GCHQ should split into separate defence and attack units, says expert

The UK's rhetoric about leading Europe in cyber security is just political posturing, says Professor Ross Anderson, and GCHQ will continue to hack and steal as much as it can

Government listening agency GCHQ should be split into separate attack and defence units, reporting to the Cabinet via different government ministers, according to a leading security expert.

This would allow the body responsible for defence to operate more openly, and would make other public and private organisations more likely to collaborate with it, according to Professor Ross Anderson, professor of security engineering at the computer laboratory, University of Cambridge.

"The problem is that the UK government has demonstrated repeatedly that it's not trustworthy," said Anderson. "The Snowden documents made it clear that the British State is more interested in exploiting stuff than protecting it. If you find a vulnerability in Windows, do you report it to Microsoft and protect 60 million Brits, or do you keep quiet and exploit a billion Chinese, a billion Indians and around 100 million Russians? From a GCHQ perspective it's a no brainer," he argued.

Anderson went on to discuss the large sums the UK government has said it poured into cyber defence in recent years, claiming that the majority was in fact set aside for attack.

"The last government talked about some big numbers budgeted for cyber security. Of the £600m originally given, the police got £5m to £10m, more than half went to GCHQ, and most of the rest went to the Ministry of Defence. This isn't cyber security as we understand it, but GCHQ chasing other people's stuff."

He argued that mirroring the German model, in which the government agencies responsible for cyber defence and cyber attack are separate bodies, would be an improvement.

"If I were a legislator I'd split GCHQ into offensive and defensive parts, reporting to Cabinet via different ministers. The defensive people can then basically work with clean hands and pure hearts on things like protecting smart grids. Britain has nothing like that currently. That means when it comes to, for example, security standards for autonomous vehicles, there is nothing in Britain or the rest of Europe that's relevant."

And because GCHQ is known to be focused on cyber attack, Anderson said it is unlikely to get help from outside organisations when attempting to define those standards, making it ultimately less likely to succeed in its defensive role.

"If GCHQ were to call [external organisations] and ask them to come round and show them their secrets, [the outside organisations would] find excuses. If you're a multinational company like GE or Mercedes, you don't want to deal with a stupid little organisation in some silly little country with three to four per cent of world GDP, when you know it's an offensive body."

Anderson continued: "For the UK to talk about its cyber security strategy is basically political posturing. GCHQ will continue to hack and steal as much as they can, and the rest of world just gets annoyed at us."

He cited the Belgacom hack, revealed in 2013 through the Snowden documents, in which GCHQ compromised one of Europe's most critical telecommunications firms, as an example of the agency tarnishing Britain's reputation abroad.

"Eventually there will be consequences. Looking at the Belgacom hack - half of our laws get made in Brussels, so wiretapping the parliament that sets those laws, and the commission that supports it was a crazy thing to do. If Nicola Sturgeon had hacked BT to spy on Westminster, it would be the same," he said.

Computing's Enterprise Security and Risk Management Summit will be held on 24th November 2016 in Central London.