Britain’s intelligence-gathering chief gives a unique insight into the threats his country, and the West, are facing.
18 November 2021
Sir Jeremy Fleming, Head of Britain’s GCHQ, or intelligence-gathering:
GCHQ has roots – 102 years now – as a spy agency, but if you look at the agency we are today then yes we collect intelligence so we are one of the few global intelligence agencies but we’re now public-facing. The National Cyber Security Centre is part of GCHQ’s mission and that public-facing responsibility to try and make the UK a really safe place to live and do business online means that we have to be different. We have to partner in different ways, we have to operate at different levels of classification, we have to engage the public, business and our international allies in different ways and that has been a complete sea change in how we see ourselves [to say] and organise everything from the numbers of us that are declared to be able to talk in public right through to the technologies we’re using to engage with the public and to reduce the threat. So it feels like a very different place than just four and a half years ago. Of course, agencies like ours are always driven by the threat and so as primarily a spook for most of my career then of course I’m interested in and I like talking about the threat and the changes to come, primarily because of the way in which the world is so dependent on technology now, but perhaps more importantly because of the way in which threats manifest themselves. And it is the case that in every area of life then you are much more aware of the way in which cyber plays out. Here in the UK the crime you’re most likely to suffer is a cyber-crime and we’re not set up to deal with that. If you’re in a boardroom then the risk that is very close to the top of your risk register, if not at the top of your risk register, is likely to be a cyber risk now.
And if you are thinking about international alliances and partnerships and you were thinking about where our future prosperity comes from then you’re going to be worried about the way in which those who seek to do us harm are shaping the world in their image, and so there’s a, if you like, a convergence of the threats, the technology and the way in which that affects all of our lives that means that we have to run really hard not just to keep up with all of that but to try and get ahead.
SK: The British defence secretary recently spoke about GCHQ’s new £5 billion digital warfare centre and noted that it’s going to be capable of launching offensive cyberattacks that very few nations can launch. This is such a timely issue right now particularly as countries look at being more aggressive and taking the offensive in cyber attacks as businesses look at trying to protect themselves and figuring out what role they have in protecting themselves and what role the government plays, and I think this is true around the world. How are you seeing this investment in particular impacting that mission, and are there lessons out of this that you think can be applied in other countries as well?
JF: The UK at a strategic level has an ambition to be a world leading responsible cyber power and we’ve chosen those words very carefully and if you’re interested about it you can look at the UK’s Integrated Review and really delve into that but in essence what we mean is that we want to be world class at defending our digital homeland with our allies and that’s the protective mission. We want to have a role in projecting western liberal democratic values and approaches to technology, we want to shape the rules of technology for tomorrow and ensure that they’re in our image rather than in another’s image, and the final leg of that that approach is that we need to have the ability to contest in cyberspace. So in your question then you, and I don’t completely recognise the quote but I will contest the language, so the UK is not building a cyber warfare centre, and there’s real danger I think in over militarising with due respect to all of my military colleagues on both sides of the pond that is real danger over militarising the cyber domain. Cyber is about prosperity and economic advantage primarily. It’s the place where we live our lives. But that said, there is a place for western democratic liberal nations in a properly authorised overseen foreseeable way to be able to contest cyberspace and in the UK we’ve been doing that for decades. That’s been part of GCHQ’s mission for decades and we need our policymakers and, in some aspects of the mission, our military leaders to be able to bring cyber capabilities into play. Now the announcement was about the development of our new headquarters for a partnership between intelligence primarily GCHQ, but also MI6, and defence and that’s going to be in the north of England just north of Manchester, in a place called Samlesbury. 
The money isn’t quite as eye watering as you said, but it is pretty close and we have an ambition to significantly increase our ability to contest cyberspace across the whole spectrum of national security work. Now that isn’t all disruptive there are elements which could be disruptive but there are lots of other elements of cyber operations of offensive cyber which are about shaping the landscape and I’ve talked about some of those in public most notably the way in which we worked with American partners mainly but also a range of other partners to denigrate and disrupt Daesh’s media operation on the battlefield in Syria and beyond.
SK: We’ve been talking a lot here about ransomware and the very real impact that ransomware has not only on businesses but as part of the greater economy on national security as well. It’s fair to say that contesting ransomware attacks in cyberspace has not been hugely successful. Everyone is trying to figure out how to deal with this more effectively. Are there things that you’ve learned there that you feel like may give you ideas on how this threat is evolving in the future and what better ways there might be to contest it. On the diplomatic side we’ve seen sanctions that haven’t been hugely effective other things we’re not considering?
JF: So the lessons we get from ransomware are firstly I think that the reason it is proliferating – we’ve seen twice as many attacks this year as last year in the UK – but the reason it is proliferating is because it works. It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested and as international players here is intelligence organisations and for those who are present here as well from law enforcement organisations, we’ve got to get our head around what this means and we have up until quite recently left a lot of this playing space to those criminal actors in effect to proliferate and to make a lot of money. But the second lesson is it’s not rocket science to defend against this sort of stuff. We know that if you do fairly basic cyber security, if you are really clear at an organisational level about things that you need to protect and if you are very diligent in implementing the guidance of your cyber security professionals and your technology partners then you’re going to protect yourselves or at least make you harder than competitors and therefore you won’t be as much of a target so you know there’s a sort of a general lesson, it’s a really boring lesson, we hack on about it a lot in the UK. Back up your data, make sure you’ve got your admin right, sorted out, make sure your passwords are properly protected, exercise all of this, work out where your thresholds are, have thought in advance how you would respond if you were approached for ransom, all those sorts of things, it’s just basic stuff.
Do that but beyond that then it’s clear that we have both got to design the technology better and that’s quite a strategic thing to do to make it less vulnerable but as an international partnership with like-minded allies we’ve got to make sure this pays less and you know, I can see in the policy debate on the US side and I see the policy debate here and you quite quickly get into the ways in which criminals profit, you quite quickly get into cryptocurrencies and how those are regulated and controlled and then there’s a bit of this, the pointy end of the spear, which is, well for those that you are finding hard to get to then you go after, and there’s been some really good examples there in the US side. And I’m pretty clear from an international law perspective and certainly from our domestic law perspective you can go after them but there’s a lot of things here that need to fall into place to make that happen and we’re quite a long way off really addressing the profit model which is making this just so easy for criminals to exploit at the moment.
SK: OK, let’s talk about China. China and Russia are the other two issues we’ve spent quite a bit of time focused on lately. What is the top priority for you right now given the threat that China poses in the cyber realm in particular?
JF: No-one on this call thinks that you can close your eyes and ears to the rise of China. China’s rise is a fact of life and it’s altering the geopolitics in the region and the world and so we all need to sit up and pay attention to that and I think policymakers, commentators, academia, media have all understood that now. In fact that’s one of the real takeaways from this period during the pandemic that’s format very much front and centre and of course we all hope for a world where we can safely coexist with a China that’s safe and prosperous and that we can trade with effectively and we can benefit from the trade side of the equation and so the upsides from the relationship I think we’ve probably all those nations the US as well as us here in Europe benefited from over the last several decades but the question is where does that go and of course we have entered a new era of really strong geopolitical competition where the threat feels much more real from China and China as an organising feature if you like of how we think about relationships and trade as well as security that’s definitely here to stay. Now when China oversteps the mark then the UK has been pretty quick to call them out and we’ve done that especially in the cyber domain actually over several years and our experience is not necessarily that it’s changed behaviour but it certainly is a dialogue that we need to have with China. But I prefer to shape the debate around where we’re going in the future. I think there are some genuine choices for us all as nations in how we approach the threat which is probably beyond any single one of our nations including the might of the US and in my particular domain I spend a lot of time thinking about what the implications are of a shift in tech to the east. Now that’s not all about China, it’s primarily about China, but it’s not all about China but the Indo-Pacific region.
I have talked in public about what I call a moment of reckoning and the moment of reckoning is, at least in the way that I think about it, when we have an opportunity to come together as like-minded western liberal nations to make sure that the technologies on which we all rely, encompass our values, are secured by design, have been subject to the standards and regulations that we approve of because we think that they do promote our prosperity and our values and if we don’t then we are entering a period where as one actually American leader said to me quite recently if you think that the changes we’ve seen from coronavirus are significant wait till you see the way in which machine learning and AI is going to affect our labour markets and I know we’re all thinking about this but those smart city projects that are all getting off stocks now those data centre and cable projects that we know are already down there or are about to be delivered the way in which data as a commodity has so come to the fore, if we don’t get our heads round all of those trends then it won’t be a western and largely in the past American Silicon Valley type model it’s going to be a very, very different model. And a final word on that you know none of us of course on this call are I think naive enough to think that there was ever a nirvana where this is all perfectly simple. There was probably a single Internet right at the point when Vint Cerf and Bob Kahn and others were designing it but pretty soon after that it was a proliferation of technologies and domains and approaches and we definitely have a complex a very complex set of internets and technologies today and so it’s not a straightforward task to bring order to that but I think we’ve got to try or at least work out where we most care.
SK: Yeah and I think you know you touched on AI which is obviously so important and we’re going to be talking even more about that during this conference but a former senior Pentagon official made some headlines recently I think by telling the Financial Times that China has already won the AI battle. It’s obviously a bit pessimistic and I wouldn’t expect you to share that view, but I would follow up with a question by saying you know some people do believe this. How do you feel about it and do you think there are some steps that should be taken by Western countries and those countries that share a certain set of values more quickly than things are perhaps developing right now?
JF: Yeah well I don’t subscribe to that, actually! But I think it’s a helpful device to get people to think about where you could get to. It’s very useful in reflecting on where we’ve come to think about if you like the stages of the threat we face and I think probably if I was to paraphrase some of the media commentary about the threat that was posed then quite a lot of that was situated in the ‘you need to safeguard your core secrets in your IP because it will be stolen’ and of course there’s some of that that’s gone on, historically it’s gone on and I’m sure it’s still going on today but of course we’re faced with a set of adversaries now that invested very heavily in their own research, have made major investments in skills, have procured capabilities in a perfectly legitimate way globally and have won the trade battle because the products have been pretty good and so when you’re thinking about where we need to go on AI then we’ve got to think about it with that sort of backdrop and China by more or less any measure is doing well in the development of AI capabilities. But so are some other countries and you know what we have to hang on to I think is that it is our, I keep saying this, but it is our western democratic liberal way of doing this which becomes a market differentiator, becomes a different offer and it becomes a different proposition if you like for our citizens but also those who might be persuaded to think about going to a different system.
So I think there’s a lot around all of this, just one final comment on this which is that we’ve been doing a lot of thinking here in GCHQ about this and we published some work we’ve been doing with a think tank on how we can use artificial intelligence in government work and particularly in intelligence work where of course our legacy of how we use data and how we approach privacy and security is in a way in a world way before artificial intelligence and machine learning and what we’re trying to say is that there is a way of doing this work which has our values and systems to the fore but which allows us to take advantage of those capabilities to safely keep the country safe, to connect up our citizens to make sure that we are working with our allies and there’s loads in that and I wish that there was a broader public debate about actually.
SK: Let’s just touch on two more things here before we let you go. One is, you brought up the importance of alliances we’ve talked about the Five Eyes, how important that has become and how technology is impacting that relationship. What can you tell us about that about how technology is impacting the work of the Five Eyes and then how the Five Eyes can turn around and share some of that information with other countries that aren’t included in that group?
JF: Well it’s a good question. Five Eyes [have been] bedrock of security for several generations and I’m extremely proud for it always to have featured in my career, 30 years in intelligence, and as I sit here in GCHQ the relationships we have with American partners and Australian, Canadian, New Zealand has never been more important and there’s life in the old alliance yet! But it’s never been an exclusive relationship so it’s never been a relationship where we’ve sat down and said now we’re going to do everything at Five, we can only do things at Five. It’s a relationship of like-minded nations who have mostly shared the same objectives not always but mostly shared the same objectives definitely have shared the same core values and have operated together bilaterally or severally or very occasionally at Five, I mean the recent history and our work on counter terrorism is sort of the exception rather than the rule because of the way in which that threat has manifested itself. And so if we look forward then of course we need to make sure that that alliance is bang up to date and that it is doing the things that we know we can do to safeguard each other’s countries and the good news for me is that it absolutely is. It is of course really interesting to us in the UK that we are the only non-Pacific nation. It doesn’t mean within the Five Eyes and it doesn’t mean that we don’t think that we are massively relevant to the way in which that region is playing out and indeed that region’s reach virtually and globally and digitally and from a technology perspective but you know that when you think about those partners and of course it’s massively relevant to the next stage. Technology has to a degree always been at its core and if you look at the history of GCHQ’s relationship with its American partners then it’s always been about technology.
So what we’ve got to make sure is that the next generation of technology is really relevant to the tasks we face and that means trying to [replacing threat relevance around all that]. The second bit of your question was what can we do to spread that and in the same way that Five Eyes has never been exclusive then none of us have been only faithful to Five Eyes we have this broad network of relationships whether it’s for us in Europe or in parts of the world where the UK has always had a presence or it’s for the US as you look to the Pacific and beyond or Australia as it looks up or Canada as it looks up, you can go through the entire list here and I think if there is a task for us to do it’s to make sure that when we stand back from that new lattice of relationships that it really looks like it’s fit for purpose for the next generation of threats that we face and that probably means some different types of tests and probably for the first time it means reaching into some of these resilience and cyber security issues which you’ve been [indistinct] today and Cipher Brief has spent a lot of time talking about.
SK: So alright, let’s get to, in closing here, let’s get your thoughts for the future. Where are the strengths that need to be built on immediately and where are the biggest challenges?
JF: So strengths…I do think that as the sorts of nations we are we should remain confident in our strengths, our way of life, our legal systems, the way in which we exercise our governance and our governments. So that sense of having a really strong offer out there I completely believe that still and I think that we’ve got to make sure that we are confident as we tell that story to the rest of the world. And there is a bit of a challenge around that actually because there are swing states all over the place who are perhaps wondering which way to look and we need to make sure that our offer is very clear and that’s obviously not primarily a security offer, it’s a prosperity offer, it’s a way of life offer, it’s a partnership and it’s a values offer, and it’s a security offer but it’s a package.
I’m very confident that we are credible in this space so I think the work that I’m seeing accelerating very strongly in the States around cyber security is really impressive. I think the work that we and a number of European partners have done puts us in a good position and our challenge now is to make sure that that really is leveraged – that we are keeping up, having invested so heavily in those sorts of areas, that we’re keeping up with that we’re thinking about where it should go next and for me that is in the strategic space. It’s around making sure we’re designing in technology from security into technology from the start it’s that we’re shaping the world and the standards world and the regulation world so that it is able better to implement our values. But in the shorter term we’ve got to sort out ransomware and that is no mean feat in itself. We have to be clear on the red lines and behaviours that we want to see, we’ve got to go after those links between criminal actors and state actors and impose costs where we see that, and beyond that I think we’ve got to make sure that we are doing all we can to de-simplify this and to take as much of it out of the hands of citizens as we can so that they can enjoy living in a safe and secure online world and when it happens of course that’ll make it more prosperous, too. So that range of channels around here I’m not gloomy about the threat environment and I think I should finish there. I don’t subscribe to the ‘it’s the worst it’s ever been the world’s going to end’ argument. What I do believe is that the pace of change and the extent to which technology and cyber is at the heart of it is unprecedented and we obviously have to make sure that we take account of that. Sorting that out isn’t anymore the preserve of spy agencies or niche security organisations it’s a genuine public, private and international partnership and getting that right is probably the single most important thing we could do.
SK: Sir Jeremy Fleming I want to thank you so much for taking the time to share thoughts with us.