Thursday, 19 November 2015

UK cyber counter attack programme

Chancellor's speech to GCHQ on cyber security - Speeches - GOV.UK:

"And part of establishing deterrence will be making sure that whoever attacks us knows we are able to hit back.
We need to destroy the idea that there is impunity in cyberspace.

We need those who would harm us to know that we will defend ourselves robustly. And that we have the means to do so.

This is the fifth element of the plan.

Thanks to the investment that we have made during the last Parliament, just as our adversaries can use a range of actions against us, from the virtual to the physical, so we are making sure that we can employ a full spectrum of actions in response.

We reserve the right to respond to a cyber attack in any way that we choose.

And we are ensuring that we have at our disposal the tools and capabilities we need to respond as we need to protect this nation, in cyberspace just as in the physical realm.

We are building our own offensive cyber capability – a dedicated ability to counter-attack in cyberspace.
We have built this capability through investing in a National Offensive Cyber Programme.

The Programme is a partnership between the Ministry of Defence and GCHQ, harnessing the skills and talents of both organisations to deliver the tools, techniques and tradecraft required for the UK to establish a world class capability."

Monday, 16 November 2015

Privacy, encryption and the draft Investigatory Powers Bill #IGF2015

From the official transcript (corrected into English):
GABRIELLE GUILLEMIN:  I would be curious to hear from Chris Marsden who is Professor at Sussex University of what he thinks of the debate in United Kingdom when the investigative powers bill was published recently. 
CHRIS MARSDEN:  So I promised... by the way I was expecting to have people start throwing things at me.  I am only telling you what is going on in the UK but I am not responsible.  I promised I would divide this talk up in the good, the bad and the ugly.  
Let's start with the good.  This will be the shortest part.  We are actually having a debate in the UK and the current investigative powers bill is going in front of joint Parliamentary Committee scrutiny.  It is the response to a previous attempt to introduce a piece of legislation under the last Government that was actually vetoed by the junior coalition partner. Since this May we have a majority Government for the Conservative Party.  It has now been reintroduced in a different way.  You can see what the junior partner thought of it if you look up ‘Nick+Clegg’ online.  
We are having a debate and that's a very good thing. It is a 300 page Bill and there are lots of explanatory memoranda as well.  It is almost Patriot Act length, someone was commenting to me earlier.  Think of it as the UK Patriot Act, 14 years later.  
I should say the other element which I think is very important is that the Joint Scrutiny Committee (which considers the draft bill before it is actually introduced as a Bill into Parliament) unfortunately doesn't seem to have taken advantage of the expertise that was available from the Scrutiny Committee that considered the previous failed Bill from three years ago, and there are no members of that previous Committee on the new Committee, which is, to say the least, a shame. For instance, the Intelligence and Security Committee of Parliament, which is now chaired by the former Attorney General of the country, is actually conducting its own shadow scrutiny investigation. So we are shining light into dark corners.
That's the good.  
The bad and I could go through a very long list but we only got five minutes.  So I should make it relatively short.  
There is no effective judicial review in the way that people would think of judicial review in the rest of the world. So as things stand judges will have the ability to examine warrants for their reasonableness but not to make a factual check on what the warrant contains. And that's not full judicial review as it were. That's maybe more a problem of judicial oversight. But I think that's probably the major bad.
But there were many others. One of them is that, as you may well know and as the Chair stated in the introduction, the Prime Minister has said he doesn't want there to be end to end encryption which doesn't have a back door for the security agencies. There are problems with that, in that, if you start interfering as it were in strong encryption products, the UK has a very strong IT industry and there are a lot of companies that are upset by what is still a draft scrutiny power that may or may not be introduced. Tim Cook of Apple has been outraged at the ban on full encryption suggested.
There will be problems for cloud providers and the financial services industry too.  And it has been suggested that this may be a major issue for as it were UK PLC, the UK economy as well.  I realize this is a rights based discussion we are having but Governments respond very well to that kind of thing.  
I have one minute.  
Let me quickly say, you know the new James Bond film has come out. On the bad side I should tell you that in Britain we think that the security agencies are a combination of Enigma code breakers, Alan Turing and Austin Powers, if not James Bond, and there has been quite a substantial publicity push, I repeat that, publicity push by the security agencies around the film and the publication of the draft bill. Do not expect the British, or as we always call them the Great British Public, to push back hard about this bill. Activists have been outraged and some Members of Parliament are outraged. Sysadmins are outraged even at a local level. Do not expect the general public to be outraged. They like James Bond and they think he is a tremendous fellow.
On the ugly, a year’s data retention costs will be extremely high.  There was a meeting, a Committee of Parliament, on Tuesday.  Government predicted the data retention cost would be somewhere in the order of $300 million, using universal currency (we have a currency but no one talks about it anymore).  The actual cost is basically exponentially higher at least according to the ISP and this will affect the one thing that the British people do care about in their broadband connections, the price.  That is the one possibility of there being a more general outcry of the bill.  
The other thing to say is about the data retention element of the bill: it will only retain metadata and not content. Two issues with that. Metadata is content. If you have access to all of someone's metadata you can make a very, very good approximation of what they want. Content, of course, is relatively useless to the security services unless you are very targeted, because it is extremely expensive to analyze. But the other part is to say that the ISPs think it is extremely difficult to separate metadata on a limited budget. That will be an interesting challenge if it were to come to law.
I know this is an audience that looks at the primary materials; the sections to look at are the gagging clauses. One is a kind of Snowdenian gagging clause and the other two are blanket clauses: anything that the intelligence agencies do that is absolutely outrageous will be legal. See sections 65, 66 and 71 of the Bill.
One final thing to say is that the UK Government will have to declare this Bill is consistent with both the European Convention on Human Rights and its obligations as a member of the European Union under that Convention as it is incorporated in European Union law, but in terms of whether we will be members of either or both by the time this bill comes into effect, watch this space.
Much greater minds have contributed to my contribution this morning. I spoke to Jon Crowcroft, who is a professor at Cambridge, and many other academics who are deeply involved in trying to explain to Parliamentarians what is involved. Two people you should read. First, and I almost take this draft bill as a kind of final insult, a kind of postmortem insult, to Caspar Bowden, who has been one of the heroes of this debate. He died in July of this year. He wrote about the compatibility of mass surveillance with the European Convention on Human Rights and he had been advising the European Parliament on this for 15 years. The second is my coauthor on our book where we talk about default encryption. His name is Ian Brown and he is a professor at Oxford. And if you have read anything by Ian and Caspar, you will be much more educated than with what advice I have given today.