A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don’t.
“Think of three layers”, was the suggestion of my older and wiser colleague: “a bottom layer of technology, a ‘good practice’ middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control… and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers”. I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.
So, then, what to say about the UK government’s announcement, last week, of its plans to establish a cyber-security operations centre?
Well, I think there are three questions to ask (even as a technologist…):
1 – is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear ‘yes’. There’s no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. And just like all those other elements, the UK’s cyberspace presence is inextricably linked into the global network. (“Sewage?”, I hear you mutter… “How is the sewage system cross-border?” Ask the Dutch… I read a report that, if the Netherlands couldn’t export the excrement by-product of its bacon industry, the whole country would be ankle deep in pig-poo before the year was out. And with all those greenhouses, they use a lot of fertiliser…).
2 – is the government justified in maintaining/using an offensive cyber-security capability? This one is tricky to answer at the policy layer.
At the technical layer, I have no reservation in saying that I want the security services to know how cyber-attacks work, and even in maintaining significant expertise: after all, they can’t mount passive defences if they don’t thoroughly understand the attacks.
At the ‘good practice’ layer, offensive cyber-security capabilities tend to be restricted to getting malicious sites/services taken off the internet – and that only after going through ‘due process’ with the telcos, service providers, hosting companies and so on. Clearly, the latest policy announcement is based on the assumption that there may be cases where the security services expect to need to go further than that.
- At the policy layer, then, I think it boils down to this: what confidence can we have that those responsible for exercising such a capability are doing so proportionately, justifiably and accountably? In other words, it raises all the governance and oversight issues which have been so much in the political searchlight in recent months. There are established structures (such as the Intelligence and Security Committee – ISC) which are intended to make it possible for those ‘on the outside’ to be confident that those ‘on the inside’ have to at least tell a cleared and trusted few what they are up to. It is quite possible that those structures, though, are effective at providing policy oversight, but not effective at building and reinforcing public trust. For instance, Tory MP Michael Mates, a long-standing ISC member, has recently said that policy-forming documents he saw in the run-up to the Iraq War would “make people’s eyes water” if and when they are made public through the proposed enquiry… and yet, the Iraq War went ahead.
3 – Can the cyber-security team meet the security policy objective, while simultaneously protecting the UK against repercussions from the policy, safeguarding citizens’ use of the internet, and providing sufficient evidence of accountability to maintain the public trust?
In policy terms, the cyber-security announcement does include a statement about the appointment of an ‘ethics advisory group’ to complement whatever other governance measures are put in place. This group is apparently to monitor the ‘proportionality‘ of actions taken under the policy. But the ethical issues don’t stop there.
Supposing the cyber-security folks pre-emptively take down a malicious server outside the UK… presumably they would want to do that in a way which leaves no evidence of the attack having originated in the UK (for fear of reprisals…); perhaps they might consider launching the attack from elsewhere, in the hope that any blame (and retaliation) would fall on someone else.
I think the ethics advisory group is going to have a busy time.