back to article GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Speaking this morning to CESG's Information Assurance conference, Robert Hannigan, director of GCHQ, declared that Britain was a "sovereign cryptographic nation" and reproached the free market's ability to provide adequate cybersecurity. The claim was delivered to a cybersecurity shindig attended by government employees and …

  1. Anonymous Coward
    Anonymous Coward

    and page 2 talks about their work with the FBI

    "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."

    Does this mean that they charge for access to UK traffic when the FBI wants to see it?

  2. Anonymous Coward
    Anonymous Coward

    Forgive my Britishness

    But most of this seems to come under "You would say that, wouldn't you?"

  3. Anonymous Coward
    Anonymous Coward

    Surprised about not giving away all the 0 day vulnerabilities

    GCHQ is not a funded by my taxes to be the backstop security auditor of all the products and services I use. I refuse to subsidise that, they are there for my protection as well as their more targetted activities but that should not underpin corporate security laziness.

    Yes, disclose the broken, useless 0 days, use some offensively or at least proactively for a time, thats why they are there.

    Encryption does not stop conversations to be tracked even if the content is obscured. I am sure there are enough poor implementations of encryption to side channel or avoid the encryption most of the time anyway.

    Yes I am not happy GCHQ should have free reign to spy on everyone, but I am happy that they can target their "customers" without having to fully disclose all their methods in advance.

    1. the spectacularly refined chap

      Re: Surprised about not giving away all the 0 day vulnerabilities

      GCHQ is not a funded by my taxes to be the backstop security auditor of all the products and services I use. I refuse to subsidise that, they are there for my protection as well as their more targetted activities but that should not underpin corporate security laziness.

      But that is the very essence of government in a capitalist society: to monitor and to regulate to ensure no one takes the piss. Should the government not ensure that the bank you use does not disappear overnight? That the food you buy is safe to eat? That the field next door is not used as a fly tip for nuclear waste?

      These all control commercial activity. What makes encryption and security different other than an instinctive paranoia that fails to appreciate the very role of any government, namely the protection of the people?

    2. werdsmith Silver badge

      Re: Surprised about not giving away all the 0 day vulnerabilities

      "I refuse to subsidise that,"

      So, you are a tax exile then?

      Because otherwise you have no say in the matter. Not even a general election vote can help you with your refusal.

  4. Adair Silver badge

    Re: ...you cannot have all of the following:

    @DavCrav - Very true, but we can have all of these working together:

    1. Transparency (within practical and lawful reason)

    2. Proportionality

    3. Honesty

    4. Trustworthiness

    5. Access to justice (which must be SEEN to be done)

    Unfortunately, when trust is lost and proportionality is a matter of bureaucratic opinion then the whole idea of 'responsible government' starts to look very suspect and shabby. What a mess, and mostly the fault of our collective complacency and the usual problem of an over weening state.

  5. Anonymous Coward
    Anonymous Coward

    Pitiful

    "pioneered a world leading approach to declassifying threat data and sharing it at scale with commercial partners."

    How does that world in some third world country where all the bad guys are screaming, don't use that it's Kaffir technology, throwing away there mobile phone and are going back to whispering conversations over a candle. This is all dreadfully sad, a load of guys who don't appreciate technology but want to destroy large slices of it at the same time, so it suits there own end's and they can continue to spy on OPEC!

    1. Anonymous Coward
      Anonymous Coward

      Re: Pitiful

      Let Boko Haram haram away.

      The locals will duly take care of those motherf*ckers. We have had some episodes along those lines in Europe.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pitiful

        "The locals will duly take care of those motherf*ckers. We have had some episodes along those lines in Europe."

        The trouble with that idea, as demonstrated in Afghanistan, is that sometimes the mofo's are too strong for the locals to deal with. To the point the mofo's become the government. What do you do then, especially if they start getting ambitious about matters outside their borders?

  6. theOtherJT Silver badge

    Left Hand, meet Right Hand

    Good, now we've got the introductions out of the way, do you think you two could go have a bit of a talk somewhere private and then come back and speak to the adults once you're both on the same page please?

  7. Crisp

    I'm not sure that I entirely believe Hannigan.

    "People and business in the UK should use encryption to protect themselves. "

    Good. I agree with that. I don't want someone pinching my credit card number or masquerading as me online.

    " All the government is saying is information needed for national security and serious crime purposes should not be beyond the lawful, warranted reach of the state when the need arises."

    I understand that. But what that means is that the government wants us to have weak encryption that can be broken, or some kind of other method of decrypting the content of a transmission. And they want this method in place without anything that can be described as a "backdoor".

    The fact remains that if the encryption is weak, then it can be broken by anybody. If there's a second method of decrypting the content, then that method can be discovered by anybody. The end result is the same.

  8. Destroy All Monsters Silver badge
    Paris Hilton

    Rebellious colonies forever burdened with shit-tier math!

    "[the] Director was referring to the UK being a world leader in [cryptography] in its own right, in that we do not need to depend on other countries, whether state or industry, to have this capability."

    Mathematics works the same (and possibly even better) in the cindery remains of the British Empire?

    Fancy that!

    Greg Egan may have been up to something with "Luminous" (1998).

  9. captain veg Silver badge

    Do they have internet in prison cells?

    "We are committed to ensuring no part of the internet, including the dark web, can be used with impunity by criminals to conduct their illegal acts."

    I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction.

    Or did he mean suspects?

    -A.

    1. DavCrav

      Re: Do they have internet in prison cells?

      "I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction.

      Or did he mean suspects?"

      No, he means criminals. If you are suspected of being a criminal; you might or might not be. But criminals commit crimes, not suspects.

      It's like this: a body is found with an axe poking out the chest. There is a criminal around somewhere, the murderer, and there are suspects. The criminal is a criminal whether or not they are a suspect.

      1. Charles 9

        Re: Do they have internet in prison cells?

        "It's like this: a body is found with an axe poking out the chest. There is a criminal around somewhere, the murderer, and there are suspects. The criminal is a criminal whether or not they are a suspect."

        Not necessarily. The criminal may be the same as the victim: in this case, a Darwin Award Winner trying to play with axe juggling.

    2. Anonymous Coward
      Anonymous Coward

      Re: Do they have internet in prison cells?

      "I would have thought that the best method of doing that is by locking them up. Which we do. Upon conviction."

      To convict, you have to bring the criminal to trial. To do that, not only do you have to arrest him/her but you also have to bring the arrestee to your jurisdiction. Kinda tough to do when the criminal is committing crimes behind the protection of an enemy state that denies they even know the criminal.

  10. Peter Stone

    I see,

    This is the lot, or it's equivalent, that at the time of the Crimean War, used the solution Babbage had worked out to crack Vigenere's Cipher, but never told anyone, or allowed Babbage to publish his method & claim credit for it. Then at the end of the Second World War, gave the captured Enigma machines away, not revealing we had cracked them, and they expect us to trust them??

    1. cantankerous swineherd

      Re: I see,

      plus destroying colossus on Churchill's order iirc.

  11. Peter Stone

    Another point

    Does anyone remember the Clipper Chip/Capstone controversy back in the 90s? They were on about a similar setup using key escrow, & got laughed out of court.

    1. Destroy All Monsters Silver badge

      Re: Another point

      I remember this but I don't remember the laughing.

      Was pretty serious.

  12. cantankerous swineherd

    so if gchq are in the business of protecting the nation, how come they aren't stopping the smart meter bandwagon? or do they think that spying on internet users is going to stop the mass bricking?

    1. Anonymous Coward
      Childcatcher

      "so if gchq are in the business of protecting the nation"

      You might want to read up on this part of GCHQ - https://www.cesg.gov.uk/Pages/homepage.aspx (Just ignore the .aspx bit, I'm sure they are jolly secure)

      They have created a security qualification called "Cyber Essentials" (and Plus) and provided a framework for accreditation etc etc. It's not bad. Download their self assessment sheets and follow them through at home and work (if you can). It's a very good first start.

      If everyone passed that in the UK then all we'd have to worry about is our own govt and assorted agencies. Divide and conquer: simples!

      (No I haven't read the whole article - just got here from /. )

  13. allthecoolshortnamesweretaken

    GCHQ and business

    Why doesn't the GCHQ start 'the next Facebook'? They'd get all the data and could even make money doing so!

    1. Anonymous Coward
      Anonymous Coward

      Re: GCHQ and business

      Why doesn't the GCHQ start 'the next Facebook'?

      = because for job applications for certain roles they have advertised they require a 2:2 from uni!

      1. Anonymous Coward
        Anonymous Coward

        Re: GCHQ and business

        "they require a 2:2 from uni"

        That's a "Desmond" or possibly 1.

  14. fluffybunnyuk

    ummm anyone remember Crypto AG...? no? heres a refresher...

    go to wikipedia and read the Crypto_AG page.

    Do they mean by "helping" its a spin word for fundamentally undermining cryptography standards.

    I dont care i spent 5 years on code to devolve an encrypted data stream to 2 different crytographic outputs... one being my data and the other being my mums peanut pie recipe. I think we know which crypto key I'll be handing over if they come knocking... and if they do i'll up it to somewhere popular for everyone to share. Oops so much for that much vaunted RIPA act people keep quoting...

    1. Anonymous Coward
      Anonymous Coward

      "I dont care i spent 5 years on code to devolve an encrypted data stream to 2 different crytographic outputs... one being my data and the other being my mums peanut pie recipe."

      The trouble with plausible deniability is that your adversary can become wise to it. Much like TrueCrypt/VeraCrypt hidden containers. If the adversary knows you can hide more than one key, they simply won't stop until you disclose the other key, the one everyone knows is the one to the REAL real juicy stuff. Must stink to be using a system capable of deniable encryption and yet not actually using it because you're now in a position where you can never conclusively prove you have something to hide WITHIN the something to hide.

    2. Seajay#

      Re peanut pie

      Just one recommendation, the courts might legitimately wonder why you've spent 5 years protecting your mum's receipe and therefore conclude that you haven't given up the real key and send you to jail anyway. Better to put some really deviant (but not illegal obviously) porn in that sacrificial container.

      Also, if you've been writing encryption software solo, it is probably easily broken.

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: Re peanut pie

          "For an example of such a GREAT protocol, see the Perpetual Encryption solution."

          The problem with the theory is that you break the OT part of OTP. One-time pads are secure because you only use them ONCE. By doing that, you create the STRONG cryptographic strength of proving that ANY given ciphertext can be translated into ANY plaintext at any given time. POTP actually reuses pads, and that breaks the strong part of that encryption because a cryptanalyst, armed with all the pads, can run ciphertexts and detect patterns that come about through re-use.

          1. Anonymous Coward
            Anonymous Coward

            Re: Re peanut pie

            Now, having read what I wrote and thinking about it some more, I may be mistaken, but there are other ways to employ a shared pad that may not necessarily be one time but can still be difficult to cryptanalyze because you use the pad inventively. For example, a true one-time pad assumes the simplest of use cases: XOR and iterative one-by-one traversal, but if the pad were used in a non-trivial way (say, start in the middle and step some amount or pattern of amounts, wrapping around) and care was taken to not repeat these methods, I think you could use a pad multiple times, even using individual elements more than once (giving the pad a degree of depth) while still being difficult to cryptanalyze due to the high degree of randomness involved. I will be the first to admit that such a technique would need a considerable degree of refinement and would definitely have drawbacks, but I think it could have its uses in specific circumstances.

            That said, I still call out this supposed Perpetual Encryption as mostly hot air.

          2. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    Lots of people use Whatsapp

    They're not looking to get backdoors because that would be impractical and stupid - all the big US services would say no. They're also not looking to ban encryption because that would also be impractical and stupid - the rest of the world would laugh at how the UK had just done the equivalent of bombing it's digital economy back to the stone age. What they are doing is pushing for *end to end* encryption to become illegal.

    The first part of achieving this is that you have to surrender your encryption keys if the authorities demand them. Like it or not, this part has already become law. Unfortunately for HM Gov, this probably won't do them any good if the user of the encryption isn't easily able to provide the keys because an app does it all for them - e.g. whatsapp. So the current push is about bullying these communications platforms to change their services so that they are no longer end to end encrypted, permitting the authorities to tap the comms channel whilst it's unencrypted within the comms provider's systems. So really they're just enforcing the weakening of encryption implementations on these services so that they can intercept with a warrant. This is all very sneaky, but it allows HM Gov spokesfolk to say they're not trying to ban encryption without being caught in a lie.

    Of course, this particular manoevre still needs the comms providers to play ball with HM Gov. Presumably they'll be told they will no longer be able to provide comms to UK citizens if they don't toe the line. It will be interesting to see what these providers do next; do they withdraw from the UK (loss of revenue), disable end to end crypto for all their users (and risk really bad PR for downgrading the security of their non-UK users) or redevelop their service to degrade the security implementation for any comms involving their UK customers at either end (comms decrypted whilst at their server) whilst retaining end-to-end crypto for all other traffic (and incur extra development costs).

    On most matters of cyber security the public will never know (much less care) what the real upshot of the actions of our lords and masters, but this is a rare example of where the impact of legislation really could bite HM Gov on the arse. If the IPB results in use of whatsapp being banned for use in the UK it's going to make waves, as that service isn't just used by the IT savvy folk. Alternatively if whatsapp publicise the change of all UK users subscriptions to their "UK_IPB_downgraded_security_option" and hike the renewal price up by 100% (to help pay for the additional development costs incurred, of course) it could still make things uncomfortable for Dave and his chums without whatsapp having to withdraw from the UK market.

    If you want to help non-IT folk understand what all the fuss is about don't go for the easy (but technically incorrect) line that the Gov wants to ban encryption - just tell them that the Gov wants to ban services like Whatsapp. That tends to get their attention long enough for them to realise that this really does mean that big brother will be watching them.

  16. earl grey
    Mushroom

    This qualifies as "pants on fire"

    The only back door they care about is yours: grease free if you please.

  17. Trollslayer

    Been there

    At GCHQ for an interview.

    It's worse than you think - Yes Minister meets The IT Crowd.

    HR are like frightened rabbits which set off alarms for me, always a bad sign.

    1. Anonymous Coward
      Anonymous Coward

      Re: Been there

      Clearly just from reading the CESG homepage, these guys just don't get it apparently;

      ECTOCRYP® Blue is the next stage in sovereign UK cryptographic development which is what there director is waffling on about..

      This enterprise version with its 19” rack mounting is fully interoperable with ECTOCRYP® Yellow, providing High Grade encryption for strategic and tactical networks.

      ◾Sovereign High Grade SECRET and TOP SECRET

      ◾PRIME Suite A certified to interoperate with other certificated PRIME conformant devices, modules include:

      ◾Base (IKEv2)

      ◾Suite A

      ◾Pre-Shared Key

      ◾Pre Placed Key SA

      ◾Community Separation (CCOI)

      ◾NAT Traversal

      ◾Peer Topology Sharing (Node)

      ◾Advanced Networking (DSCP Bypass, IKEv2 Liveness)

      ◾Encryption of multi-cast communications using Pre-Placed Key (PPK)

      ◾Supports crypto discovery using Peer Topology Sharing (PTS)

      ◾Up to 256 cryptographic keys (PPK, PSK, CCOI)

      ◾> 512 simultaneous Security Associations (SA)

      ◾>1.6 Gb/sec bidirectional IMIX throughput

      ◾Support for remote management

      ◾Crypto Ignition Key (CIK) support; Device Not Protectively Marked (NPM) ACCSEC when CIK removed, easing handling constraints.

      There is a huge difference between Pre-Shared Key and Public-Shared Key and I sure as hell don't like the sound of Pre Placed Key (SA) that implies they want to insert there signed-ness everywhere - With support for remote management, that must means a hackable Linux web-portal on it's ass end somewhere with there own private (SA) which some clever bod will replace with there own (SA) after they've broken in... Stupid is as stupid does! What is a DSCP Bypass? An IKEv2 dear god pay peanuts get monkeys there still playing with IPsec calling it secret, ah bless there little cotton socks!

  18. amanfromMars 1 Silver badge

    Do Spooks Lead with Novel Invented Events or Do Vain Battle against the Spectre of Them?*

    The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply. That much is clear. …. Robert Hannigan, director of GCHQ

    Quite another school of thought/university of life would proffer that necessary virtual protection and APT ACTive supplies and cyber security market developments are doing just fine and dandy, thank you very much, and it is because of the likes of a dodgy puppet/perverse master relationship, which can all to easily be realised in the likes of a servant GCHQ/self-serving corrupt government marriage of convenience which is denying them access to new secrets, which out and exploit all manner of systemic establishment vulnerabilities.

    New gatekeepers are never going to deal equitably, if even at all, with an enemy which be a friend of an enemy and into austere terrorising executive administration, are they? Such would be a monumental folly.

    Trying to maintain and sustain a failed fiat currency invention project which enriches the rich and enslaves the poor, is a recipe for disaster and revolutionary act and it generates mounting trouble and real smart conflicts, way beyond the ken of that which would try to oppose it.

    * And to enrich what/whom?

    1. This post has been deleted by its author

  19. This post has been deleted by its author

    1. amanfromMars 1 Silver badge

      Next Generation Encryption has arrived!!! Secure by Design. Secured by Advancing IntelAIgents

      Our solution is 10 to the power of 2158 times more secure than existing Industry standards, meaning its Quantum Compute & AI secure. …… Perpetual Encryption

      Meaning it is Quantum Compute and AI ready, Perpetual Encryption, which is quite another thing and a wholly different Great Ball Game for Virtual Terrain Team Players and Remote Anonymous Rogue Entities alike?

      Hmmm. And surely just as much an alien sport and exploit export adventure as astute classy assured security protocol, although both of those facilities are invariably poles apart in real world scenarios, and then much more of an APT ACTive Portal to some chosen and a Flying Few ‽ . :-} Poe's Law Rules for Reign in ITs Domains and AIDominions, where Madness meets Genius for a Rumba and Tango :-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Next Generation Encryption has arrived!!! Secure by Design. Secured by Advancing IntelAIgents

        It's just a shameless advertising plug. Perpetual Encryption is based on breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE.

        1. amanfromMars 1 Silver badge

          Re: Secured by Advancing IntelAIgents

          It's just a shameless advertising plug. Perpetual Encryption is based on breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE. …. Anonymous Coward

          Hi, AC,

          How’s it hanging?

          Perpetual Encryption will be very pleased that you make that mistake and do not realise that breaking the most fundamental rule of the One-Time Pad: namely, that you only use it ONCE, is not its base protocol but leading with a better, and beta One-Time Padded message may very well be, for of course, such is probably never to confirmed or denied as fact and practice by those and/or that into utilising it effectively.

          1. Anonymous Coward
            Anonymous Coward

            Re: Secured by Advancing IntelAIgents

            One-Time Pads are the only encryption that are mathematically proven to be robust against cryptanalysis because ANY ciphertext can be translated into ANY plaintext of equal or lesser length. The moment you try to reuse a one-time pad, you break that assurance and can no longer call it a one-time pad. Now, you can re-use a pad in inventive ways, but preventing cryptanalysis of a reused pad is a non-trivial matter and requires its own set of rules and guidelines. It will be neither simple nor all-encompassing nor revolutionary.

            So far as I've read both here, on websites, and a Twitter feed, I've yet to see this technique in any great detail nor any direct endorsements from security authorities (or better, actual use of your technique). So to quote someone who isn't seeing eye to eye, "In English, Einstein!" Or is this all just a load of hot air?

            1. This post has been deleted by its author

  20. veti Silver badge

    It's a challenge

    GCHQ - not unjustifiably - has a lot of pride and confidence in their ability to hack other peoples' security. Basically, anything that's on the market now - they can break, with a minimal amount of effort and occasional cheating.

    So he's saying "Go ahead, use the best encryption you can find/be bothered with. It won't bother us, but it will make things a bit harder for everyone else, which is exactly the way we like it."

    Every so often, someone comes up with a new and clever form of encryption, and then it may take GCHQ some weeks or months of effort to figure out how to break it. That would be a window of opportunity during which you could have real privacy from them, at least temporarily, and that's what the Home Secretary - being, as required for the job, someone whose intelligence compares unfavourably with a dead cane toad - wants to abolish.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a challenge

        No form of encryption can be considered unbreakable. The vaunted one-time pad can be intercepted, and quantum encryption can be stymied by blasting light "noise" into the fiber optics. Anything else can be bypassed by simply finding a way to get the message either before it's encrypted or after it's decrypted. Since our senses can't directly work with encrypted data, it'll have to be decrypted at some point.

        1. This post has been deleted by its author

  21. Irnerd

    As is absolutely reflective in British Society - Drink tea from a cup, use a knife and fork, and obey all the following (plus more) organisations (in no particular order)

    Royal Navy

    Royal Air Force

    Royal Army

    MI5

    MI6

    Constabulary (many many)

    ....

    Bank Of England

    And In 2015 / 2016 - added introduction of

    "Royal Encryption and Cryptography"

    Associating that the Crown will own the keys to the security of customer personal data stored by suppliers of broadband? Something charming [though not sure what] about this naivety.

    Good luck to all participants in that government and commercial relationship. A few more champagnes on ice for that likely successful debacle.

    Tin hats at the ready

  22. Paul Johnson 1

    So presumably the Great Firewall of China will soon be joined by Hadrian's Firewall.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like