naming an attacker is always a decision for government as a whole – not just cyber professionals.
Jan Thornborough (pictured above in the middle), a unit manager at the National Cyber Security Centre of New Zealand, said: “In the last 12 months, we have attributed four attacks to a country. In each case, we took a lot of time to consider what it meant for [our] country.”
Cyber skills are out there
Another topic on which each of the Five Eyes five agreed is that the cyber sector faces a skills shortage. Each relayed details of initiatives they have undertaken in their countries to boost the cyber awareness of the populace, as well as growing recruitment of cyber specialists – with a particular focus on increasing diversity, and attracting more women and BAME candidates to the sector.
And, although growing and maintaining skills remains a challenge, Ciaran Martin (pictured above, second from right), chief executive of the UK NCSC, told attendees that he wishes to remain positive and pragmatic about increasing the talent available to the government cyber agency. This includes initiatives to recruit and work with more people outside London and the south, he says.
“I am passionate about the quantum of skills and the diversity of skills,” Martin adds. “And I am passionate [that we do] not despair about skills… there is a certain element sometimes that [suggests] that the skills situation is so bad, we cannot do anything. Well, give it a try! And, being a pragmatist, you have got to give it a try with the people you have got.”