The Diplomat’s Ankit Panda spoke to Conrad Prince, the United Kingdom’s cyber security ambassador, on a range of issues, focusing broadly on the UK’s cyber security priorities in the Asia-Pacific and globally. The interview addresses UK concerns about the Hinkley Point C project, UK-China relations, bilateral cyber cooperation in the Asia-Pacific, and the UK’s second cyber security strategy.
The Diplomat: I want to begin our conversation with the ongoing debate in the United Kingdom over the potential energy security risk of Chinese involvement in the Hinkley Point C nuclear power station. The issue was thrust back into the headlines after the May government decided to reevaluate the project after Nick Timothy, a political adviser, alleged that former Prime Minister David Cameron had “[sold] our national security” to China. Could you discuss the validity of concerns that China could leverage the involvement of state-owned China National Nuclear Corporation to bake in vulnerabilities into the plant’s computer systems?
Conrad Prince: Following a comprehensive review of the Hinkley Point C project, the Government has decided to proceed with the first new nuclear power station for a generation. Nuclear is an important part of our plan for a 21st century energy system that will power homes and businesses with reliable, low carbon electricity. The UK is open for business and we continue to welcome foreign investment from all countries, including China. Any inward investment needs to meet appropriate legal and regulatory standards and requirements. Where any national security concerns may arise, the Government assesses the risks and mitigation to provide greater certainty for investors.
The construction of Hinkley Point C will be under the close scrutiny of the Office of Nuclear Regulation, which is independent of the industry and Ministers. It has the power necessary to halt construction or require amendments to any part of the plant if at any point it is not completely satisfied with the safety of any part of the reactor and its associated construction. At the same time, we will undertake reforms to the Government’s approach to the ownership and control of critical infrastructure to ensure that the full implications of foreign ownership are scrutinised for the purposes of national security.
In October 2015, the United Kingdom and China signed an important cybersecurity pact during Chinese President Xi Jinping’s visit to the country. Can you describe how, roughly a year on, that pact has panned out for the UK?
The Joint Statement between the UK and China affirmed that:
“The UK and China agree not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information, with the intent of providing competitive advantage.”
The statement helps underpin our objective to make the UK the most secure place in the world to do business. We abide by this statement and expect the Chinese to do likewise.
China has made similar statements with the United States while similar language was also included in the G20 leaders’ communiqué. We welcome this strengthening international consensus of a new norm of state behavior. We continue to work with China on a range of cyber security issues, including through forums like the UK-China Security Dialogue, and it is in both China and the UK’s interest to build confidence in cyberspace as a safe environment for our citizens and companies.
Beyond China, what are some of the other cybersecurity-related initiatives London is pursuing with partners in the Asia-Pacific region?
The UK values its bilateral cyber relationships in the Asia-Pacific region. With Singapore, for example, we signed an MOU in July last year signalling our commitment to work together towards a secure cyberspace that supports innovation as well as economic and social development for both countries. Under that agreement six new joint cyber security research projects have been launched, valued at £2.4 million.
Furthering this cooperation, I led a delegation of 12 UK cyber security and smart technology companies to Singapore’s inaugural International Cyber Week in October and was honored to have been invited to deliver a keynote speech by the Singaporean government on the UK’s approach to cyber security.
In addition to Singapore we also have cyber cooperation agreements with Japan, Malaysia and the Republic of Korea. We also maintain close cyber relationships with Australia and New Zealand.
Our bilateral efforts are supported by the work we do with partners to build better cyber security through capacity building. The purpose is to share knowledge, build working partnerships to strengthen cyber security and support this with practical projects. Our capacity building program allows us to support innovative solutions to global cyber security challenges that we hope others will adopt and support. Work with partners in the Asia Pacific region is an important part of this global effort where UK efforts include:
- supporting cyber security capability reviews through the Oxford Global Cyber Security Capacity Center, who are working with the Government of Victoria in Australia to establish a new regional Oceania Center in Melbourne;
- developing better metrics for cyber vulnerabilities through Cyber Green, a global initiative which we are pleased is gathering support in the region, specifically from Singapore; and
- the delivery of workshops in July 2016 enabling Parliamentarians from 14 Commonwealth countries in Asia-Pacific to understand how to implement, scrutinize and promote cyber security within their respective countries.
Private organizations and governments alike have increasingly wrangled with the advisability of “hacking back,” or pursuing an offensive approach to cybersecurity. Former Defense Secretary Philip Hammond’s 2013 remarks that the UK was “developing a full spectrum military cyber capability, including a strike capability” were the first time a country had acknowledged the pursuit of offensive cyber strike capabilities publicly. What can you say about London’s willingness to pursue retaliatory cyberattacks and the value of an offensive cyber capability more broadly?
It is important to put these comments into context. Alongside the opportunities an ever more connected world brings us are the challenges vulnerabilities in those connections bring. There are daily reports of cyber security incidents – the numbers have become numbing – and the costs, never mind the impacts, are often to the tune of billions of dollars.
If we are to tackle the asymmetry between attack and defense, then we need to establish deterrence in cyberspace.
We need to not just defend ourselves against attacks but also to dissuade those that would do us harm from targeting us in the first place.
Establishing deterrence includes making ourselves a difficult target, so that doing us damage in cyberspace is neither cheap nor easy; building global norms, so that those who do not follow them can be held to account for acting outside the boundaries of acceptable behavior; and making sure that whoever attacks us knows we are able to hit back.
We need those who would harm us to know that we will defend ourselves robustly. And that we have the means to do so. In short, we need to address the idea that there is impunity in cyberspace.
This is why we have announced that, as part of our new national cyber security strategy, which I will come onto in a moment, we are developing core national defensive cyber capabilities to tackle those who genuinely merit the description of Advanced Persistent Threats. There is naturally a limit as to what I can say here, but we have already announced that this includes the maintenance of the UK’s status as a sovereign cryptographic nation. Another is our development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats.
We will also be pursuing the principle of ‘Active Cyber Defense’, which is the principle of implementing security measures to strengthen the security of a network or system to make it more robust against attack. This involves making it significantly harder to attack UK internet services and users, and will include activity to tackle phishing, block malicious domains and IP addresses, and other steps to disrupt malware attacks. It will also include measures to secure the UK’s telecommunications and internet routing infrastructure.
Finally, what’s your sense of the viability of an international regulatory regime for cyber issues? For instance, we have the Non-Proliferation Treaty and International Atomic Energy Agency to uphold a framework for addressing nuclear issues. Given the difficulties associated with monitoring and verification in the cyber realm, and the ease with which governments can attain plausible deniability, do you see any path forward in this regard?
Although it is increasingly difficult to remember a time when the internet was not central to our lives, in many ways cyber is still a new and emerging consideration in foreign policy.
The cyber landscape is different from many other traditional foreign policy issues: geography has less relevance; infrastructure is largely owned by a private sector who also drive innovation and development; the voice of civil society ensuring freedom and openness is applied to states and corporations in equal measure. Whilst attribution is commonly cited as being difficult, it’s by no means impossible.
There is a huge difference in levels of understanding of the seriousness of the cyber threat in different countries. National solutions need to reflect local conditions. But they also need to draw on international best practice.
Securing the unambiguous agreement of all countries that existing international law applies in cyberspace was a significant step, but in truth we are very much in the early stages of exploring international cooperation in this area.
It’s important and right that we have a vibrant debate about what the future should hold. There are lots of models out there to examine – the development of nuclear arms control mechanisms is one, but there are others, such as the way we scrutinize development of chemical weapons, or how the financial world tackles anti-corruption through the Financial Action Task Force, for instance.
The development of these mechanisms in other areas took many decades to evolve, and I think we are only at the beginning of our journey. Given the many unique facets of cyberspace, I think previous experience is a useful guide, but ultimately we need to find unique solutions for our unique issue.
Tell us a bit about the UK’s second national cyber strategy and its salience in the Asia-Pacific in particular.
The UK Government will be setting out next month a new ambitious cyber security strategy to tackle the threats we face. The National Cyber Security Strategy will be supported by £1.9Bn (approx $2.4 Bn USD) in new investment.
This program includes the FCO’s Cyber Security Capacity Building Program which has a proven track record of building cyber resilience around the world. This year we are spending £3.5m to support 35 projects benefiting some 70 countries. I mentioned previously some of the work this program has funded in the Asia Pacific region. We want to do more. Our call for project proposals for the next UK financial year (i.e. April 2017 to March 2018) will go out in mid-October and anyone is welcome to contribute proposals via their local British Embassy or High Commission.
Key to this is the new National Cyber Security Center, the NCSC, which has just taken legal form this month. It will be part of GCHQ bringing together the capabilities already developed by CESG – the Information Security arm of GCHQ – the Center for the Protection of National Infrastructure, CERT-UK and the Center for Cyber Assessment, allowing us to build on the best of what we already have, whilst significantly simplifying the current arrangements. The NCSC will be led by Chief Executive Ciaran Martin and will have a team of approximately 700 people.
The NCSC is a public facing organisation and much of its work will be international. The NCSC will work with a wide range of partners internationally including in the ASEAN region to help improve the UK and its partners’ cyber security. The NCSC will be sharing threat information with international partners including the network of CERT partners across the world to improve our shared defenses.
Indeed, I and the delegation of cyber and smart technology companies visiting International Cyber Week in Singapore this month, am looking forward to meeting with colleagues from the ASEAN region and beyond, to discuss and compare the issues and challenges facing us, and how we might work more together.