CYBER
A sophisticated player

13. GCHQ assesses that Russia is a highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector:

  • Since 2014, Russia has carried out malicious cyber activity in order to assert itself aggressively in a number of spheres, including attempting to influence the democratic elections of other countries – for example, it has been widely reported that the Russians were behind the cyber-enabled 'hack and leak' operation to compromise the accounts of members of the French political party En Marche! in the run-up to the 2017 French elections.[1]
  • Russia has also undertaken cyber pre-positioning[2] activity on other nations' Critical National Infrastructure (CNI).[3] The National Cyber Security Centre (NCSC) has advised that there is *** Russian cyber intrusion into the UK's CNI – particularly marked in the *** sectors.
  • GCHQ has also advised that Russian GRU[4] actors have orchestrated phishing[5] attempts against Government departments – to take one example, there were attempts against ***,[6] the Foreign and Commonwealth Office (FCO) and the Defence Science and Technology Laboratory (DSTL) during the early stages of the investigation into the Salisbury attacks.[7]

14. Russia has sought to employ organised crime groups to supplement its cyber skills: SIS has observed that "this comes to the very muddy nexus between business and corruption and state power in Russia".[8] GCHQ told the Committee that there is "a quite considerable balance of intelligence now which shows the links between serious and organised crime groups and Russian state activity" and that "we've seen more evidence of *** serious and organised crime *** being connected at high levels of Russian state and Russian intelligence", in what it described as a "symbiotic relationship".[9]

15. Russia's cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security.

Leading the response

16. The NCSC – part of GCHQ – leads on protecting the UK from cyber attack and, as the authority on the UK's cyber security environment, sharing knowledge and addressing systemic vulnerabilities. It is the Government's interface with industry on cyber security and leads on incident response (for example, in the event of a cyber attack on the UK's CNI).

17. However, it is clear that cyber is a crowded domain – or a "complex landscape".[10] There are a number of agencies and organisations across the Intelligence Community which have a role in countering the Russian cyber threat, and it was not immediately apparent how these various agencies and organisations are co-ordinated and indeed complement each other. The next iteration of the National Cyber Security Strategy must address this need for greater cohesion.

18. Accountability is an issue in particular – whilst the Foreign Secretary has responsibility for the NCSC, which is responsible for incident response, the Home Secretary leads on the response to major cyber incidents. Indeed, there are a number of other Ministers with some form of responsibility for cyber – the Defence Secretary has overall responsibility for Offensive Cyber as a 'warfighting tool' and for the National Offensive Cyber Programme, while the Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) leads on digital matters, with the Chancellor of the Duchy of Lancaster being responsible for the National Cyber Security Strategy and the National Cyber Security Programme. It makes for an unnecessarily complicated wiring diagram of responsibilities; this should be kept under review by the National Security Council (NSC).

Attribution: a new approach

19. What is clear about the Government's response is that it has now begun to take a more assertive approach. Cyber attribution is the process of identifying and then laying blame on the perpetrator of a cyber attack. The UK has historically been reticent in attributing cyber attacks – as recently as 2010, this Committee was asked to redact mention of Russia as a perpetrator of cyber attacks, on diplomatic grounds.[11]

20. This new approach was indicated first by the response to the November 2017 WannaCry attack (with a statement by Foreign Office Minister Lord Ahmad condemning the attack) and the subsequent response to the February 2018 NotPetya attack, then more recently when the Foreign Secretary took the step, on 3 October 2018, of announcing publicly that the UK and its allies had identified a campaign by the GRU of indiscriminate and reckless cyber attacks targeting public institutions, businesses, media and sport[12] – including attribution of the attempted hacking of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague.[13] This must be the right approach; there has to now be a cost attached to such activity. When attacks can be traced back – and we accept that this is in itself resource-intensive – the Government must always consider 'naming and shaming'.

HMG as a player: Offensive Cyber

21. Nonetheless, this is an era of hybrid warfare and an Offensive Cyber capability is now essential. The Government announced its intention to develop an Offensive Cyber capability in September 2013, and in 2014 the National Offensive Cyber Programme (NOCP) – a partnership between the Ministry of Defence and GCHQ – was established.[14]

22. The UK continues to develop its Offensive Cyber capability. The Ministry of Defence and GCHQ have described it as a "genuinely joint endeavour".[15] This has led us to question whether there are clear lines of accountability. The Committee was assured by the Chief of Defence Intelligence that:

By executing a joint mission, we [the Ministry of Defence and GCHQ] can move seamlessly between one set of authorisations and another, making sure we're acting appropriately, but those that are managing the capability are able to make that switch and run those operations effectively.[16]

We expect to be kept updated on how the dual authorisation process is working as the capability itself continues to develop.

23. GCHQ and the Ministry of Defence have in recent years adopted a more open posture on Offensive Cyber,[17] for example with public references to the successful prosecution of a major Offensive Cyber campaign against Daesh. The issue of Offensive Cyber is addressed in more detail in the classified Annex to this Report.

24. *** – GCHQ acknowledged that *** it would have to broaden its recruitment base, with a shift towards recruiting on aptitude rather than on pre-existing skills. It was also interesting to hear that Defence Intelligence is taking steps to develop and retain these skills through revision of the military resourcing model, which will mean military personnel remaining in cyber roles for longer than the current one to two years. The Committee supports the lengthening of posts as a general principle across the board, not just in Defence Intelligence and not just in cyber. Corporate knowledge and experience are continually lost across Government with such short rotations, and there is a question as to how long an individual needs in a post in order to start contributing or whether they move on just as they are up to speed. We commend Defence Intelligence for being the first to recognise this problem and take action.

International actions

25. Whilst the UK must have its own defensive and offensive capabilities, it must also be prepared to lead international action. In terms of attribution, it is apparent that not everyone is keen to adopt this new approach and to 'call out' Russia on malicious cyber activity. The Government must now leverage its diplomatic relationships to develop a common international approach when it comes to the attribution of malicious cyber activity by Russia and others.

26. There is also a need for a common international approach in relation to Offensive Cyber. It is clear there is now a pressing requirement for the introduction of a doctrine, or set of protocols, to ensure that there is a common approach to Offensive Cyber. While the UN has agreed that international law, and in particular the UN Charter, applies in cyberspace, there is still a need for a greater global understanding of how this should work in practice. The Committee made this recommendation over two years ago in its Annual Report 2016–2017.[18] It is imperative that there are now tangible developments in this area in light of the increasing threat from Russia (and others, including China, Iran and the Democratic People's Republic of Korea). Achieving a consensus on this common approach will be a challenging process, but as a leading proponent of the Rules Based International Order it is essential that the UK helps to promote and shape Rules of Engagement, working with our allies.[19]

  1. 'Hack and leak' refers to the obtaining of private information by hacking, and making it public.
  2. Pre-positioning in the context of cyber activity is the process of exploring and securing an entry point in a network that now, or in the future, could be used to disruptive effect. It is not always immediately apparent whether the intrusion is for espionage purposes or pre-positioning.
  3. Critical National Infrastructure (CNI) comprises the facilities, systems, sites, information, people, networks and processes necessary for a country to function and upon which daily life depends. In the UK, there are 13 CNI sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water.
  4. The GRU is the Main Intelligence Directorate of the General Staff of the Russian Armed Forces.
  5. Phishing is the fraudulent practice of sending emails purporting to be from reputable organisations in order to induce recipients to reveal personal information, such as passwords and credit card numbers.
  6. ***
  7. GCHQ, Quarterly Report to the ISC, July–September 2018.
  8. Oral evidence – SIS, *** February 2019.
  9. Oral evidence – GCHQ, *** February 2019.
  10. Oral evidence – NSS, *** February 2019.
  11. The Committee did not accept this request, and published the information.
  12. NCSC, Reckless campaign of cyber attacks by Russian military intelligence service exposed, 3 October 2018 (www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed).
  13. A joint statement was made by the Prime Minister, the Rt Hon. Theresa May MP, and the Prime Minister of the Netherlands, Mr Mark Rutte, on 4 October 2018.
  14. The announcement by then Defence Secretary Philip Hammond also included the launch of a Cyber Reserve Unit.
  15. Oral evidence – GCHQ, *** February 2019.
  16. Oral evidence – Defence Intelligence, *** February 2019.
  17. The Director of GCHQ referenced the cyber campaign against Daesh in a speech at CyberUK on 21 April 2018.
  18. Intelligence and Security Committee of Parliament Annual Report 2016–2017, HC 655.
  19. The UK's position on applying international law to cyberspace was set out in a speech, Cyber and International Law in the 21st century, delivered by the Attorney General, the Rt Hon. Jeremy Wright QC MP, at Chatham House on 23 May 2018.