A few comments, in context, on:
Sir Iain Lobban's valedictory speech - as delivered
Full transcript of the speech given by Sir Iain Lobban, Director GCHQ, at the Cabinet War Rooms on 21 Oct 2014.
Weirdly, the GCHQ website no longer seems to support the use of https:// SSL / TLS encryption at all, unlike Security Service MI5 and Secret Intelligence Service SIS / MI6
In the middle of the summer, when I resolved to give this talk, the following events were taking place around the world:
- A commercial airliner flying at over thirty thousand feet over eastern Ukraine was shot down with a sophisticated surface-to-air missile system, with the loss of 298 lives, 80 of them children
- Fierce fighting on the ground continued after Russia's annexation of Crimea
- ISIL advances in Syria and Iraq continued, treating local populations with devastating savagery, and the video of the beheading of the first western hostage spread across the internet
- the American, Canadian and British embassies suspended operations in Tripoli due to armed clashes between Libyan militias in the country
- the National Crime Agency carried out further arrests of predators involved in child exploitation
- thirty-five adults and children, one of whom died, were discovered in a lorry, illegally trafficked from Afghanistan
- £100 million pounds-worth of cocaine was seized off the coast of Ireland
- Nearly 200 cyber incidents against the UK's networks of national significance were detected and responded to.
As my teams pivoted to tackle such intelligence and security requirements, and I marvelled yet again at their dedication and tenacity, I decided I wanted to use the occasion of my departure from this post to reflect publically on the profession to which I've devoted the past 31 years: to explain why people like me are motivated to do what we do. After all, it's sometimes called the second oldest profession in the world, and like the oldest, you tend not to talk about it as a career choice. But that's exactly what I want to do now. That career choice is one of the best decisions I've ever made, and I want to tell you why.
I also want to think aloud about the place of intelligence in national life, which makes this exactly the right place for this final public speech. Has there ever been a politician who was so comprehensively focused on intelligence, and on the policy and processes underpinning the production of intelligence, as Winston Churchill?
I joined GCHQ in what felt like the dark days of the Cold War. The majority of my early postings in the department were focused on the Warsaw Pact: a massive challenge. And as I leave, once more we look towards and beyond the Urals. Perhaps I needn't have bothered... Certainly the bookends of my career illustrate how the world continues to be a dangerous and unpredictable place.
But there's a longer timespan in which we should situate the work that GCHQ does today.
UK Signals Intelligence celebrates its centenary this year. There was no Sigint organisation in this country on 4 August 1914, but in November 1914 the First Sea Lord, Winston Churchill, issued a Charter. That Charter prescribed the operating model for Room 40, the section in the Admiralty which had started producing intelligence from intercepted and decrypted messages, would operate. Churchill oversaw the birth of British Sigint, and was instrumental in the creation in 1919 of GCHQ, under its former name of GC&CS.
In another dark time, a sparkling generation radiated their genius from dingy huts at Bletchley to defend a beleaguered nation against the Nazi onslaught:
- They sent the intelligence to leaders right here in these War Rooms
- Just as today, GCHQ continues to supply our National Security Council with the intelligence necessary to make the right strategic decisions.
It was here that Churchill applied the lessons he had learned during the First World War about keeping the use and the protection of Sigint in balance: intelligence is of no use if you can't use it, but it will quickly disappear if those using it do not protect its source.
In his Charter for Room 40, Churchill proposed that his Sigint staff should study intercepts, past and present, and compare them with what actually happened in order to penetrate the German mind. This process of traffic analysis was further developed at Bletchley Park, where analysts built a picture of hostile activity by analysing communications for patterns, connections and abnormalities.
- Today, we continue to look for the patterns, connections and abnormalities that indicate of illuminate hostile capability and intent.
Bletchley Park saved the lives of numerous seamen and the shipping, materiel, and other supplies criss-crossing the Atlantic and the Arctic, all the while stalked by enemy submarines, providing intercepts on which evasive action could be taken. They kept those vital supply routes open.
- Today, we continue to use intelligence to safeguard the electronic networks on which our trade, our finance, our way of life, now depend.
By June 1944, Sigint could tell General Eisenhower about the German Order of Battle in Normandy, about German perceptions on where the Second Front would be opened, on German intentions to respond to it, and on the success of his deception plan.
- I am not going to tell you the details of the way we support the UK military today, but let me assure you that our aim is to ensure that every British or allied Commander has the same complete Information Superiority that Eisenhower had. The stakes of our mission today engage life and death as compellingly now as they did then. We are fiercely proud of the work we do to support troops in the front line, foiling attacks on British and allied forces deployed anywhere in the world.
But today's ask is in some ways broader than that of Bletchley Park:
- With our partners at Mi5 and SIS we apply all our skills to keep our streets safe from terrorists
- We work to stop the spread of destructive weapons across the world
- We strain sinews to locate hostages imprisoned in dark and dangerous places, tragically not always with success
- With the National Crime Agency we battle serious and organised crime
- We counter internet fraudsters and their malware to save the taxpayer hundreds of millions of pounds.
We counter internet fraudsters and their malware to save the taxpayer hundreds of millions of pounds
GCHQ appear to be spectacularly unsuccessful in this regard, given the estimates of billions of pounds of attempted internet fraud each year.
Perhaps this is because the same "phishing" and malware techniques used by fraudsters seem to be used by GCHQ themselves, according to the Snowden revelations.
How many malware authors and distributors have been prosecuted and convicted in the UK ? Almost none. How many were caught by GCHQ ? Zero.
How many foreign cyber attackers have been extradited to the UK ? Zero
And we also battle to save something upon which nobody can place a value: we strive to protect our children from terrible abuse.
Wars, terrorism, fraud, child sexual exploitation - nothing new in that, you might think. Until you recall that we're witnessing the biggest migration in human history. In the six years since I took up this post, almost one and half billion people have joined the enormous exodus to the internet. That's a doubling of the people accessing information and communicating online. There are over six and a half billion mobile subscribers in the world, nearly two billion active social network users.
We all know that the beautiful dream of the internet as a totally ungoverned space was just that - a beautiful dream. Like all utopian visions, it was flawed because it failed to account for the persistence of the worst aspects of human nature. Alongside the amazing benefits - the comprehensive information, education, health, the communities of interest, the commercial opportunities and efficiencies - there are the plotters, the proliferators and the paedophiles. From what we know of ungoverned spaces in the real world, do we really believe that the world would be a better place if the internet becomes an ungoverned space where anybody can act freely with impunity?
the other impractical utopian vision is the myth that the state can or should provide absolute security.
Those who would do us harm don't want to be found. They choose certain routers or applications to hide in the darkest places of the internet. We have to enter that labyrinth to find them. We work to crack their defences. We have to understand what adversaries seek to do to us, and dedicate ourselves to preventing them from realising their plans. And the vast majority of those criminal threats to the UK are posed by groups or individuals based overseas. So we need strong intelligence and cyber capabilities to identify them and, where international law enforcement doesn't work, to disrupt them directly. This combination is increasingly essential.
where international law enforcement doesn't work, to disrupt them directly
"Disruption" is particularly evil concept, as it does not seem to require any actual evidence or proportionality or regard for collateral damage to the innocent or an appreciation of the economic damage to the UK.
But how to find them in the first place? We used to map the frequencies of the Warsaw Pact's naval, ground, and air forces, just as our predecessors at Bletchley Park tracked the frequencies used by U boats and panzer divisions. But now most of the time there's no tell-tale frequency to intercept, and our adversaries use a diverse range of complex comms methods. Unfortunately, there's no 'badguy.com' for us to log onto and to find terrorists or serious criminals: instead we have to search for them in the vast morass of the internet.
N.B. of course there is already a is a badguy.com domain name and website registered, but hopefully GCHQ are not targeting it "just in case".
Again, I reach back to the First World War. The reason that there was no Sigint on 4 August 1914 was that the members of the Royal Navy's signal staff who had, from time to time, looked at foreign use of radio, had looked at random messages and had found little or nothing of interest. When they saw a message saying "Proceed to Grid 1596 by 0830 hours" it was dismissed as of no interest. It was only the collection and examination of many such messages that led to an understanding that such items were like tiny fragments of a mosaic: Sigint's job is to reveal the big picture. In the first few weeks of the war, those in Room 40 began to look at what today we would call the network,
focussing on the bigger patter of message traffic which produced intelligence about German intentions.
Today, of all the communications out there globally - the emails, the texts, the images - only a small percentage are within reach of our sensors.
- Of that, we only intercept a small percentage
- Of that, we store a miniscule percentage for a limited period of time
- Of that, only a small percentage is ever viewed or listened to, as permitted by our legal framework, and self-evidently, constrained by resource.
TEMPORA snooping on fibre optic communications cables - "full take" cached for 3 days, "metadata" stored for 30 days, as revealed by Edward Snowden, appears to contradict these claims.
We access the internet at scale so as to dissect it with surgical precision. Practically, it is now impossible to operate successfully in any other way. You can't pick and choose the components of a global interception system that you like (catching terrorists and paedophiles), and those you don't (incidental collection of data at scale): it's one integrated system.
That process has other benefits beyond obtaining the intelligence needed by our nation and its allies. By understanding the technicalities of obtaining intelligence, we can help government, businesses and citizens to protect their systems and their data. And by understanding trends in both the technology itself and how it's used, we can help to build the kind of skilled workforce that our country will need in order to flourish in the future.
It is the duty of the state to protect its citizens and to develop a system of capabilities to ensure that its protection is as complete as it can be: the question becomes how we use that system in a way that is consistent with the law, and with values you and I are determined to uphold.
It's a process of intelligence-gathering laid down by law, pored over by parliament, inspected by independent commissioners and under the supervision of a Tribunal. And we wouldn't have it any other way. We've even implemented certain internal safeguards beyond what is required. We've done so because we want to belong to a society that can have confidence in its intelligence services. And so, even when we hear fellow citizens saying things like: "I don't mind being watched because I've nothing to hide" or "I don't mind because it's the price of security," that's depressing for us. The people who work at GCHQ would sooner walk out the door than be involved in anything remotely resembling 'mass surveillance'.
"mass surveillance" does not mean total blanket surveillance i.e. billions or trillions of events a day. It is still "mass surveillance" if only hundreds or thousands of people are caught up in it directly or indirectly.
I want to make it absolutely clear that the core of my organisation's mission is the protection of liberty, not the erosion of it. And that presenting our activities as some sort of binary option - security or privacy - is to represent a false choice: we are committed to doing our utmost to deliver security at the same time as protecting privacy to the greatest extent possible.
GCHQ's compliance regime, like those of our sister Agencies, is supported by a strong culture and ethos of personal accountability. My staff undertake mandatory policy and legalities training before they can access operational data. And we underpin all this internally with a series of processes to uphold not just the letter, but the spirit, of the relevant laws and policies. We respect privacy and take utterly seriously our obligations under Article 8 of the European Convention on Human Rights. We actively seek to minimise intrusion into everyday lives, working in accordance with the principles of necessity and proportionality. By definition, the acquisition, aggregation, usage, sharing and retention of information involve varying degrees of interference with, or intrusion into, the privacy rights of individuals. So those activities can only be undertaken if judged to be necessary in the interests of our statutory purposes - national security, economic wellbeing, or the prevention and detection of serious crime - and proportionate in what we seek to achieve.
This is perhaps the most interesting part of the speech, which seems to contradict the repeated questioning of the witnesses giving oral evidence in public to the Intelligence and Security committee last week about "balance" and "is privacy engaged at the point of collection ?" :
- And so, even when we hear fellow citizens saying things like: "I don't mind being watched because I've nothing to hide" or "I don't mind because it's the price of security," that's depressing for us.
- And that presenting our activities as some sort of binary option - security or privacy - is to represent a false choice: we are committed to doing our utmost to deliver security at the same time as protecting privacy to the greatest extent possible.
- By definition, the acquisition, aggregation, usage, sharing and retention of information involve varying degrees of interference with, or intrusion into, the privacy rights of individuals
Why did the ISC waste so much time on these topics, when even Sir Iain agrees with the human rights activists and lawyers and academics on these points ?
Those principles of necessity and proportionality are fundamental to the functions and ethos of the Agencies, and are critical components of the legal framework within which the Agencies strictly operate. They are applied within every investigation, and are subject to multiple layers of scrutiny and controls.
From the Snowden revelations, it seems that none of this applies
to NSA or other 5 Eyes partners (Australia, Canada and New Zealand) when they target UK citizens in the UK or overseas, or their internet or telecommunications traffic routed in transit overseas. They then share the raw data or the processed analyses with GCHQ and other UK intelligence agencies, in secret, with little or no effective UK oversight.
On top of that, GCHQ has an Ethical Framework, setting out our approach to ethical decision-making, applying objectivity and professionalism to those principles.
So why doesn't GCHQ publish this "Ethical Framework" so that the public can be reassured ? Surely this does not contain any "sources and methods" details ?
It's not for me to act as a cheerleader for the system of oversight and scrutiny that apply to GCHQ and my sister intelligence and security Agencies. But I will say that it is the most coherent and well-developed system of which I am aware in relation to such agencies around the world, with its triple lock of:
- Authorisations by a Secretary of State
- Informed, rigorous scrutiny by the Intelligence Services Commissioner and by the Interception of Communications Commissioner - and I commend Sir Anthony May's 87-page open report from April this year to the interested reader
- Review by the parliamentary Intelligence and Security Committee, as strengthened by the recent Justice and Security Act.
2013 Annual Report of the Interception of Communications Commissioner (.pdf)
And that triple lock is supplemented by the Investigatory Powers Tribunal which can hear, and indeed is hearing, legal challenges against our activities, with access to secret material.
This "triple lock" is worse than useless for investigating real or imagined abuses of the system against individuals or groups - it is all too secret and relies on public trust in government bureaucracies which simply does not exist.
And some things do need to remain secret. Let me reflect on the relationship between the intelligence profession and the journalism profession. That relationship may be complex, but let me be clear: we may get frustrated when our efforts are undone, our enemies advantaged, and our integrity questioned, but we're not frustrated by the free press itself. We do what we do precisely to safeguard the kind of society that has a free press.
Why can't GCHQ and the other intelligence agencies have official spokesmen, just like in the USA, to correct the misreporting in the press ?
"Neither confirm nor deny" is a counter-productive policy which literally insults the intelligence of the public, fuels conspiracy theories and destroys public trust, not just of GCHQ but of the UK government in general.
I wonder if it's worth musing upon the shared motivations between our professions. I don't just mean the mutual concern with sources and methods. I mean something more fundamental: at the height of their professions, intelligence officers and journalists both care deeply about knowledge; we are scrupulous about the integrity of the analysis that our reporting depends upon; we both seek the truth; and to get it, we both have to shine a light into dark and often dangerous places, places where we aren't exactly welcome. The difference is what happens to the truth we find. For journalists, the public interest is served by publicity itself; for us, the public interest is served by some things remaining secret.
Over my three decade career I've spent about half of it in roles where it's been necessary to consider whether, and if so how, to use Sigint, to employ it outside the ring of secrecy, to 'disclose' it. The trick is to release the facts so action can be taken if necessary, but to avoid risk to the sources and methods involved. These are, for the most part, very finely balanced judgements made by deep professionals with an instinctive feel for what needs to be released so it can be used, at the same time as applying structured tests so as not to throw away the fragile 'edge' of knowledge secured by intelligence penetration. Back to Churchill again! It's crucial that the targets whose communications we seek to exploit for the purposes of our national security do not know what we can and can't do.
Presumably Sir Iain is talking about the Police and (secret) Courts and the censored RIPA Commisioners' and Intelligence and Security Committee reports when he talks about disclosing Sigint "outside the ring of secrecy" because GCHQ has never bothered to give any useful information to the public, even at a general policy level, without exposing any tactical details.
Secret does not have to equal sinister. The idea that it does is perhaps inspired by the portrayal of uncontrolled intelligence operations in popular films and TV programmes. The reality is more mundane, but contrary to what you might expect, it's also more inspiring. GCHQ staff are drawn from the British population. Yes, we have people with diverse skills and talents, and geniuses from our past, like Alan Turing, remind us that neuro-diverse conditions can frequently unlock exceptional contributions. But basically they are normal, decent human beings - people who spend their lives outside work shopping at Sainsbury's or the Co-op, watching EastEnders and Spooks, listening to Radio 4 and TalkSport, drinking in pubs, wine bars and Cotswold tea rooms, and worrying about their kids, the weather, the football, cricket, and rugby, and what to have for tea. They give their time to charitable causes and help children in local schools.
N.B. No mention of Geoffrey Prime the KGB Communist spy, who was not detected by GCHQ counter-intelligence, but by the local Police ,who arrested him for paedophile sex attacks on local children in the Cheltenham area.
"Prime constructed a system of 2,287 index cards bearing details of individual girls; each card contained information on their parents routines and detailed when they were alone at home"
Imagine what such a cunning spy and paedophile could do with GCHQ insider access to the internet, regardless of any laws or internal policies.
It is the potential unauthorised abuse of powerful state surveillance systems by corrupt or fanatical privileged insiders which is the worry and which is not alleviated by "neither confirm, nor deny" or "it's all legal with oversight" platitudes.
Outside work, we are the people that the inhabitants of Cheltenham, Gloucester and the surrounding area regard as friends, neighbours and customers. We don't suddenly lose our souls the moment we swipe into the Doughnut. My staff are ordinary people doing an extraordinary job.
...Ordinary people, but their extraordinary job can demand extraordinary sacrifices.
Sometimes those sacrifices are economic. My staff choose public service even where they possess astonishing skills prized by the market.
Sometimes those sacrifices are social. Intelligence professionals can't share the details of their work with family and friends. Imagine having no chance to share the good days and download the difficult days. And the same goes for the gratitude of the wider population: it's a rewarding form of public service, but more often than not, the thanks are received behind closed doors.
Their enemies don't stop, so neither can they - the analyst who misses their Christmas dinner to rush in for an urgent task; the teams mounting a 24/7 operation to find a fellow citizen taken hostage overseas. They miss sleep and family commitments over days, weeks and sometimes months, working against the clock, trying to save someone they've never met. They scour far-flung networks for clues and identifiers, feeling the thrill of a breakthrough and, sometimes, despair if they are unsuccessful and people are harmed. One of my saddest duties is to talk to teams devastated by such an outcome.
And the psychological sacrifices can be severe. Like the police or the military, British "spies" have to deal with the worst of human behaviour. Have no doubt that dealing with that is emotionally arduous. They have to look at some highly disturbing images of grotesque things being done to children, at graphic videos of beheadings. They examine such things carefully for clues to the perpetrators. You can imagine the potential effect of looking at such images day-in and day-out, and so we have mechanisms to support people in these roles. I can assure you viewing of such material at GCHQ is not taken lightly. We do it because our job is to protect your loved ones.
So I believe - passionately - that intelligence and security work in the United Kingdom is a noble profession. It helps good decision-taking. It can prevent wars and disrupt the proliferation of weapons of mass destruction. It does prevent terrorist attacks. It pursues criminals who threaten the most vulnerable. A monument in the National Memorial Arboretum honours those who have dedicated their careers to the pursuit of Signals Intelligence.
And, as I complete my own journey from Iron Curtain to Final Curtain, and give way to a distinguished successor waiting in the wings, I cherish my choice of career. My colleagues and I joined the intelligence services to protect others from those who would do them harm. That has always been the passion of our profession. It was our passion when we resisted the Wehrmacht, the Kriegsmarine and the Luftwaffe; it was our passion during the Cold War when we wrestled the Soviet machine; and it's our passion today.
Back to Winston Churchill: he was responsible for two momentous decisions which transformed GCHQ, and which mark it to this day.
- He personally approved the proposal to share every single one of Bletchley Park's secrets with the United States, a decision which led to what is the most enduring intelligence partnership in history.
- And he personally answered the urgent appeal made to him by Turing, Alexander, Welchman and Milner-Barry for more resources: "Action this day: Make sure they have all they want on extreme priority and report to me that this has been done". This decision transformed GCHQ: it became the organisation it is today, enabled by technology to produce intelligence at scale and at pace.
And even earlier than that, when he became Chancellor of the Exchequer in 1924, he demanded access to Sigint reporting, writing to the Prime Minister, Stanley Baldwin: "In the years I have been in office since Room 40 began in the autumn of 1914, I have read every one of these flimsies and I attach more importance to them as a means of forming a true judgement of public policy in these spheres than to any other source of knowledge at the disposal of the State". He shared our passion, and our predecessors recognised it and responded to it.
When I joined GCHQ, there were still veterans of Bletchley Park working in Cheltenham. They had worked alongside those who had started Sigint in 1914, learning not just how to do their jobs, but learning too why they did their work the way they did, and how GCHQ had grown and adapted as new sources became available, or productive sources were turned off. I learned from them, and eventually, as the Director of GCHQ, have had the responsibility of ensuring that the thread of continuity that links us to our past continues to extend into the future.
I won't pretend that I've enjoyed every minute of the media attention, but the only thing worse than being in the eye of the storm would have been to be anywhere else. Had that been so, I'd be unable to bear witness now to my fellow professionals, ordinary men and women whose integrity has been insulted time and again, and whose response to such provocation has not been a noisy retort but a quiet resolve - a resolve to continue doing extraordinary things for others. I will miss them, the friends who made the same career choice: their skill, their sacrifice, their silence.
I said this to the parliamentary committee in a closed evidence session, and I'll say it again now:
- My staff are the embodiment of British values, not a threat to them.
Most current GCHQ staff are probably not a threat to British values, but the automated infrastructure of snooping is a huge threat to us all, including such privileged insiders themselves.
- What if an extremist government takes power ?
- What if a weak government fails to prevent the ponderous bureaucracy from sleep walking us into a repressive surveillance state on autopilot, as officials and politicians try to deflect blame and protect their budgets and empires, by seeking to "leave no stone unturned" in their surveillance activities ?
What will Sir Iain Lobban do next ? Will he enjoy a quiet retirement or will he magically appear as a Director or Consultant in the "revolving door" world of Defence / Intelligence / Lobbyist companies ?
How different, if at all, will his successor Robert Hannigan as Director of GCHQ ?