Here, Jeremy Fleming writes about the unparalleled opportunities and challenges we face as the world becomes ever more digitally connected. With the globalisation of technology, Fleming explains how GCHQ will continue to work with businesses, technology companies, academia and privacy groups alike to protect the public from real-world and online harm.
We have entered a new technological age, one that will fundamentally change the way in which we live, work and interact with each other. This new digital landscape will undoubtedly transform lives and economies as data analysis, Artificial intelligence, 5G, the Internet of Things, quantum computing and many other technologies still being developed permeate all areas of human endeavour.
These changes will bring huge benefits to us all. They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer. They also bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.
Making sure the balance is right requires new partnerships and different ways of working at a global level.
The key to securing the benefits of this new age lies in the way in which we secure personal information and new technologies from those seeking to do us harm. In the past, we have often seen security bolted on to technology as new risks emerge. For an environment where the cycle of development to deployment is accelerating, and where our dependence on overseas technologies is increasing, this approach no longer works.
New systems – and, indeed, their supply chains – need security built into the earliest stages of design if we’re to protect liberties, ensure public confidence and counter threats to internet freedom.
GCHQ has always played a prominent role in this space. Now, it’s the mission of the National Cyber Security Centre (NCSC) – part of GCHQ – to make the UK the safest place in which to live and do business online.
This is an enormous challenge, but less than two years after its formation we can already see how its leadership role is making a difference to the cyber health of the nation. Since the NCSC’s inception, we have been critical in responding to and reducing the harm from more than 1,000 cyber attacks perpetrated against the UK.
It’s also increasingly clear that, as the world becomes ever-more networked, we need to work even harder with businesses, technology companies, academia and privacy groups to protect the public from both real-world and online harm.
We need honest, mature conversations about the impact that new technologies could have on society. This needs to happen while systems are being developed, not afterwards. In doing so, we must ensure that we protect our right to privacy and maximise the tremendous upsides inherent in the digital revolution.
This isn’t easy. However, I can see it taking shape in some key areas. There’s already an important public debate about the exceptional circumstances when law enforcement and the intelligence services should access encrypted communications – something we know has potential technical solutions in most cases.
Principles within reach
We believe some principles allowing industry and Governments to demonstrate responsible access that protects privacy are within reach.
These do not require unfettered access for Governments through so-called “back door” or global “skeleton key” schemes. They do require public debate and close, open co-operation and agreement with technology companies. When these solutions exist, they also require modern legislation and strong oversight to maintain public confidence.
We now have that in the UK where the Investigatory Powers Act is world-leading in the oversight of exceptional access requests, with legal authorisations jointly signed by a Secretary of State and an independent Judge.
For this kind of approach to succeed, we must work more closely with partners. Not just those here in the UK, but also across Europe and the globe. We – and our allies – all face the same challenges.
The globalisation of technology is here and we need to learn to deal with it. Critical technologies – for example, in 5G – are increasingly likely to come from China. The British Government recently published its national security and investment White Paper on foreign direct investment into the UK and we’re looking at how we can better manage supply to our Critical National Infrastructure (CNI).
We must ensure that processes represent industry Best Practice so as to avoid real risk to the UK’s CNI. We need to consider early, robust and fair solutions to the global challenge of balancing investment, trade and security.
Just as our adversaries are not constrained by international boundaries, so too we must make sure that our legislative and technology arrangements are able to keep pace. The ability for countries such as the UK with strong privacy protection to request a user’s data held by US communication companies on serious criminal and terrorism grounds – the Cloud Act – is an excellent example of what’s possible.
This is just one step towards agile security. As a nation, there’s still much work to be done to respond to the challenges to come. Stepping up to that responsibility, GCHQ will continue to build on our world-class understanding of technology to inform Government policy and protect the UK. We will continue to harness the nation’s full diversity of thought and talent and demonstrate the kind of ingenuity that has defined GCHQ and its constituent people for almost 100 years.
By working with partners both here and abroad, we can be prepared for the unparalleled opportunities that the new data-driven world will bring.
Jeremy Fleming is Director of GCHQ
*This article was originally published in The Sunday Times (12 August 2018) and on the GCHQ website (on the same date)