
The new National Cyber Centre

12:12 23 November in Cyber security, Incident Response

Speaking last week at GCHQ in Cheltenham, the Chancellor announced the creation of a new ‘National Cyber Centre’ (NCC). You can read the full text of his speech here, and some highlight factoids here. I recommend at least reading the highlights, though there is a lot of additional ground in the speech too, so if you have a free ten minutes, read the whole thing, as it contains some interesting stuff.

I’m not going to critique the whole speech here, and a lot of the detail is yet to be made public. The new Cyber Security Plan to be released next year will presumably fill in some of the blanks. However, something that jumped out at me as being big news was the creation of the new NCC. To quote the relevant portion of the speech:

“We need to address the alphabet soup of agencies involved in protecting Britain in cyberspace. 

As the threat has emerged, so have they. Now we need to bring more coherence to our efforts, so that businesses know there is a single place they can go for advice and help. Today I can announce that in 2016 we will establish a single National Cyber Centre, which will report to the Director of GCHQ.  The Centre will be a unified source of advice and support for the economy, replacing the current array of bodies with a single point of contact. The Centre will make it easier for industry to get the support it needs from government. And make it easier for government and industry to share information on the cyber threat to protect the UK.

Reporting to GCHQ will mean the Centre can draw on the necessarily secret world-class expertise within this organisation. 

But the Centre will also have a strong public face and will work hand in hand with industry, academia and international partners to keep the UK protected against cyber attacks. And over time, we will build several important capabilities in the new Centre. It will give us a unified platform to handle incidents as they arise, ensuring a faster and more effective response to major attacks. And we will build in the National Cyber Centre a series of teams, expert in the cyber security of their own sectors, from banking to aviation, but able to draw on the deep expertise here, and advise companies, regulators, and government departments.”

The point about alphabet soup and unclear responsibilities is a good and valid one, and something I have griped about before both on this blog, and in articles at RUSI. I will also say that it is always easy to be on the outside looking in, and to find the faults and point fingers. I used to be on the inside, and uninformed commentators always bugged me.

So, my first impressions of the plan for an NCC.

It’s definitely a good idea to have cyber security be overall the responsibility of one government department, and to have a single point of reporting and centre for outreach. When I worked for government a common complaint from industry contacts was the lack of clarity of who did what, and there were fewer responsible agencies at the time. Also, capitalising on the expertise that sits in GCHQ is a good idea. There will be a lot of people responsible for cyber defence both in the critical national infrastructure and outside of it who would welcome closer working relationships on that level.

The devil of course is in the detail. What does this mean for CERT-UK? Is it to be absorbed by the NCC or to continue to exist alongside it? And what about CPNI, who also provide cyber security advice but more significantly have lots of existing, well-established and productive relationships with many companies across a range of sectors?

Moving these functions into the NCC is not of course an insurmountable problem. Doing so without breaking things that work might be a challenge, and it seems a shame to throw away the work done with the newly established CERT.

However, I do have some deeper reservations. Let me open by being clear – I am a supporter of GCHQ and support the work they do. I think they have been grievously miscast as villains by many in the media following the Snowden leaks. That’s not to say I don’t think we need a review of legislation, or that I think sweeping collection of information is automatically a good or necessary idea.

From reading reports based on the Snowden leaks you may think GCHQ is some freewheeling agency where anything goes, and information is accessible by anyone. That is very clearly not the case. GCHQ is an intelligence agency, and takes safeguarding the information it holds and the accesses it has very seriously. And therein lies the problem. GCHQ is great at working in the shadows. Stepping into the limelight, and taking the role as lead cyber agency will be a new, and significant, challenge (and indeed may require legislation change) and not one that will obviously play to the agency’s strength.

Secondly, some people may have concerns about sharing information with what is primarily an intelligence agency. Some, even most, of these concerns will be unfounded, but some may be legitimate. GCHQ is an intelligence agency if you are in the UK, and a partner if you are an ally. If you fall outside those categories you might consider GCHQ a hostile intelligence agency. It is after all their remit to spy, and that remit is broader than just collecting intelligence on threats (this is true of SIS also). So sharing information with GCHQ might be problematic for companies who aren’t UK headquartered or who have significant interests in other countries.

I don’t want to knock the NCC too much. Bold ideas are rare in government, and getting departments to relinquish remit is a challenge (especially when that remit is cyber, the one area getting funding). However, if the NCC is to meet the ambitious goals laid out by the Chancellor then GCHQ is going to have to be prepared to make some significant cultural changes. The luxury of extending the walled garden and only dealing with those with the right clearances and need to know will no longer be available. It will be interesting to see how this idea evolves, and what it means for the current non-GCHQ agencies with a cyber remit.
