SIGINT agencies face a paradox in confronting the cyber security challenge. One the one hand, they possess some of the rare pockets of cyber security expertise that sit within government. The traditional mission of SIGINT agencies has involved intercepting electronic and telephone communications — an experience that has also given them rich insight into how systems can be defended. This means SIGINT agencies are often seen as the natural choice for governments delegating cyber security responsibilities.
At the same time, however, SIGINT agencies typically lack both the strategic outlook and organisational culture required for cyber security. Unlike the game of espionage, cyber security requires a far more open and communicative response. Government organisations responsible for cyber security must publicly engage with three sets of stakeholders: the general public, businesses and adversaires.
With the majority of cyber security threats targeting businesses, it is vital for SIGINT agencies responsible for nation-wide cyber security to work closely with the private sector. These public-private partnerships involve a number of dimensions. Joint public-private cyber simulation exercises provide useful learning opportunities for states seeking to develop preparedness for significant crisis situations. SIGINT agencies bring a wealth of experience and insight to these situations when they are willing to engage.
Government cyber security entities also represent a source of advice for the private sector. The most effective communication strategies for imparting such wisdom will also tailor the interaction based on the firm at hand. While cyber security fundamentals are often universal, a different set of challenges and expectations naturally exist for a large multinational when compared to a small business that employs under ten people. Government cyber security communication must therefore be multi-tiered with messages packaged and delivered through various channels.
In addition to working with business in a broad sense, SIGINT agencies should also work directly with the cyber security industry. Various SIGINT agencies have developed information sharing partnerships with other domestic stakeholders, providing all members with better threat intelligence and useful examples of best practice. As the then Chief of NSA’s Tailored Access Operations, Rob Joyce helped to clarify the approach of offensive nation state operations, and crucially the measures that can be introduced to improve defences at a cyber security conference in 2016. The cyber security industry would only gain from similar embodiments of leadership.
I Want to Live Like Common People
Communication with the public is also increasingly important. The general level of cyber security awareness is still too low. To improve the security of nation-scale, reducing the low hanging fruit can go a long way in raising the bar for attackers. Public awareness campaigns or the introduction of basic cyber security education in school curricula can go a long way in correcting the imbalance.
This opens up broader questions related to how the government cyber security remit should be delegated. While cyber security awareness campaigns with adverts plastered on the side of buses might be important, it is not a process familiar to the spooks of Cheltenham and Fort Meade. Governments therefore face a number of policy choices: they may seek to refresh the strategies of SIGINT agencies in order to develop a more public facing outlook, delegate the task of public engagement to other government organisations or even create new government departments and organisations entirely. Even when SIGINT agencies aren’t the primary organisation communicating with the public in this way, they are likely to still play an important supporting role. It is therefore increasingly inevitable that SIGINT agencies will be involved with public messaging in some capacity.
The need for a departure from the traditional SIGINT mentality has been recognised most clearly in the UK. In 2016, the UK government established the National Cyber Security Centre (NCSC). The NCSC remains part of GCHQ, but is a distinct identity, and crucially one that is more far more publicly facing and approachable. The centre has given several senior GCHQ staff a greater platform to engage publicly and this has led to an appreciable difference in public engagement with a number of NCSC staff now appearing at conferences and writing blog posts that articulate the centre’s vision in an informative, yet entertaining manner. The NCSC deserves credit for its clear messaging strategy in the aftermath of serious cyber incidents and data breaches. The WannaCry ransomware outbreak provides a case in point with the NCSC issuing statements and advice to the press, businesses and public alike both during and after the incident.
While the UK model of creating a new centre that exists within a SIGINT agency has proved a success, it represents one of the many ways to proceed and may not be an appropriate model for other states. Ultimately, however, the utility of SIGINT agencies’ cyber security expertise will be severely handicapped if it remains in a top secret drawer.
Name and shame
Governments and SIGINT agencies must decide when and how to publicly attribute state perpetrators of serious cyber attacks, a topic I have discussed before. SIGINT agencies have long attributed cyber attacks internally — the decision to go public is therefore based primarily on political calculations, rather than due to the level of certainty over the perpetrator’s identity. States have a range of options in relation to attribution including staying silent, publicly declaring the responsible state and even announcing the responsible state in addition to releasing more detailed technical information about the attack (or conversely only releasing technical information without the accompanying political attribution). Attribution strategies should be based on an assessment of the likely trade-offs and outcomes of the various options at hand, a topic that remains underanalysed.
Western governments are also attributing in tandem with each other — a variety of Five Eyes and European states all attributed both WannaCry and NotPetya worms (to North Korea and Russia) at the same time. These coalitions offer some prospect for developing international norms surrounding what constitutes unacceptable behaviour in a way that previous norm-building exercises have largely failed to achieve.
While calling out and revealing an aggressor’s offensive capability may raise the stakes in itself, it can also lay the foundation for further action. This has included the indictment of hackers behind an attack as well as the introduction of sanctions. The European Union (EU) could also soon begin to exercise its diplomatic clout in responding to cyber attacks: in 2017 the European Council agreed to develop a framework for a joint EU response to malicious cyber attacks that will make full use of measures within the Common Foreign and Security Policy, including restrictive measures if necessary.
Public attribution is a topic of rising importance and one increasingly landing on policymakers’ agendas. SIGINT agencies therefore find themselves in unfamiliar territory with public attribution claims putting them centre stage in newspaper headlines. Even when public attribution claims are made by other government entities (e.g. foreign offices, state departments or executives), SIGINT agencies inevitably become key protagonists in the following reporting.
The public facing side of SIGINT agencies is therefore growing in importance — going beyond a PR issue to one featuring centrally in a government's cyber security and foreign policy strategies.