In my last post I talked about the need for organisations to have people with the right skills and the role that the CESG Certified Professional scheme plays. This time I thought I’d step back a bit and talk about GCHQ’s wider security mission and its role as the National Technical Authority (NTA) for Information Assurance. As someone who has been in this space for longer than I care to mention, I sometimes forget that not everyone is in the same place, and it’s sometimes good to paint the bigger picture.
I think everyone by now must know about GCHQ’s intelligence mission from books, television, films and newspapers. What many don’t realise is that GCHQ also has an information security mission that some will know as CESG. Whilst the two missions were enshrined in law through the Intelligence Services Act in 1994, their history goes back over ninety years to the end of the First World War, when the inextricable link between code makers and code breakers was first forged.
National Technical Authority for Information Assurance
When I joined CESG in the late 80s its role hadn’t changed since the Second World War. That role was to provide the equipment to protect the most sensitive government secrets. Today CESG provides a wide variety of the ‘tools’ (largely through industry) you need to reduce risk and harm to your information and information-based systems. At the heart of CESG is its role as the National Technical Authority for Information Assurance, providing definitive, authoritative and expert-based advice and guidance in all aspects of Information Assurance. CESG’s role as the NTA provides for information security practitioners what the National Institute for Health and Care Excellence (NICE) provides for medical practitioners. NICE provides guidance on the most effective ways to prevent, diagnose and treat disease and ill health; CESG provides guidance on the most effective ways to reduce the risk to information and reduce the harm when those risks become reality.
CESG says “NO” – no, it doesn’t
CESG provides a variety of ‘tools’ that you can use to reduce risk and harm, but at the end of the day it’s the risk owner who is best placed to judge how to apply these tools. The ‘Authority’ in NTA refers to us being authoritative in the subject rather than being a policy or policing organisation. Often I hear people say “CESG has said we can’t do x or y”, which always puzzles me, as what we provide is guidance and it is for you to apply it pragmatically to meet your risk appetite.
Information Security to Cyber Security
Information Security is the discipline/process of managing your information risk and reducing the harm when those risks are realised. The term Information Security continues to be used in the private sector, whilst in the public sector, in the late 90s, we started to use the term Information Assurance (IA). Whilst I was around in those days I wasn’t privy to the rationale, but I believe it was introduced to emphasise the need for confidence that risks were actually being managed. It wasn’t just a case of having good security measures but also having the evidence that they were actually effective – that was the ‘assurance’ bit. I tend to use the term that best chimes with my audience as, in reality, I see the two as being synonymous.
Cyber Security is all about managing information risk in cyberspace. HMG has effectively been part of cyberspace since the Government Secure Intranet was built in the mid-90s, connecting Government departments to the emerging Internet in a consistent way for the first time. Not long after that we started to see the first attacks against the connected systems, and so began HMG’s first forays into Cyber Security. In the years that followed we have seen an ever-increasing number of attacks, not only against HMG systems but against private sector systems as well. The publication of the ‘10 Steps to Cyber Security’ was HMG’s concerted attempt to raise awareness of the cyber threats to the private sector. Applying the Information Security/Assurance discipline to organisations’ information systems is the way to manage information risk in cyberspace. GCHQ, through CESG, provides the tools that enable you to do that effectively.
The Tool Set
CESG provides intelligence on the capabilities of potential attackers; guidance on how to mitigate the risks these attackers pose; consultancy on the application of that guidance; standards that define ‘what good looks like’ for the people, products and services that you rely on to secure your information and systems; and, last but not least, a mark of quality (certification) that helps you recognise the things that meet those CESG standards (for people, this is where the CESG Certified Professional scheme sits). These tools will help you to manage the risks you face today and into the future.
I’ve strayed from the skills agenda a little but, hopefully, I’ve provided you with some context around GCHQ’s role and demystified some of the jargon for those of you who may be new to the world of Information Assurance and Cyber Security.
Deputy Director, National Technical Authority for Information Assurance