GCHQ 'genuinely surprised' at scale and scope of cyberattacks against UK

The man in charge of cybersecurity at Government Communications Headquarters (GCHQ) says that it does not have the resources to "put a large cybersecurity umbrella" over the UK.

Ciaran Martin, who is one of four director generals at GCHQ and the only one in the public domain, addressed the opening day of the InfoSec conference in London and said that despite claims the organisation is carrying out widespread surveillance it would be impossible for his or any other organisation to stop all cyberattacks.

Martin said that the spying wing of the UK government was surprised by the level of attacks taking place against businesses in this country.

"For obvious reasons we can't and won't publish the list of organisations we have cause to look into and work with over the years [but] we have been genuinely surprised by the extent and variety of UK organisations subject to intrusions," said Martin.

From Enigma to Snowden

GCHQ is 96-years-old and Martin described the organisation's changing role from helping develop cryptography at Bletchley Park at the same time as the enigma code was being broken, to helping shape government reform that followed the loss of child benefit discs from HMRC in 2007 with 25 million personal records on them.

Martin said the role today has evolved into a more general one and the group has received a significant amount of additional funding to facilitate this.

Martin touched on the huge controversy caused over the last 24 months following the explosive revelations from documents leaked by former NSA contractor Edward Snowden, which showed the far reaching capabilities of GCHQ to monitor online communications.

Martin said the growing intelligence role which GCHQ has been involved in has been the source of well-known controversy about privacy, but said that he "can't and won't talk about that in any detail".

Following the election of the Conservative government last month, home secretary Theresa May immediately outlined her plan to bring in the Data Communications Bill (also known as the Snooper's Charter) as a matter of priority and in the Queen's Speech last week "set out the processes for considering legislation on the proper powers for national security and law enforcement in this area".

Martin attempted to reassure those listening by saying that "everyone at GCHQ, everyone working there is acutely conscious that we are entrusted with very significant powers and we use those powers extremely carefully," Martin said.

The GCHQ website has been subject to unsuccessful and partially successful DDoS attacks in recent years, and Martin admitted it was "uncomfortable" when these attacks happen, but added that the public-facing website "is not an existential information security risk" for GCHQ.

Protect what is most important

Speaking about the continuing threat from cyberattacks against some of the UK's critical national infrastructure, Martin said that GCHQ's job was to "render those attacks as irrelevant as possible. And this in essence is now our core approach".

While Martin said it was worth "making it that bit harder" for hackers at the end of the day, "a capable and determined hacker will always have a decent chance of getting in". The most important thing for any organisation's approach to cybersecurity is to work out what is most important and "trying to protect it to the very highest degree that you can".

Martin added: "I have lost count of the number of times we have gone in an organisation at their request and we've told them: 'Work out what you care about most' and this has a huge and helpful impact."

As an example, Martin referenced the GCHQ website which has been subject to unsuccessful and partially successful DDoS attacks in recent years, and Martin admitted it was "uncomfortable" when these attacks happen, but added that the public-facing website "is not an existential information security risk" for GCHQ.