On Wednesday, January 28, 2015 PS21 hosted a roundtable of the record discussion in London with former GCHQ official John Bassett, also a founding member of the PS21 International Advisory Group. The event was attended by more than 30 people including current and former UK and foreign officials as well as representatives of the insurance, banking and technology industries amongst others.The discussion itself was off the record, primarily to allow those currently working for companies and governments to express themselves freely.
“It was very useful and very engaging,” said Frances Hudson, investment director and global thematic strategist at UK insurance and pensions firm Standard Life. “What I particularly liked was the range of perspectives and viewpoints. “We had former spies, academics, people from my industry and they all bought something different.”
It was, most participants agreed, a great start to PS21’s London operations.
“What I really like is the idea of being ever so slightly feral,” says Bassett, former head of GCHQ’s London and Washington stations. “This is something that pulls together people with a wide range of operational experience…and also those who are the future leaders. It seems to me it’s like a bubbling cauldron. Everyone who was there got really stuck in and made a real contribution.”
Below,PS21 executive director Peter Apps summarises some of his key takeaways from a frank and wide ranging discussion.
There are still considerable gaps in our conceptual framework. Many of these ideas and types of attacks are now far from new but we still don’t necessarily have good waves of classifying them. What activity by nationstates is unacceptable in cyberspace? Is accessing information secretly just about okay if limited (espionage?) but not widespread (intellectual property theft?)?
Overall, cyber attacks by nation against nation are proving at least somewhat corrosive to international relations. At the end of the day, all nations should probably shoulder some of the blame for this (Stuxnet, after all, was one of the first shots of this kind of warfare). Historically, signals intelligence agencies have operated in near total secrecy and that is simply no longer possible in the same way, no matter how much they might want it.
Companies are unquestionably taking this more seriously. They are looking for insurance, conducting their own research into the field to look for both opportunities and threats. In many jurisdictions including the UK, there is no legal obligation to disclose significant data loss and so they probably do not. In general, the ability to build new systems has advanced faster than the ability to protect them.
But at the end of the day, some of the largest firms such as Google are in fact as powerful as any nationstates including the US when it comes to cyberspace. Indeed, one could argue we haven’t seen companies as powerful or geopolitically important since the East India Company. When Google deals with China, it does it more as a nationstate would than a private firm.
Geopolitical tensions may be rising around the world but overall most states buy into and benefit from a globalised trading/Internet system. Interestingly, the most destructive state-linked cyber attacks have been from the two nations — Iran and North Korea — that have been most heavily frozen from the international system.
We understand far too little about what motivates actors in cyberspace, whether it is these large companies or individual hackers. Is it a lack of moral direction, a belief in a cause or simply a frustration with the rest of the world that drives them? there certainly seems to be a willingness to go the easy targets and some institutions — perhaps such as tobacco companies — might be seen as fairer game than others.
Indeed, for all the focus on governments when it comes to cyber, perhaps they are the least capable institutions of dealing with it. Different departments have yet come by and large, to come together on it. For the private sector, it’s often perceived as a matter of buying one’s own protection, finding insurance. But the genie is not going to get back in the box and they are going to have to learn.