The problem with GCHQ’s Cyber Incident Response scheme
Earlier this week the UK’s primary electronic spy agency, GCHQ, announced the launch of its pilot Cyber Incident Response scheme. This worries me.
Firstly, I have doubts about a spy agency taking the lead over a criminal issue. Spies spy; and that’s what GCHQ does and is good at. If it wants to increase its cyber stance, all it can do is increase its spying capabilities. That means more spying on more of us – which is what the Communications Bill is all about; spying on all innocent UK citizens in the hope of catching a few criminals.
Surely criminal issues should be dealt with by some arm of the police? Perhaps focused on the Met’s Police Central eCrime Unit (PCEU)? But a comment from Ross Anderson of the Cambridge University Computer Lab puts government priorities into perspective. “In the UK,” he told me, “the extra £640m promised for cyber-security mostly went to GCHQ, and most of the rest to the MoD. Yet GCHQ admits that they can’t hire anybody useful. Only £5m a year went to the police, where it might actually do some good in terms of catching crooks.”
The next problem is that I just don’t get it. What is this scheme all about? “‘Cyber Incident Response’ services provide access to organizations certified by CESG/CPNI to respond effectively to cyber incidents,” explained Chloë Smith, the minister for cyber security. Does this mean that all of the companies not certified are not capable of responding ‘effectively to cyber incidents’? That is clearly rubbish. But other security companies cannot complain because GCHQ controls one of the largest procurement budgets in the world, never mind the UK – so they will fear being excluded in the future.
There are four ‘certified’ companies so far. You can guarantee that GCHQ did not evaluate all of the available companies and conclude only these four are able ‘to respond effectively to cyber incidents’. Instead it invited applications for certification. So we come down to a few select companies large enough to afford the GCHQ certification process, and preferably with an existing relationship with spy agencies. What we get is government endorsing a few companies – and I am absolutely certain that government should not be endorsing its favourite vendors above the others. That just reeks of a cosy relationship that will promote corruption.
Finally, who are these four companies? Well, for a start, only two are basically British: Detica and Context. Of the others, Mandiant is out-and-out American, and Cassidian is European. Detica belongs to the UK’s primary military hardware company, BAE. Cassidian is part of Europe’s primary military hardware company, EADS. Mandiant is already in bed with the US Secret Service (it is the company called in by the Secret Service to take over the forensic response to South Carolina’s Department of Revenue breach). I know less about Context, but it has offices in Cheltenham: enough said. Put bluntly, these four companies seem more likely to provide services to GCHQ than to companies suffering a security incident.
The UK’s Cyber Incident Response scheme isn’t just wrong; it is very, very wrong.