Martin, the opening keynote at the conference, spoke at speed of change in the threat landscape and business cyber-security strategies, while promoting GCHQ as the “cyber defender of the last resort”, tasked with protecting the UK's critical national infrastructure.
He opened the conference by saying that, like the character ‘Sully' in the animation film ‘Monsters Inc', the role of the “furiously scary” individual “had fallen reluctantly” upon the GCHQ, in terms of evaluating and warning of cyber-threats.
He also said that while he and his agency are regularly accused of spreading hyperbole over the cyber-threats, the risk is very real and facing UK businesses on a daily basis.
“People said that we were talking up the threat to keep relevant, like the Millennium bug, but let me say that everything I say today is based upon fact,” said Martin.
“In the last government we were talking about what could happen with cyber-security, but we're talking about what is happening on a daily basis,” he added, continuing that the transformative technology had given rise to a ‘social and economic boon' but also great opportunity to cyber-criminals.
“Absolutely everything we do at GCHQ is in the pursuit of better cyber-security, and it's about being realistic on the challenges facing businesses.” He added poignantly, given Edward Snowden's leaks and the recent furore over David Cameron's comments over encryption: “It's absolutely not our aim to slow down or shut down the march of technology.”
On cyber-crime tactics, he said that everyone from hactivists to hackers and nation-states were interested in using the web on everything from stealing money and power to releasing propaganda, although he admitted that use of cyber for the latter had caught the agency by surprise. “We didn't, if I am honest, really think about propaganda as a motive [for cyber-attacks].”
“Money, power and propaganda aren't exactly new concepts, but are more proof that while technology might be transforming lives, it's not completely changing human nature,” added the GCHQ chief, who said that the breadth of attacks, from rudimentary DoS attacks to customised malware and ‘highly-sophisticated ‘ransomware was making life difficult for law enforcement.
On nation-state involvement, Martin swerved the topic of GCHQ's surveillance activities but did say that while his agency was subject “to clear justifications” under the law, “the same can't be said of all countries worldwide.”
The GCHQ director general was more forthcoming on security awareness, citing the government's £860 National Cyber Security Strategy, the 10 Steps to Cyber Security Guide and Cyber Essentials. He also praised the work done by the year-old CERT-UK and stressed that some of these steps, whilst they may seem basic, were absolutely essential.
GCHQ's own Red Teaming work, said Martin, revealed that companies were often getting these wrong and he admitted too GCHQ had learnt its own lesson following a spate of DDoS attacks. He added that GCHQ couldn't possible protect the whole of the UK, although he did say they would prioritise protecting national infrastructure, especially as the government moves to digital services.
Martin only faced one question in his presentation, the burning one on GCHQ surveillance and its impact on a second tech company leaving the country, and while he tiptoed around the subject, he appeared to suggest that agency staff are well aware of the privacy implications of their work.
“Everyone in GCHQ is acutely conscious that we are charged with significant powers under the law, and we take those powers very seriously,” said Martin in the presentation.
Pressed on the departure of a second UK firm over fears over a ‘Snooper's Charter' law, and whether the UK government is a threat actor, he said: “What I would say on that, as I said in my earlier remarks, is that there will be extensive parliamentary debate on the topic so I am going to quote other people and what they said.” (ie that surveillance had not negatively impacted the UK tech economy).
After the event, Jacob Ginsberg, senior director of products at Echoworx, chose to focus on GCHQ's security initiatives in comments to the press.
"Users are only human, and herein lies their unpredictability. Technology by comparison seems much more controllable. People will make mistakes and the best approach is to make it really easy to get it right. A 'secure now' button combined with strict email security policies, protecting against human error, simplifies the process of email encryption and reduces vulnerability. This approach means that everyone within an organisation will be able to communicate securely.”