In this part, high-level executives of GCHQ, MI6, BAE Systems and the RSA reveal some information about attempted data breaches and cyber attacks targeting their organizations as well as powerful businesses.On the outskirts of Cheltenham in South West England sits GCHQ. For decades it’s been Britain’s global eavesdropper, listening in to communications. In the modern world that means spying on others and defending the UK in cyberspace.
– Hello, I’m from the BBC. Here’s my passport and the driving license.
We pass high fences topped with razor wire under the gaze of surveillance cameras, and through the gates into GCHQ’s heavily secured headquarters. Obviously it was just days before revelations from an American whistleblower raising questions about its activities.
I’m now heading into the CDO, the Cyber Defense Operations area of GCHQ. A sign on the door reads: “Defending the UK one bit at a time”, I think that’s a reference to computer bits. There’s also a sign on the door saying: “Caution. BBC recording here. Keep all conversations to unclassified.” This is the place where information comes in from classified sources, and also from unclassified sources, and where GCHQ tries to take a rounded picture of what threats the UK is facing in cyber space, and to try and work out what to do about them.
Diligent workers, some remarkably young, sit in front of computer screens. Numbers in green scroll across the face of one monitor. Larger, wall-mounted screens have been blanked out for our visit. So, from this unique vantage point, what does GCHQ see happening to Britain?
– The area that’s of particular current interest is the nation state activity against businesses. This is, if you like, a game changer. This is industrial espionage on an industrial scale.
Sir Iain Lobban is GCHQ’s director. In many cases companies don’t even know they’ve been breached until GCHQ tells them.
– We have seen a couple of companies which have been penetrated over a period of 12-18-24 months.
– So the bad guys have been inside their networks for up to two years, moving around, potentially stealing information?
– That’s right.
– What kind of secrets are being stolen?
– Across the range, I think we started a couple of years ago thinking that this was going to be about the defense sector, but really, it’s any intellectual property that can be harvested, if you like, and put out there.
– And this is being done by other states?
– This is being sponsored by some other states.
– The finger is often pointed at China for this.
– So I’ve heard.
– The Americans say it’s China, they’re quite public about this. Do you know who it is?
– I see where this discussion is taking place. Yes, we know who it is.
– And you’re sure you know who it is?
– Yes, we’re sure we know who it is. I want to say something about attribution. Attribution can be very hard, and it’s very difficult to do attribution in real time but over a period you can build up a pretty strong idea of where the attribution is.
– So you are confident that you know who it is, but you don’t feel you can say who it is at this point?
– I can’t say who it is to you.
– But you do know and you are confident about that?
– Yes, I do.
So, Britain’s intelligence services aren’t saying. But there are clues. Some of the top targets are defense companies, several of which have been involved in building America’s state of the art stealth fighter, the F-35. Washington is spending a staggering one and a half trillion dollars on the project. But what if another country got hold of the designs?
Nigel Inkster, a former deputy head of Britain’s intelligence agency MI6, now works at the International Institute for Strategic Studies in London.
– A lot of material, a lot of intellectual property has been extracted from the databases of the US and other western countries. What we don’t know, of course, is how effectively this has been utilized. There are some areas where there are grounds for thinking that it has been, a case in point being China’s very rapid development of stealth technology in aircraft, which may well be the product of cyber espionage. They have been producing prototypes of aircraft that look suspiciously like the F-35.
Efforts to steal the designs of the F-35 date back to at least 2007. The attacks have been increasingly ingenious, looking for the weakest link in the supply chain. Recently the defense contractors are thought to have been targeted through RSA, the makers of a device that allows their employees to log on to their company networks remotely from home or a hotel. Art Coviello, the RSA’s chief executive:
– In our case they were looking to exploit information from us to attack others. The way they got to us was they attacked a company in our supply chain, and they took over their email server and sent our employees legitimate-looking emails from legitimate people within that supplier organization. So, naturally, our employees opened it, and inside was a malware payload that was then able to fan out across our infrastructure.
– What was that like, as the head of the company, to be attacked like that and have to disclose? I mean for you personally.
– Well, since I was around from almost the start of the company, it’s almost like having a baby just pulled from your arms, and it was very personal.
– What was the damage for you as a company?
– Well, our corporate parent took a charge of 66 million dollars in the second quarter of the calendar year of the breach. I think we recovered some of that eventually. But make no mistake about it: it slowed us down for a good 6-9 months.
Art Coviello is unusual in admitting to being a victim of a cyber attack. I’ve approached dozens of companies, including some who I’ve been told have been breached, but none wants to talk. They only offered bland statements about taking cybersecurity seriously. Owning up can be hugely damaging to your reputation and your share price. Defense companies like Lockheed Martin, the US arm of kinetic, and Britain’s BAE have all been reported to have been attacked. They won’t talk about those claims. But BAE itself does help protect companies through its subsidiary called Detica; Martin Sutherland is Managing Director.
– I work within BAE Systems. BAE Systems is a defense firm that earns over approximately 20 billion pounds a year. The thing that underpins the economic value of BAE Systems as a firm is that it has leading edge, often national security level intellectual property. The design of the Typhoon aircraft, the design of some of the marine capabilities that we have, and so on, are highly protected and highly valuable.
– And people want those?
– And people want those. So, BAE Systems is under constant attack. In terms of events on our network it runs into billions. But last year, 2012, there were 92,000 attempts at attacks, of those 339 were what we saw as very sophisticated attacks.
Read previous: Under Attack: BBC’s Study of Contemporary Cyber Threats
Read next: Under Attack 3: Who Spies on Whom?