Just over a year ago, Robert Hannigan stepped down as director of the intelligence agency GCHQ. In the time since, cyber security has dominated the British news agenda in a way it never has before.
The WannaCry computer virus crippled dozens of NHS trusts within weeks of Hannigan’s departure. Two months later, NotPetya – an even more virulent strain of malware – forced manufacturers across Europe to temporarily shut down their factories. And in recent weeks, the Cambridge Analytica scandal has attracted attention from regulators and policymakers on both sides of the Atlantic.
But despite the elevated status of cyber security in Whitehall and Westminster, Hannigan says he doesn’t miss working in government. “I miss GCHQ itself; I miss the people and the technology. There’s a great buzz about the place. But I did 20 years in government and that’s probably enough and I’m very happy there are other competent people doing it – people more competent than me.”
Hannigan, who now advises the private sector, left GCHQ last spring for family reasons. He had led the agency for less than two years, but was credited with bringing it out of the shadows following the Snowden revelations. Having served in No 10, the Cabinet and Foreign Offices and Northern Ireland, Hannigan was unusually visible for a spy chief. He gave prominent speeches, launched the NCSC and drew up the government’s first cyber security strategy.
“How do you have an enforceable arms control model in cyberspace?”
When it comes to cyber security, the UK and US governments have grown more vocal over the last year. Given the difficulties in attributing cyber attacks, officials tend to shy away from blaming nation states. But in recent months, both the US and UK have officially linked North Korea to WannaCry and Russia to NotPetya. In April, GCHQ and the NSA also joined forces to release a joint technical alert for the first time, detailing Russia’s alleged attempts to hijack internet infrastructure. This was, Hannigan suggests, a veiled warning for Russia: interfere with our systems and we’ll know it was you.
Deterring governments from using cyber weapons, Hannigan says, requires a different approach to conventional weaponry. “In a world where everyone denies everything, how do you have an enforceable arms control model in cyberspace?” Cyber weapons are different to conventional weapons in another important respect too: the challenge of predicting collateral damage. This makes it harder for states such as the UK to retaliate. “When you drop a bomb on something, you know what it’s going to do,” says Hannigan. The same cannot be said of cyber attacks. Once a virus has been released on to the web, it’s impossible to know where it will end up. “I can’t believe, for example, that the Russians intended to take down half the manufacturing companies in Europe,” he adds. “The important point is that they didn’t care.”
After the former British spy Sergei Skripal and his daughter Yulia were poisoned in March, commentators speculated that the UK government would respond by launching a cyber attack on Russia. Hannigan dismisses the idea. “Trying to find cyber responses that target those individuals who are responsible for bad things is quite difficult. Economic sanctions frankly make more sense to me very often. The impact of what the US has done around economic sanctions on those around Putin is far greater than anything else that has happened, greater than the expulsions of diplomats.”
“It’s not surprising that over the years, we have found Russian intelligence services on our networks – what is worrying is the intent has changed”
During a keynote speech at IP Expo Manchester last month, Hannigan warned that the poisoning indicated Russia’s intentions had dramatically evolved. “It’s not surprising that over the years, we and other countries have found Russian intelligence services on our networks,” he said. “What is worrying is the intent has clearly changed. A country that is prepared to use chemical weapons on the streets of a UK town may want to do reckless things in cyberspace.”
There is growing support for an international treaty defining and governing cyber warfare. Microsoft’s Brad Smith called for the creation of a Digital Geneva Convention last year. At the RSA security conference in San Francisco last month, Microsoft took this idea a step further, bringing together 34 tech companies to sign a tech accord promising to protect users and customers from cyber attacks regardless of their origin. The UN’s general secretary Antonio Guterres has also called for new rules for cyberspace.
“It would be good for governments to engage with Brad Smith’s Geneva Convention idea”
Hannigan supports the principle of a treaty, but fears that as a starting point it may be too ambitious. He warns: “If you go immediately for the treaty, you’ll end up just endlessly talking.” Instead, he suggests the process should be divided into sectors where a consensus is likely to be reached: “Start with health, for example, and say ‘we’re going to come up with these ways of behaving with technical infrastructure for health’.”
The initiative could be industry-led, but would need the support of government: “I think it would be good for governments to engage with the tech accord, to engage with Brad Smith’s Geneva Convention idea and to say: ‘well, why don’t we sit down – government and industry – and see what might this look like?’ Make it West and East, make it non-threatening. […] It doesn’t need to be legally binding if there’s no way of enforcing it.”
It’s expected that hostilities in cyberspace will intensify in the coming years. But Hannigan is hopeful that cyber security could, ultimately, serve as a way to bring political leaders together: “That might be massively optimistic, but the internet is so obviously a shared resource and so obviously not owned by any particular government. This could be a place where there is common agreement in a geopolitical context that is otherwise pretty stormy.”
An extended version of this interview was published in Spotlight, the New Statesman’s policy supplement, last week.