The highly secretive world of government-led hacking is slowly opening up. UK officials have revealed that an offensive hacking group has been working against criminals and hostile state activities since April this year and is working on new incidents every day.
Dubbed the National Cyber Force (NCF), the group is made up of an unspecified number of people from signals agency GCHQ, the Ministry of Defence, foreign intelligence agency MI6 and the Defence Science and Technology Laboratory. The creation of the NCF was first mooted two years ago, but has only just been completed as part of a defence spending review to give forces an extra £16 billion during the coming years.
The public acknowledgement of the NCF is the latest effort to introduce some transparency around the activities that the UK undertakes in the digital world. In 2016 the country’s National Cyber Security Center, an offshoot of GCHQ, was created to help protect businesses and infrastructure. However, the NCF has been set up for an entirely different purpose: it was created to go on the offensive.
Instead of focussing on defensive measures, the NCF will be involved in proactive attacks. It will look to defend the UK by disrupting the activities of those groups and nations it deems to be sufficient threats – which are likely to include Russia and China, both of which have targeted the UK during the coronavirus pandemic. “It brings together intelligence and defence capabilities to transform the UK’s ability to contest adversaries in cyber space, to protect the country, its people and our way of life,” Jeremy Fleming, the director of GCHQ, said in a statement on Thursday.
So what exactly will the NCF be able to do in the name of defence? That’s where things get more opaque – while the group’s main mission is being publicly revealed, its work will still remain secret. Staff from all of the NCF’s members are scattered around the UK and take part in joint operations co-ordinated by the force’s leadership. Government ministers say the force could have up to 3,000 people working for it in the next decade and that it is growing fast.
In a number of hypothetical scenarios, the government says the force could interfere with terrorists’ phones to prevent communication with their contacts; help to stop the spread of child sexual abuse online; and protect UK military aircraft under attack. Officials refuse to comment on the work the NCF has done since April, citing operational sensitivities and the need to launch unexpected attacks. However, they say the NCF will use behavioural science to disrupt the activities of hostile groups.
As one member of the Five Eyes intelligence group, which also includes Australia, Canada, New Zealand and the United States, the UK is one of the most sophisticated actors in the world when it comes to cyber operations. The creation of the NCF is a way to show other countries that its efforts are ramping up and follows an increased amount of proactive activity by the US. Efforts will differ from the tactics used by Russia, China and North Korea, which have a history of conducting cyber operations for financial or political gain.
However, it’s likely that a large part of NCF’s role will focus on hacking. Under UK law, government hacking is allowed. But privacy advocates are concerned about government agencies’ lack of transparency and the scale of their operations. Courts have previously ruled that GCHQ data collection violated people’s human rights.
At the end of 2016, politicians passed the Investigatory Powers Act (IP Act), dubbed the Snooper’s Charter at the time, which allows the use of ‘equipment interference’ by intelligence agencies. In short: hacking into computers, networks, phones, servers and more can be allowed by law. In theory, it can include entire communications networks or be focussed on specific individuals.
This hacking could be done through software vulnerabilities – those that have been publicly disclosed by security researchers and new unknown ways of getting into devices – plus the use of human spies who can physically access devices. MI6 has networks of covert agents stationed around the world.
GCHQ has increased its use of equipment interference since the IP Act was passed. The law allows mass hacking as part of “bulk interference” when warrants have been granted – although this type of bulk hacking can only be used against “overseas” information or equipment. At the end of 2018, GCHQ said it needed to conduct more bulk interference due to “operational and technical realities” – intelligence sources told The Guardian it was because of greater uses of encryption. The hacking could be used to gather information for investigations, stop people communicating or for degrading and damaging physical systems.
The UK has been conducting offensive cyber attacks for years but only one has ever been publicly revealed. In 2016, the government announced that it had been launching disruptive attacks against the so-called Islamic State. At the time defence secretary Philip Hammond said the effort was part of the National Offensive Cyber Programme and was part of efforts to cause “damage, disruption or destruction”. GCHQ’s Fleming revealed a little more about the attack in 2018 saying Islamic State equipment was destroyed and the group found it “almost impossible to spread their hate online”.
GCHQ’s past history of hacking efforts was revealed in documents leaked by NSA whistleblower Edward Snowden. They refer to the UK’s “computer network exploitation (CNE)” efforts. Slides list three ways of conducting effective operations: degrading someone’s communications to slow networks down, “bringing down” web browsers and “changing users’ passwords on extremist websites”. However, the UK has historically looked to deny any blame pinned against it, including reports that GCHQ hacked into a telecoms agency in the summer of 2013.
The emergence of the NCF follows an increased amount of activity by US cyber forces. In recent weeks, hackers working for the US Cyber Command reportedly disrupted the operation of Trickbot, the world’s largest botnet, which is believed to be controlled by Russian cybercriminals. US forces allegedly hacked the servers controlling the botnet and added faked data into the collection of passwords and financial details that its owners had amassed. Cyber Command is also believed to have attacked Russia’s propaganda machine, the Internet Research Agency, during the 2018 mid-term elections, turning off the agency’s internet access.
It is unclear whether the UK will follow the US’ tactics. However, officials say the NCF’s actions will stay inside the law and be proportionate. Its activities are governed by the Intelligence Services Act as well as the IP Act, and government ministers will be required to sign off on the launch of advanced attacks.
The NCF may reveal more about its operations in the future, but publicly announcing its existence may make other countries consider boosting their own cyber capabilities. This has the potential to reshape the future of the internet. “A more secure digital environment is the best guarantor of safety and security for Western countries in the digital age,” Ciaran Martin, the former head of the National Cyber Security Center, said last week. “We weaponise the Internet at our peril. We militarise the Internet at our peril.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1