It is widely acknowledged that Britain has some of the world’s finest cyber capabilities. GCHQ is a global leader in those dark arts, and its offshoot, the National Cyber Security Centre (NCSC), is making that expertise available to businesses and others in need of help with their digital defences.
All the more shocking, then, that our political leaders seem so utterly clueless. They have pledged to make Britain the ‘safest place in the world to be online’, but instead are running around like stars in a digital age ‘Carry On’ movie.
Exhibit number one is Matt Hancock. Whitehall has been busy sweeping ministerial offices in search of cameras of the type that caught the former Health Secretary’s kiss, seemingly unaware of the extent of the surveillance. Yet this was not a hidden device: it was a CCTV camera, a pretty obvious bulbous node in the ceiling, installed by a government contractor.
Hancock claimed he didn’t know it was there, and we are still none-the-wiser as to who captured the pictures and how. The likelihood is that a disgruntled somebody with access to the feed downloaded it or filmed it on the screen with a mobile phone, but can we be sure it wasn’t hacked?
The cameras used in the health department’s building are made by Hikvision, a Chinese company, with close links to the Chinese Communist party. Around 1.3 million of its cameras are being used in the UK by airports, councils, NHS trusts and government departments. This in spite of UK intelligence agencies pushing for curbs on the use of Chinese ‘smart cities’ technology (an umbrella term for surveillance tech), which they fear could be used by Beijing for espionage, surveillance or the collection of sensitive data.
Hancock and Lord Bethell, a health minister in the Lords, have been accused of routinely using private email accounts for government business, but the practice is believed to be widespread – including in No 10, where Boris Johnson has refused to deny that he too uses a private account. Pressed in a BBC interview, justice secretary Robert Buckland agreed that communicating this way was a ‘huge security issue’ that could potentially allow hackers to gain access to government communication. Elizabeth Denham, the Information Commissioner, is said to be ‘looking carefully’ at the issue and considering further action.
It has also been revealed that foreign secretary Dominic Raab’s mobile phone number could easily be found online – as could Boris Johnson’s as recently as April, having been available there for 15 years. For a sophisticated adversary, merely knowing a number can be enough for secretly inserting spyware to eavesdrop and plunder the contents of a smartphone.
Perhaps ministers are not being properly advised by our cyber sleuths, though that seems unlikely. A more plausible explanation is that they have a separate agenda – that they are less concerned with hackers crouching over screens in some Moscow or Beijing cyber bunker than they are with evading legitimate democratic oversight of their activities.
This would seem to be supported by the widespread use of encrypted messaging. WhatsApp has been widely adopted in Westminster (and is not as secure as some assume; it has been hacked), and Signal is catching on fast, giving ministers the added tool of self-destructing messages. More than a third of Johnson’s cabinet, including Rishi Sunak, Priti Patel, Michael Gove, Grant Shapps, Robert Jenrick, Gavin Williamson and the Prime Minister himself have reportedly downloaded the app, which allows the user to set messages to be wiped automatically after a chosen period of time.
The government is facing a crowd-funded legal challenge from the campaigning groups Foxglove and The Citizens. They say the use of these apps could be in breach of the Public Records Act, since it makes it impossible for messages to be obtained later under freedom of information requests or on orders from a judge. Ministers are legally required to conduct government business through official channels so that records can be kept by civil servants and decisions scrutinised.
Much hinges on the definition of ‘government business’, which is not always clear cut. It is also not clear who determines what this includes. This was much easier in the days of memos typed out in triplicate and phone calls made through clunky switchboards, with civil servants sitting at the ministerial elbow. Times and tech have moved on, but it is foolhardy to allow minsters to decide what is, or is not, official business.
The most pressing concern is the pending public inquiry into the government’s handling of Covid-19 pandemic and the thorny issue of alleged cronyism in the handing out of billions of pounds of contracts with little or no due process. There is a real concern that the paper trail may have been muddied by the use of private accounts and messaging apps – indeed, that may well have been the intention.
All of which will no doubt bring a wry smile to faces of Britain’s cyber adversaries. It will come as no comfort that an International Institute for Strategic Studies report recently suggested that China’s cyber capabilities might not be all they are cracked up to be. They don’t need to be – not when they are dealing with our hapless, scheming ministers, who seem intent on doing half the job for them.