Digital Competition: The UK’s Cyber Response to Online and Real-world Threats

Dr Robin Niblett CMG

Ladies and gentlemen, welcome to Chatham House and to this members’ event, which I’m delighted to be hosting from 10 St James’s Square. It makes a change, in my case, it’s been a while since I’ve been able to do one of these for our members from this venue. And it is a particularly important and special event, and one of the reasons we wanted to be able to host it in person here at the building. The title, as you all know, is Digital Competition: The UK’s Cyber Response to Online and Real-world Threats.

I’m delighted to have with us Jeremy Fleming, Director of GCHQ and General Sir Patrick Sanders, the Commander of UK Strategic Command. I will introduce them a little bit more in a minute. What I want to just remind you is that this event, as you all know, is on the record. It is being recorded, as well, for our own purposes. There will be the opportunity therefore to tweet away on social media from it, as you want, using whatever hashtag you want, but ours is #CHEvents. We will be running this as a kind of conversation between the three of us on the stage, and my colleague Patricia Lewis, Research Director and Director of our International Security Programme, who I’ll also introduce in a minute. And after the four of us have had our conversation through the first 25 minutes or so of this hour we have set for the meeting, I will then want to take questions and comments from you, our audience. And let me just say, please use the ‘Q&A’ function on your Zoom screen. Do not use the “Chat’ or other mechanisms. They won’t be the ones that we’ll be drawing on, and then I’ll bring in questions through that second half.

If I may welcome you again here to Chatham House, Jeremy, Sir Patrick. Great to have you with us in the building. The timing of this, we’d always wanted to talk about the changing nature of cyber threats to the UK and to our allied nations around the world, but the announcement, in November 19^th of the new National Cyber Force, which really brings the two of you together in your domains in GCHQ, in UK Strategic Command and the Secret Intelligence Services to create what you will describe in a minute. We’ll talk about some new capabilities or a new organisational focus, I suppose, on the centrality of the cyber risk to the United Kingdom, to our interests nationally and internationally. That really is the hook moment, the hook point of this conversation.

And what we’ll want to discuss today a little bit with you is what’s driven this latest adaptation and this latest announcement, I suppose, as well, though I’m sure the communications of this announcement will have been half of what’s gone into the mix. Why now? What’s the nature of the threat? And what’s changed? What kinds of capabilities are you starting to be of aggregate, to bring together? The balance of defence and what is being discussed more and more, these offensive capabilities that the UK appears publicly to have put itself forward as possessing. And, I suppose, in the end, we’ll want to get into a little bit as well, some of the legal dimensions. What’s the legal framework in which you’re operating? Which, as we know, is so critically important for the licence, the political and popular licence to be able to operate.

So, with those words of introduction, I’m going to kick off and just remind everyone, as I turn first to Jeremy and then to Sir Patrick. Jeremy Fleming, Director of GCHQ, a career, if I may put it, pretty much a career member of GCHQ, that worked quite a bit with MI5, doing all of their preparatory work for the London Olympics, who worked a lot on the counter-terrorism side of things, was involved in the response to the nerve-agent attack in Salisbury, the WannaCry released by cyber actors. So, somebody who brings from his MI5 side a really deep interest and knowledge of the technology dimensions that are so central now to his role leading GCHQ. So, Jeremy, great to have you with us.

Let me bring the first question to you. What’s changed, or what is changing the most in the threat environment, that is defining why this new national cyber force has been announced? Is it that something has changed, or is this more of an evolution of the threat environment that the UK’s trying to respond to? Over to you first.

Jeremy Fleming

Well, thank you, Robin, and good afternoon everyone. It’s fantastic to be here at Chatham House in person, and great that so many people could join us today. We really welcome this opportunity to have a conversation about what is a very, we think, exciting, but also fast-moving domain. And this is an opportunity for us to flesh out a bit the announcement of the – of a couple of weeks ago, but also, we hope, with likeminded individuals, academics, people from business, and of course, the media, to have a more developed conversation, that gives us our licence to operate in this space.

So, you asked about the threats and how they are developing. Of course, GCHQ celebrated its centenary last year, about the same time as Chatham House, I note here this morning. And it’s a century of working in deep partnership with our military colleagues, but it’s also a century of exploiting technology, of developing a technology of making sure we can counter our adversaries’ use of technology. And of course, what we’ve all seen in society, in our private lives as well as our business, our professional lives, on a geopolitical level, we’ve seen an explosion in the way in which technology affects our way of life, the way in which, particularly in the last few years, cyber has become a term of art.

And so, as we sit here in 2020, 100 years after the creation of GCHQ, we are contesting and operating in a new domain, the cyber domain. And the way in which we look at that is to build out from an understanding that what’s happened with technology and what’s happening with cyber is fundamentally a good. That we can operate as individuals, as communities, as businesses, and between our countries, is an amazing thing and it fuels our prosperity, it fuels the geo-economy. It fuels our ability to interact with states across the world, and we have to defend that at all costs. That sense that, whatever we do, we need to defend the advantages and the advances that come from that technology.

But of course, wherever you get those advances, you also get adversaries who are seeking to do us harm. And it is the case that criminals, terrorists, extremists and hostile states are all seeking to take advantage of this domain, and what we’ve seen during this latest pandemic is an acceleration of that, if you like. The National Cyber Security Centre, part of CGHQ, charged with making the UK the safest place to live and do business online, is dealing with about 60 incidents a month. That’s a slight uptick, over the last couple of years ago, but in the last nine months, 200 of those incidents during that period have had some sort of coronavirus-related angle to it.

So, the domain is changing very quickly, and we need now, as a nation, to be building out from the success of our defensive posture, to make sure we can take advantage of all those benefits that come from technology, but also, in extremis, be able to contest cyberspace. And the announcement made a couple of weeks ago is the latest evolution of the UK’s response to that. To be a responsible cyber power, we need to defend the digital homeland, we need to be able to disrupt and compete in cyberspace. We need to do that in accordance with international law, internationally agreed norms, and we need to do that in partnership with the military today, with business, with academia, and with our allies internationally.

Dr Robin Niblett CMG

In terms of the way that the threats have changed, if I can come back to one quick follow-up question to Jeremy. You mentioned there’s been an acceleration, obviously, of the importance of the cyber domain to our prosperity. Inevitably, then, it attracts the threats to the security as well. From your perspective, before I bring it round to General Sir Patrick, the relationship with the military side in particular may strike many people who follow this less closely as new, in the sense that the reporting of GCHQ’s role tends to be more in the space of it being almost the other arm of MI6. That somehow, it’s that capacity to surveil, to watch, but be very much in the shadows. And as we see so much more of the military on our screens, historically and in the present day, is there some shift going on in your mind? You said this was an evolution, but is the connectivity with the Ministry of Defence, with our military forces and our armed forces, somehow part of the change of the threat as well?

Jeremy Fleming

Well, GCHQ has always done three things. It’s collected intelligence, largely foreign intelligence, against the most prevalent national security threats of the day. It’s tried to help others make use of that intelligence, and our relationship with the military has always been fundamental in that regard. You know, wherever the military deploy, we’re there alongside them and always have been, for 100 years. But also, we’ve had a role to defend the nation’s secrets and of course, you’ll have seen a lot of that almost in folklore. The way in which the Bletchley story has been told is as much about encryption as it is about decryption.

But what has happened because of the way in which technology has evolved and the way in which cyber as a domain has evolved is that GCHQ’s role to protect information has become a much more public-facing thing. And so, the National Cyber Security Centre is part of GCHQ and yet, the vast majority of its work is transparent and open. We have a public-facing mission, unlike more or less any other intelligence agency and that mission is to inform the public, to inform business, to help the country make cyberspace a safe place for us to operate and live our lives.

But of course, we still have the harder end of threats that we need to deal with and our relationship with the military is morphing right across that spectrum. So, through the NCSC, we’re working with Patrick and his people to defend the military infrastructures and assets, which depends so critically on information. But we’re also working in deep partnership with the military in that sub-threshold space, and that might be in Syria, where we’ve talked about our role in disrupting Daesh media in public. It might be across a whole range of other national security operations and, you know, the National Cyber Force is not a traditional military-only capability in the same way that Patrick will talk about his military capabilities have evolved too. It’s operating across the spectrum of national security, from serious organised crime to high-end war fighting and the military and military partners are there alongside us, across that whole spectrum.

Dr Robin Niblett CMG

You know, so, in a way, it’s just less, perhaps, of an evolution than some people might have thought and I’m sure, if we went back into the Cold War era, you would have found all sorts of different connectivities or more, not talked about, but nonetheless, connectivities.

And let me turn to General Sir Patrick Sanders, Commander of UK Strategic Command, just to complete the introduction, having served in the field in the bulk of the main military operations we would all be familiar with, from Northern Ireland, to Kosovo, Bosnia, Iraq and Afghanistan, most recently, but also, a lot of key staff commands as well, directing staff at the Joint Staff College and a Political Military Advisor to coalition forces in Iraq. And obviously, you’ve also headed up more recently operations and have served as Assistant Chief of Defence Staff in the Ministry of Defence. So, you bring both that in the field role that we’ve just been discussing with Jeremy right now, but also, this co-ordinating role. And I suppose, in the UK Strategic Command, it’d maybe be helpful if you let our audience know a little bit about its key roles, and in particular the role that you were playing as the kind of leader of the cyber domain for defence, managing those kind of joint capabilities for the three armed services.

I’d love to know, from your perspective, the way in which the cyber domain has increased in its relevance, in terms of the co-ordination role that you need to play for the armed forces. What’s become different, do you think, in the last year? And what are you most worried about, looking two years ahead, in terms of the threats that you’ll be able better to address jointly?

General Sir Patrick Sanders

Yeah, I mean, thanks, Robin, and thanks again. I echo Jeremy’s comments about how good it is to be here and be here physically, which makes a nice change. And I’m just going to pick up on the second question you asked Jeremy before I ask – go back to what you asked me. And Jeremy and I were stood, about a year ago now, at the National Memorial Arboretum, celebrating GCHQ’s centenary. And standing there together, I was struck by how many of the GCHQ personnel were wearing campaign medals. Now, I spent most of my operational – or most – a good chunk of my career, on operations, and I can’t recall an operation that I was on where I didn’t have a GCO, a Government Communications Officer, alongside me, and providing an absolutely vital bit of support, whether it’s intelligence support or whether it’s effects, information effects, to the campaigns. So, the point, you know, the idea that we are in some way distinct or divided and this is a new thing is kind of for the birds. We’ve been working together for a very, very long time, right from the start, in fact, and it’s a critical partnership. And so, this establishment of the National Cyber Force is a natural evolution of an already very, very strong partnership, bringing those two distinct operational cultures together in a really positive way.

I mean, you asked about the threats, and I don’t just worry about the military threats, and I worry just as much as Jeremy does about some of them around serious and organised crime, because the NCF is a joint endeavour, and so we’re bringing joint capabilities towards that. But the threats, if I add to sort of Jeremy’s opening comments around how we’ve evolved defensively, I mean, I think the thing that’s changed for me most, as you look over the sweep of the last few years, has been the intensity and the range and the scale. And cyberspace is now not only the most contested domain that we operate in, but it’s one where there is a state of permanent, perpetual confrontation. And that’s a very deliberate strategy by our opponents, particularly some of the hostile states that we face, where they no longer see the world divided into peace and war in binary terms. They think of pursuing their own strategic advantage as a continuum, starting with operations in cyberspace at one end and nuclear war at the other. And they operate fairly easily up and down that continuum, and cyberspace presents them with the most active, the most direct vector to pursue strategic advantage.

So, our response to that has been, as much as we can, to establish the right norms of behaviour, Jeremy’s points around us being a responsible cyber power where we respect international law, also to build our defences in the way that Jeremy describes, with the National Cyber Security Centre and its equivalent in the MoD and Strategic Command. But that’s not sufficient. You can’t hide behind digital walls. You can’t hide behind a digital fortress. You’ve got to be able to get at threats at source. It’s easier to get at the archer than it is the arrows and, in doing so, and it’s why we’ve announced it, also to contribute to deterrence.

And then the second thing that’s changed is, of course, cyberspace has become a domain of operations, and NATO declared that back, I think it was, in 2016. And so, we have to, when we’re thinking about military operations, be able to exploit cyberspace, defend ourselves in cyberspace, but crucially, integrate effects in cyberspace along with what we do on land, in the air and sea, and increasingly, in space as well.

Dr Robin Niblett CMG

And you mentioned deterrence, which obviously has been at the core of all security strategies for so long. It gets associated in the Cold War lexicon with that capacity for ultimate nuclear deterrence, the ultimate punishment, if you see what I’m saying, or the ultimate form of defence. When you look at the cyber domain and you talk about deterrence, and it’s in a world where you’re not dealing with conflict suddenly happening and then ceasing, as you say there’s a permanent, persistent presence of the threat, what – how does this deterrence change in this environment, and where does the Strategic Command and the partnership with the National Cyber Force change the aspect of deterrence? Is it because you’re, as you said, able to get out there and get to the archer? If you’re getting to the archer, what does that mean, I suppose, to the extent you can share this with us, in practical terms? Is it being able to send signals? Is it disrupting, is it degrading capabilities that are technical? And to what extent does it then start to blend together the human with the technical? ‘Cause obviously, in the end, military forces are quite kinetic.

General Sir Patrick Sanders

Let me start, and then I’ll – Jeremy can offer a more intelligent answer. But when we think about – so when I was at Sandhurst, we were taught the three Cs of deterrence: communication, credibility and capability. You had to be able to communicate that you had a capability and make sure that you had a dialogue with your opponent. That’s part of what we’re doing here today. You have to have a capability and you’ve got to be able to use it with credibility. To that, I’d add a fourth C, which is competition. Because in this era of constant competition, if you’re not engaged persistently, you’re not engaged forward, you’re not deterring. So, we need to demonstrate that we’ve got the capability, that we’ve got the will and the intent to use it in the right circumstances, and then, under the right conditions, show that through communication or through demonstration.

But deterrence doesn’t come purely in a single domain. It comes from the blending of all of the domains, and as I’m sure Jeremy will go on to say, it also comes from applying international law. There has to be a cost to acting illegally, unlawfully.

Dr Robin Niblett CMG

Yeah. Jeremy, let me bring you in, and I’ve got a follow-up question on international law, and then I’m going to turn to Patricia and get some of her comments. Over to you, Jeremy.

Jeremy Fleming

So, Patrick’s doctrine of deterrence, of course, for quite a lot of our history and quite a lot of our understanding, at least my understanding is, has been about how that applies at the sort of top end of military confrontation. And what we’re seeing in the cyber domain is a different approach to deterrence, and we are all frankly still learning what that means and how effective it is, using that brilliant structure that Patrick has set out there. What we can see is that cyber capabilities are not exquisite red buttons. They’re not things that you keep stacked away in a cupboard, that you will use only in particular circumstances. We want and are operating in cyberspace below the threshold to have an impact on our adversaries, to protect our digital homeland. And from my perspective as a non-military person, the way in which we use these capabilities is going to ultimately determine the way in which we have any deterrence.

But of course, the exact operations that we mount, many of those, in fact most of them, will always be secret. You know, this is it. There is a point here about this being an intelligence and defence partnership and so, the details of the operations we expect largely to be secret and that’s why avowing them in public has happened so seldomly. But we do want to have a conversation about the sorts of things that we can do and will be doing in cyberspace to encourage that sort of debate, and because without that, we don’t think that we’re going to have our licence to operate. So, the National Cyber Force will be involved and is involved in disrupting criminals, extremists and terrorists, imposing cost to them on their actions. It will be and is involved in counter cyber operations. So, where adversaries are seeking to harm our interests or might be themselves prepositioning in critical infrastructure for assault. We will try and counter those cyber operations. Not just using cyber capabilities, using the whole of the full box available to the UK. We will be involved in counter misinformation where it meets a threshold. And we will be involved in countering the activities of states where their individual acts are not reaching the threshold for a response or for force, but where the aggregate effect is causing us harm. And, of course, we’ll be involved in every step of the way alongside the military where there’s a military conflict. And it’s that spectrum of effects that goes from defence right to offence that we would seek to be involved in and taken together, we hope will give some deterrence, too.

Dr Robin Niblett CMG

Well let me – thanks for those answers. Let me bring Patricia Lewis in now and Patricia, known to, I think, you all at Chatham House, is our Research Director for Conflict, Science & Transformation, and also Director of our International Security Programme, was the Deputy Director and Scientist in Residence at the Centre for Non-proliferation Studies at the Monterey Institute and the Director of UNIDIR in Geneva for quite a while as well. Patricia, why don’t I get you to come in with some comments and responses to what you’ve heard so far, and I’ll pull off those for a few more questions before turning to our audience. I can see a lot of quite good questions coming in already. Over to you, Patricia.

Dr Patricia Lewis

Thank you very much indeed, Robin, and thank you Jeremy and Patrick. Very important that this is, we’re having public debate and it’s on the record so early after the announcement, and we’re really grateful for that. I wanted to just address a few points for the purposes of providing a little bit of challenge and concern. But the first of these is the communication, which is so very important, as you’ve said. We’ve been doing, at the international level, the UK’s been carrying out so much good work, for example at the UN, in the Group of Governmental Experts, the Open-Ended Working Group and so on, and also at the OSCE and NATO. And we’ve been looking at, in the Commonwealth particularly, cyber capacity building and going much wider than that. We’ve been putting the emphasis on responsible behaviour, and all of this is forms of package that I think many countries can get behind. How does this, and how do we ensure that this announcement and this new – or it’s not new, but now that it’s newly open, if you like, it doesn’t undermine those efforts? How do we make sure that this is part of the same conversation? Are we looking at, for example, cyber capacity in these types of skills, as well as in defensive skills? So – and how does it impact on our influence, in these – in this regard?

I just wanted to address the legal issues as well and I know that we’ve been really behind the phrase that international law applies in cyberspace. But as we know, the word ‘apply’ is very much about implementation, and the application of law in cyberspace is there as a principle, but in practice, of course, it’s evolving, in terms of what that actually means. In terms of our national laws, of course we have a number of them, such as the Investigatory Powers Act, that apply nationally. But what about the international application and Codes of Conduct, in terms of legal and ethical oversight for these types of activities? And connecting with that as well, the civil-military teams, which yes, we have a lot of experience of civil-military teams in other domains, but what’s the difference in this domain? And, you know, this can be quite – this can lead to quite sticky legal areas for civilians, and what’s the thinking about how this might be different and how we might need to address that going forward?

And then my final point is on deterrence, and I really like the way that you’ve constructed it and talked about it. And if we look at the NCSC we’ve got, you know, their deterrence by denial, or you can also say, you know, resilience is a form of deterrence. We make sure that we’ve got the defence in place, we’ve got the resilience networks as a form of, you know, don’t even bother to try and attack us. So, that’s a really important form of deterrence. And you’ve talked about now, about this sort of more engaged and active, forward, if you like, deterrence by countering, deterrence by action. But this is a highly networked, complex environment that we’re in, and there can be several unintended consequences from any action in a highly complex environment, which is highly networked and so, what are the risks of all of this? How are we gaming the risks? How are we thinking about them? Particularly when it comes to any unintended consequences as a result of the action. Thank you very much.

Dr Robin Niblett CMG

Patricia, great points, and you’re getting to a number of the important questions here, which I can imagine also some of our audience out there want to get to as well and I do want to come back and bring these through to you. Maybe, as Jeremy had the last word, I’ll turn to Sir Patrick first on this front. This move from, if I can start right at the end of Patricia’s remarks there, moving from deterrence by denial to deterrence by action, and the risks of spill-overs. There’s been, even at the time when it was revealed, the Stuxnet operating capacity to intervene in Iranian operating systems ended up having a backlash effect, as I understand it, as some of these technologies got out or some of these systems got out into the system. Are you worried at all, to Patricia’s point, that moving from deterrence by denial to more overtly deterrence by action in the networked system carries risks, and how are you dealing with them, I suppose?

General Sir Patrick Sanders

So, I’ll sort of blend two of Patricia’s points together, ‘cause I think they allied. When we apply force in cyberspace, we’re guided by the same principles as we are when we apply kinetic force and that is: military necessity, if it’s a military target, proportionality, discrimination, and humanity. So, the idea that we would construct some kind of a cyber weapon of mass destruction, which is kind of what you’re alluding to, and use that indiscriminately, is directly counter, not only to international law and the sort of authorities that we would be given under political oversight in the UK, but it’s contra to our values and it’s counterproductive. We are trying to establish norms in cyberspace. So, discrimination, proportionality, are enormously important. And, you know, you – Patricia talked, I think very helpfully, about what a difficult domain this can be to operate in, because it’s so fast-moving and shifting, but the amount of preparation it takes to get after an operation. You know, you can’t overstate it. It requires an enormously sophisticated degree of intelligence and capabilities and software development and all the things that we’re bringing together in the National Cyber Force. So, you know, WannaCry, NotPetya, that’s not who we are.

Dr Robin Niblett CMG

Right. Did you want to come in on this as well, Jeremy? ‘Cause I was going to wonder about attribution, one of the most difficult – I mean, some of these things may not be announced, and therefore the attribution element won’t necessarily be a problem, but in some cases, you are going to want to say what you’re defending against, and the attribution element has always been so difficult. People say, “We want to follow international law,” but it strikes me international law can be quite amorphous when we get into the cyberspace. Could you just say a word or two as well about your sense about the risks of deterrence by action rather than deterrence by denial, to use Patricia’s terminology, in how you’re dealing with it?

Jeremy Fleming

Well, let me build on a couple of Patrick’s points and Patricia’s excellent questions. So, the risks of unintended consequences, I think, go back to Stuxnet, and they also go to NotPetya and WannaCry, and those were – those of you who are not afficionados on this might recall that these were attacks in 2017 that had an impact on the National Health Service here, but also, had an international impact globally on commerce. And in those consequences, what we saw were tools that self-proliferated in a way in which I am sure that the states behind them had not intended. And the question is, how do we stop that sort of thing happening? And we, as a nation, our approach to that is as Patrick has set out. So, the way in which we think about capability, the way in which we plan operations, the legal and statutory and oversight regimes behind us, mean that we have a very different starting point to those states, which have released those sorts of capabilities in the recent past. And it is the case that I’m aware of no responsible states who are designing tools that are self-proliferating in that way.

But that said, Patricia, you are right, I think, to point to the risks of that and we have a responsibility to make sure that we demonstrate we are operating in accordance with our frameworks. But also, that we’re managing the risks such that we protect our capabilities properly, such we minimise the extent to which they could be accessed by anyone else, and that we’re very clear about how we would act, including with allies, if that was the case. So, there’s a whole range of new caselaw, which is developing around all of that.

Which brings me – caselaw, which is your second point here, which is, of course, we, the UK, I think, has been very forward-leaning in setting out that international law applies in this context. We have been amongst those states who’ve been prominent in arguing in all of those multinational fora to create internationally agreed norms about the – about cyber and particularly about the use of these sorts of capabilities in cyberspace, and we’ll continue to do that. Coming from a perspective, as we do, as a liberal democracy with values at our core and with a long history of adhering to international legislation. It has to be said that not every state thinks the same way and so, this is a bit of a competed domain in itself. And we need, I think, as nations, to be grouping together more effectively, so that our view of an open, free, fair internet, that can be the basis for cyber commerce, for geo, our global economy, and for the way in which we promote our values, it really has force in international law. And there’s more to do in that regard.

Attribution was the specific point, wasn’t it?

Dr Robin Niblett CMG

Yeah.

Jeremy Fleming

And so, the UK has now, I think again, been at the forefront of calling out hostile state behaviour. We have done that numerous times where it crosses a threshold, and where we think, together with a whole range of other tools at our disposal, law enforcement, sanctions, diplomacy, where it adds to our ability either to deter or to disrupt those as states, and the UK policy is to attribute where we can.

But we also work every day alongside virus companies, antivirus companies. We work every day alongside our big tech, to make sure that what we see and understand about adversaries’ work from our defensive mission is helping them to design better tech for tomorrow or defend their customers better from the sorts of behaviours, which we think cross a line. So, attribution isn’t the only thing, but I think it does have an important role to play in our international response.

Dr Robin Niblett CMG

I could see that in a way, he doesn’t mind – going to questions coming in here, John Milnes-Smith asks about “How will you balance the demands of credibility, communication and the importance of international law as part of a deterrence, with the secretive nature of these operations?” There must – international law, as Patricia was mentioning there, is generally about an open process where the norms and so on can be clearly defined. Do you see a conflict, Jeremy, or how do you manage this conflict between the need for secrecy, in so many cases, and yet at the same time, the statement that you’re abiding by international law? How is that scrutiny provided? How is that – how can one be trusted?

Jeremy Fleming

Yes, well, and part of the reason we’re having this conversation today is because we want to encourage this sort of debate. I am, and I’m sure it’s the same for Patrick, I think that I only have a licence to operate if the public, and particularly if parliament, understand what we’re doing. So, we want to have a more informed debate around all of this.

Dr Robin Niblett CMG

And is there a parliamentary oversight? I mean, is there a particular – do you have an oversight mechanism that it can be specifically relevant to the C Force?

Jeremy Fleming

Yeah, so we do have an oversight mechanism for the National Cyber Force, and its operations will be overseen by the Intelligence and Security Committee, and aspects of it, in Patrick’s domain, will also go up through the Defence Committee as well. But the main oversight for the National Cyber Force is via that route. But our statute, upon which we operate, which authorises our operations, is, I think, world-leading statute. It was argued and was passed with cross-party support back in 2016 and I think I haven’t seen as good legislation or as comprehensive legislation, which covers the whole range of our operations, anywhere else in the world. It means that for an intrusive action, not only do we have to get the Secretary of State to agree to what we’re doing, we also have to get a senior member of the judiciary, as part of the Investigatory Powers Commissioners’ organisation to approve all of that. And, of course, after the fact, the Intelligence Security Committee can scrutinise it as well. So that states operate in secret doesn’t mean that we are not operating in accordance with international law. In fact, we’d say the UK has a long track record of operating those covert capabilities, and that’s what we’re going to be doing in this space.

Dr Robin Niblett CMG

I’m going to bring in a question now from Lewis. I’m just going to warn that I’d quite like to get Kim Sengupta and Gavin Boyle to ask the questions live. So just be ready, Kim, Gavin, in a minute. Let me turn to the – yeah?

Jeremy Fleming

So, I’m going to offer one little bit of colour to Jeremy’s last commentary and of course, there is one area of military capability which we don’t talk about either, but every now and then it reveals itself, and that contributes to a deterrence. And that of course is special forces and there is – you know, I don’t want to conflate these two organisations, but there is something unique, special, and we’re not going to – you know, we’re not going to talk about what they do, but every now and then you will see a signal coming up, some kind of demonstration of capability, that will contribute to a deterrence in the way that John asked his question.

Dr Robin Niblett CMG

That’s a good follow-up point and actually, I’ll turn to you with a broader question from Aila Cameron, who asks, “The UK intelligence community has been warning that Britain faces state-level threats from Russia and China, especially in cyberspace. You know, what are the characteristics of these two countries’ threats?” She also asks, “What are their purposes?” And you can comment if you want on that. But are there different characteristics to – if I could start with you on this, to the types of threats you’re seeing from Russia and from China?

General Sir Patrick Sanders

Is that for me?

Dr Robin Niblett CMG

Yes, to you, Patrick, yeah, sorry. Starting with you. The easy one first.

General Sir Patrick Sanders

So, I think Jim Hockenhull, the Chief of Defence Intelligence, who’s part of Strategic Command, set this out quite nicely a few months ago, when he described Russia as the acute threat and China as the chronic one. And China, undoubtedly in the long-term being, you know, the greatest strategic threat and so, dealing with the consequences of a Russian behaviour occupies a lot of NATO’s attention and rightly so. It occupies a lot of our attention across the defence and security community and there is a risk of miscalculation. The long-term threat from China depends very much on China’s behaviour, and we would clearly like to have a constructive, positive relationship with China, not least one of trade, but some of the actions that China has taken make that – make us wary. And we need to insulate ourself against some of those threats and the National Cyber Force is part of that.

Dr Robin Niblett CMG

Just one specific thing on China. I mean, again, in the public domain, a lot of commentary about how effectively they are combining new technologies and trying to asymmetrically gain advantage without having maybe to reproduce all of the huge kit and tech that NATO allies produce. Is that – looking at this from the military lens, is that part of your concern as well, and therefore having that support with GCHQ becomes all that much more important?

General Sir Patrick Sanders

Yeah, I mean, I think the way that the Chinese and indeed, to a certain extent, the Russians as well, are approaching or developing their own strategy as a response to the overwhelming military dominance represented by the West, which sort of reached its apogee in the First and Second Gulf War, and while we were engaged in, if you like, nation-building operations and counterinsurgency, they got ahead of us. And they have developed their approach to operating sub-threshold, using all of the levers of power, exploiting things like technology, 5G is a good example, developing military capabilities in space, hypersonics, autonomy. You know, all of these things represent both the technological, but also a paradigm shift in their approach to warfare, if not war.

Dr Robin Niblett CMG

Just to quickly pull in here Patricia ‘cause, wonders of technology, I know she wants to come in, specifically on the China issue, I think, Patricia. Did you want to make a quick comment on that and let me bring you in here?

Dr Patricia Lewis

Yes, in terms of the longer-range threats, if you like, and like the characterisation of China, is that we’re very concerned about China’s activities on trying to re-establish or establish new rules on internet protocol standards, and how that could lead to a different type of internet in which mass surveillance, surveillance of individuals, starts to become much easier for certain types of states, without the legal constraints that we have. And in our journal, the Journal of Cyber Policy, my colleague Emily Taylor, Stacie Hoffman and Dominique Lazanski have talked about standardising splinternet and China’s long-term goal of changing the rules of the way we operate online. Are we paying enough attention to this? Do we see this as a security threat? Or are we just seeing this at the moment as a sort of bid from China to kind of make the world as it wants to, to make its own internet for China? Whereas I think it’s actually going to have a much bigger impact, if we’re not alive to it.

Dr Robin Niblett CMG

Why don’t you come in on this, Jeremy, ‘cause I think this ties into Patricia’s earlier point about all these processes going on in the UN that we may end up getting on the side of. Over to you.

Jeremy Fleming

Well, it’s a very good point, Patricia. Lots of commentary about splinternet, lots of commentary about competing systems. And it is the case that only just over half the world are currently on the internet, and the half that aren’t are in rural China, Sub-Saharan Africa and rural India, broadly and so, there’s a lot to compete for there. And as we look to the future, we see a landscape, which has Chinese technology very prevalent in it, where they are offering, at a good price and from a complete technology stack perspective, solutions to countries right around the world. And I think that this is an area of fundamental strategic competition for Western liberal democracies going forward. And we need to work out how it is we’re going to work with China where we want to and where it’s in our advantage to do so, where it is sovereign-only or with our allies-only capabilities will do, because of the security issues underpinning it. But in the middle, where it is, we’re going to enable a connection, so that the internet doesn’t splinter. I mean, the whole point about this technology landscape is that it connects the world. It underpins commerce. It encourages co-operation and communication. So, I think that as Western allies and as the UK, we need to focus much harder in this area. I mean, interestingly, this is one of the themes from the Integrated Review, which I hope will still see the light of day after Christmas. And that sense of the UK playing a really fundamental role in setting the rules for the next generation of technology, I think that there’s a lot to play for in that space.

Dr Robin Niblett CMG

Lots of questions coming in here and I’m going to just fire them off, and we’ve got at least 15 minutes to go. Gavin Boyle, are you there? Can you ask your question unmuted, turning to Gavin first?

Gavin Boyle

Yeah, can you hear me? Can you hear me now?

Dr Robin Niblett CMG

Perfectly, yeah.

Gavin Boyle

Okay, cool. So then turning a little towards the private sector here, and I understand – and away from just private companies per se, but more strategic assets. Away from the defences controlled and directed by the government, that we’ve been talking about thus far, how would we maintain sustainable confidence in any private sector involvement or solutions, regarding key infrastructure assets? And on this, I’m looking at a couple of examples being the self-regulation model of US domestic banking in Sheltered Harbor initiative, or more commercialised solutions such as General Keith Alexander’s IronNet and IronDome offering to the US energy sector, noting that he is himself ad former Commander of the US Cyber Command.

Dr Robin Niblett CMG

Do you want to go first on this, the private sector getting kind of pulled into this, if you see what I’m saying, first, Jeremy?

Jeremy Fleming

Yeah, so again, I’m not sure I got all of your question there. But let me have a go and come back if we haven’t covered the space here. So, any response in cyberspace from the defensive domain, right up through the stack, increasingly involves the private sector. It is the case that we are working in a domain where the technology industry and environment are spending billions and billions of pounds, dollars, renminbi, every year. And for us to be able to compete, for us to be able to take part in that context, and of course we need very, very strong relationships with the private sector.

The good news is that those relationships are very deep and because of the clout of government and because of the way in which we engage them, we also have a fundamental influence to help them develop capabilities, which not only deliver against our objectives and work to our strategies, but also develop capabilities, which adhere with those international norms. And the prize for them is that when they do it in that way, then they – and this is particularly the case for some capabilities operating in the cybersecurity sector – then they get to point to our Kitemark in the support that they are able to provide for other people. So, government could use its – can and will use its leverage more in this space. I mean, I think that the question is probably much more fundamental about the private sector’s understanding of the threats they face. And there we’ve seen progress, in recent years, in people understanding just how critically their commercial futures are dependent on good cyber governance, good cybersecurity. But frankly, we’ve got a way to go.

Dr Robin Niblett CMG

Do you want to come in on this point?

General Sir Patrick Sanders

Yeah, I really would…

Dr Robin Niblett CMG

Yeah, please.

General Sir Patrick Sanders

…because it’s an opportunity really. So, it’s just to stress the importance of the private sector as a partnership, and the opportunity, I think, in terms of developing sovereign IP, supporting UK prosperity, this represents. And it’s worth noting that of the multi-year settlement that the Defence received, the area that has attracted the largest investment, or second largest, has been the NCF, and the highest – one of the highest priorities in Defence is around cybersecurity. And that is a real opportunity for UK industry to lean into, as long as they’re bringing the right standards with them.

Dr Robin Niblett CMG

And you’re concerned in a way UK industry may become more of a target the more that the UK is, you know, is visibly seen to be operating in this space and looking for the partnership, as you move into a more offensive form of defence, if I can call it that?

Jeremy Fleming

No, I don’t think so, if that question was…

Dr Robin Niblett CMG

It’s coming down the line.

Jeremy Fleming

So, I mean, Patrick will have his own views on this. No, I don’t think so. I mean, there are great opportunities here for the UK. The UK’s cybersecurity sector is also one of the most competent, if not the most competent globally. The UK is ranked number one by some indexes for cybersecurity nationally and so therefore that makes it, I think, a great source of pride, but also, inward investment, economic growth, and the ability for us to project that way of doing business internationally. I would go back to Patricia’s points around the good work that we’ve been doing internationally to help countries build capability. And that is – that’s never the National Cyber Force or the National Cyber Security Centre or UK Government on its own. The UK’s offer as a responsible cyber power with – backed up by a business that does things in the right way for the right reasons, in accordance with international law.

Dr Robin Niblett CMG

There’s a question here. Ron won’t mind if I ask it for him, Ron Freeman asks, “Comment on Chinese infiltration of UK firms.” Now, and what he means by that is there’s always been a comment about that, at some point in the Director of GCHQ’s kind of tenure. And I’m wondering whether you would be indicating to our audience that you sensed this has been rising, declining, flattening? It’s a pretty important test.

Jeremy Fleming

I’m always very wary of, you know, up and down type questions. But it is the case that the UK has called out Chinese activity in cyberspace against our interest. It is the case that the UK has called out Chinese activity, which has led to the theft of our IP and has therefore caused us economic as well as national security damage. And here, in the UK, we are of course very concerned when we see any activity from any state that is going to cause us that sort of damage, and the way to respond to that is to make sure that we have really focussed on defending our digital homeland, such that it is harder for any state to operate in the UK or against our interest. And we will still call out activity whenever it crosses a threshold for us.

Dr Robin Niblett CMG

But as the political relationship has got a little worse, let’s say between China and the rest, can you point your finger in the direction that things have stayed flat, got worse, or got better?

Jeremy Fleming

Well, if anyone had any doubts about the rise of China, then what we’ve seen, over the last nine months, is the extent to which China is making so much more of the world’s weather nowadays, if I might put it that way. And of course, the UK wants to have a relationship with China that allows us to work with them where we can, to have a secure and profitable trading relationship. But equally, at times, our security and our vital security interests are in play here, and we want to have the sort of relationship where they both understand that that is not acceptable, but also, where they are sure that the UK will take action, if we see it.

Dr Robin Niblett CMG

I mean, you’ve given me – you’ve answered the question. I’ve raised it simply ‘cause I remember when Barack Obama supposedly, did the deal with China that would lead to a reduction, and the reports were that there was a reduction, but it was picked back up again, and people are going to watch these things very closely. In any case, let me bring Gordon Corera in, from the BBC. Gordon, hopefully you can unmute and you’re there? It says ‘noted’, so I think Gordon is there. Gordon, can you…?

Gordon Corera

Yeah, hopefully you can hear me, thank you. I wanted to ask how will you decide who authorises operations? Because GCHQ reports to the Foreign Secretary, the military obviously through the Defence Secretary. How will you decide when a Cyber Force operation gets authorised by which senior official? And then just a brief follow-up to Jeremy, if he’s seen anything or can say anything about any UK impact to this quite large hack of the US Government that’s just emerged in the last few days.

Dr Robin Niblett CMG

I think I’ll start Patrick on the first bit while Jeremy thinks about the hack answer.

General Sir Patrick Sanders

So, it’s a joint authorisation. Both Ministers are accountable. Both Ministers are equally responsible. The legal construct that is used, the legal framework that is used, will depend on the nature of the operation, whether that’s the Intelligence Services Act or whether it’s the Law of Armed Conflict. But it’s a – you know, this is a distinct operational entity. It’s neither wholly slave to the MoD, nor wholly slave to GCHQ, and both Secretaries of State have authority over it. So, so far, and we’ve been doing this since April, I don’t think we’ve had an issue.

Dr Robin Niblett CMG

Perfect. Second part of the question, maybe, Jeremy?

Jeremy Fleming

So, the second part. Gordon, thanks for the question. Then, I think you’re referring to the news from the US over the weekend about the serious compromise of a company called FireEye, and then the announcement this morning that a number of US Government departments have been affected by a cyber compromise. But of course, these are both serious events, and I’d like to start by commending FireEye and its partners for the way in which they have been so open and quickly open about the attack that they’ve suffered, but also, on the front foot about their response to it. And if anyone listening here needs to understand that better, then there’s some excellent advice on the National Cyber Security Centre’s website this morning, which builds on the FireEye’s response.

So, in terms of the UK’s vulnerabilities, then of course we are working at pace with US partners in government and in the private sector to understand what this means. I haven’t seen any news as yet, Gordon, on the extent to which any customers of FireEye or the particular instances, which have affected US Government have been affected here and have had an impact here in the UK, but obviously, we will continue to work very closely with them. And if we do, we will work very quickly to make sure that the most up-to-date advice is out there.

I have to say, at the base of this and at the base of any cyberattack, as you know, is an exhortation to everyone, whether you’re an individual or a business, to make sure that you have patched your software, that you’re really clear about where you backup, that you’ve been very careful about your passwords. We’re boringly consistent in saying that, but it is the case that if you get those bits of advice right, then you protect yourself from most of the sorts of activity we see from hostile states, let alone most, nearly all of the activity we see from criminals.

Dr Robin Niblett CMG

Let me bring in – I’m keeping an eye on time – Joyce, Joyce Hakmeh, can you come in with your question? I know you’re in there somewhere. Joyce, over to you.

Joyce Hakmeh

Thank you, Robin. My question is really in relation to the inclusion of fighting organised criminal groups as part of the mandate of the National Cyber Force. So, what roles will the National Crime Agency and other, you know, bodies dealing with organised crimes are you foreseeing in this initiative? And what checks and balances are you envisaging for clarifying authority and decision-making between the different involved bodies? Thank you.

Dr Robin Niblett CMG

This is the National Crime Agency, you know, with a – how you manage fighting organised criminal groups, within the mandate of NCF and what role for the National Crime Agency? What are the checks and balances, the decision-making between those bodies?

Jeremy Fleming

Shall I start on that?

Dr Robin Niblett CMG

Yeah, okay.

Jeremy Fleming

So, GCHQ, as part of its mandate, can operate in support of the National Crime Agency, in relation to serious organised crime, and it’s a very important part of our mission. Every day of every week we are working alongside law enforcement to try and disrupt those criminals. Everything from serious and organised crime groups through to globally organised paedophile rings and that part of our work is really, really important. It is the case, increasingly, that the National Cyber Force’s operations could play a role in that process, alongside, of course, the existing law enforcement and judicial processes. But they can help to disrupt those criminals and that might be denying access to a mobile phone or a particular bit of infrastructure. It might be on undermining their network such that they can’t store and promulgate dreadful images, sexualised images of children, for example.

And we’ve long experience of working alongside the judicial process. The processes are exactly the same for the National Cyber Force as they are for the rest of GCHQ. It means there’s a law enforcement lead, we operate to their priorities and it means that our activities are – continue to be overseen in the way that we’ve already described. And to the extent to which our involvement can be made public, then we do, and we have in the past talked about intelligence’s role in relation to disruption of serious and organised crime, and I hope that in relation to the National Cyber Force, we’ll be able to do that in the future too.

Dr Robin Niblett CMG

I’m rattling through here, so we don’t go too far over time. Kim Sengupta, you’ve been waiting very patiently, and if you ask your question, could you flip it and ask the one to Sir Patrick first, so that, you know, it would be good to get his voice in on one of these issues, then you, Jeremy can follow-up on the second part of it. Over to you, Kim.

Kim Sengupta

Thank you very much, Robin. Patrick, you mentioned this briefly before, but it’s really to do with the military’s involvement on protection vis-à-vis the pandemic. Nick Carter mentioned back in May, I think, that the 77^th Brigade are countering COVID-related disinformation. Is there anything you can add to that, Patrick, from the point of view of what you guys are doing, and just how serious this problem is? And the question for Jeremy, Jeremy you mentioned that something like 200 incidents have taken place, pandemic-related, in the last nine months. Can you expand on that if possible? I mean, what are we talking about? Are vaccines being targeted, for example? Are some of these attacks state-sponsored? Thank you very much.

Dr Robin Niblett CMG

You go first on the COVID disinformation.

General Sir Patrick Sanders

Hi Kim. So, on 77^th Brigade, I mean, let me just, first of all, dispel a little bit of misreporting over the weekend, which suggested that 77^th Brigade were directly interacting with or investigating British citizens who might be involved in spreading or fuelling anti-vax propaganda and stories, and that’s just not the case. 77_^th Brigade don’t do that. But they have been involved in supporting the Cabinet Office in seeing where there might be involvement from overseas, and they play an important contribution to that. I think, at the risk of sort of straying into what Jeremy might go into, you know, we know that most of the anti-vax propaganda is actually being self-generated inside the UK. There is some being filled from overseas and, you know, we – I mean, I enjoy standing on Speakers’ Corner and listening to some crazy opinions, and there’s no shortage of crazy opinions on the internet, and long may that continue, sort of. But where these things are being fuelled from overseas, then there we will take action and if the NCF has a part to play in that, it will.

Dr Robin Niblett CMG

Jeremy, to your part of the…

Jeremy Fleming

From our perspective, we have a long history here. The best way to deal with misinformation is true information and in this context of the pandemic, I think that’s especially important. Kim, you asked particularly about what we’d seen and the way in which threats have manifested themselves during the pandemic, and we have seen serious criminals, actually pretty basic criminals as well, and right up to states, seeking to take advantage of the situation, interested in the production of the vaccine, now very interested in the supply chains around the vaccine. But the majority of it is in people trying to mislead members of the general public such that they can steal money. And, you know, that sense of the, you know, the criminal undertones of this, you know, where would you go to get a test? Where would you go to make sure that you were most up-t0-date? Where would you go to secure your family? You know, this playing on fears in the way in which criminals always do, and serious criminals make a business from, we see that.

One aspect of this that is, I think, increasingly reported, which is worth mentioning, is the increasing prevalence of ransomware. So that has coincided with this period of the pandemic, and it is worrying. So, we’ve seen criminal groups going after government services, and certainly internationally, and there are some aspects of it here in the UK, where denial for a ransom is an effective business model for them. And we, as a nation and globally, and it’s one of those areas where we need stronger international norms and stronger international law, and again, the National Cyber Force can be in and around that space.

Dr Robin Niblett CMG

So, we probably answered Hugh Jenkins’s question on this, which is about the impact of all of these threats on independent actors. So, Hugh, I going to, if you don’t mind, park your question. We’re kind of over time already. I wanted to get, just get three sort of little things together. They won’t be little, of course. But – ‘cause there’s a question here, a very important one, I think, by Rich H. Rich H., if you don’t mind, I’ll ask your question for you, just to be – for the interests of time, and then I’m going to ask a Brexit question. And then, Patricia, you will have a little closing thing, and then, if there’s anything left for you to say, we’ll say it. We shouldn’t be more than three or four minutes.

Rich H. “As NCF’s mandate includes domestic as well as international targets, is there a possibility that military personnel could be part of a targeting chain on UK citizens or domestic police part of targeting foreign citizens? Is the need to operate in the information space moving beyond the boundaries of existing law?” I think that’s clear. But you’re frowning, Patrick, and I was going to go to you first. As the mandate, is there a possibility that military personnel could be part of a targeting chain on UK citizens? Was the first part of the question.

General Sir Patrick Sanders

So, I’m simply going to refer back to the legal framework that we operate under. The NCF is targeted. Well, the NCF will conduct its operations and its activities under a legal framework that operates under parliamentary scrutiny and political scrutiny and political authority. So, it will – any NCF activity will be legal and ethical.

Dr Robin Niblett CMG

Do you want to come in on that, or was that the answer you would give as well?

Jeremy Fleming

Well, I mean, I reject the targeting chain language in the question, but I completely agree with how Patrick answered.

Dr Robin Niblett CMG

Okay, question made. The bigger question that I had was on Brexit. Deal or no deal, and I’m not asking you to answer that question, but whether there is a deal or there isn’t a deal, what are the implications as you’re aware of, in terms of data sharing? And as I’m trying to piggyback this as a time for Patricia to come in, the UK as it’s moving out of the EU, emphasising a lot more, even more than usual, its role within NATO. Is there some sort of bridge there that the NATO contribution we’re making on increasing cyber capabilities, I don’t know, might somehow compensate for what we may be losing, in terms of some of the data sharing? Maybe I’m over-conflating things here. I’ll start, Patrick, with you.

General Sir Patrick Sanders

I mean, I think that, you know, it’s no secret that the UK is one of the two leading powers in defence and security in Europe, and that regardless of the outcome on the 1^st January, that won’t change. And our relationships with our European partners, and a few in particular, is strong enough to withstand any of the strain and tension that may arise as a result of that. And I’ll let Jeremy speak for the specifics about data, but certainly, when it comes to all the defence and security aspects that I’m involved with, those links will not change, and they will be, if anything, well, they will be as strong. And of course, NATO is the critical, but not the only vehicle for using that.

Jeremy Fleming

But national security has never been a competence of the EU. I mean, that in a legal sense. And so, that is the case that today we are operating even more closely with our European colleagues than we were at the point of the referendum, and we do that because there’s great national self-interest in close co-operation, and I fully expect that to be the case 1^st January, deal or no deal. The specifics around data adequacy, this is an important issue. We need to reach an agreement with the EU around data adequacy. It is the UK’s position that our arrangements, and obviously because they have been developed whilst we were in the European Union, are adequate insofar as the EU is concerned, going forward and we just need to nail that down. But I think that can be a relatively straightforward thing.

More broadly then, of course, we look to a future where, much as Patricia’s earlier question indicated, you know, there is room for a global accommodation on where we go on data and where we go on the standards underpinning this. And the UK wants to be in there shaping that, alongside the United States, alongside the European Union, and certainly in that liberal, likeminded, democratic way that has been our hallmark forever.

Dr Robin Niblett CMG

Patricia, did you have a last comment before we kind of wrap this up?

Dr Patricia Lewis

Well, I mean, apart from to say thank you so much for allowing us to have, in the spirit of an open debate, a continuation of that. And I just wanted to say, just to get the perspective that cyber defences remain vital and paramount and this NCF is in addition to NCSC, it’s not instead of. These two things kind of operate side-by-side, and one doing defences and one doing more forward, active engagement and you know, with GCHQ as the mothership, if you like, behind it. I hope you don’t mind being described in that way and I think that that’s really important, that we – that this expertise has been developing for quite a while and getting it out there in the open and talking about it is vital. And it will be really important, going forward, to keep this communication open, to keep us talking about it so that we get it right, because otherwise, we do run a risk of undermining our communications in the norm-setting and behavioural-setting that we’re doing in the UN and other forums. So, thank you for the opportunity to be able to get this discussion going so soon after the announcement of NCF. Thank you.

Dr Robin Niblett CMG

Thanks, Patricia. Patrick, any last thought or comment from you? Anything that we’ve not covered here?

General Sir Patrick Sanders

Just, I mean, one really simple comment, and as Jeremy and I sit here onstage, and I’m wearing a, you know, brown suit for effect, so that you can see the military aspect of this. While we’re talking here, and for the last nine months, we have got a team, a combined team, of military and GCHQ people operating constantly, daily, in cyberspace, whether it’s on military operations or against other targets, to keep the UK safe, and they’re doing an incredible job.

Dr Robin Niblett CMG

Thank you. Jeremy, last comment.

Jeremy Fleming

This is the latest evolution in the nation’s cyber power and the way in which Patricia put it, building out from that defensive posture, giving the UK options, but critically doing that in a way which adheres to and leads the way in defining cyber norms. I think it’s a really exciting thing for the nation, and I think that the UK will be a safer place as a result of it.

Dr Robin Niblett CMG

Well, let me join Patricia in saying thank you both very much for taking the time to come and join us to share publicly your thoughts with Chatham House members and our other guests. We really appreciate it. It’s a good way to, as Patricia said, get this debate really publicly out there, and we look forward to, you know, drawing on this for our own work in this space, which as Patricia mentioned, is extensive. For me, one of the big takeaways or reminders, as this is not my area, is the extent to which this is a continuation of what’s been going on for a long time. We’re in a different security environment now, but this integration, of our various forms of intelligence capability and military, not just out, but to defend as well, is really incredibly important and the next stage. So hopefully, the things the UK is doing in this space will really set some interesting patterns and structures for others to follow as well.

So, thank you very much indeed. Normally, I’d say a warm hand of applause, but what can I do? Patricia and I are the only ones we can see at the moment, apart from a few folks here in the room with us, very, very distanced, I might add. But thank you very much. Thanks to all of our guests, to our members for being with us today. We appreciate very much the time you’ve taken to come and join us and see you in the new year, in some shape or form, virtually or in practice. Thank you.

Jeremy Fleming

Happy Christmas.

Dr Robin Niblett CMG

Happy Christmas.