Case study A8/9
GCHQ
Action/anomaly detection
Cyber-defence
In 2016 a European media company suffered a major, destructive cyber-attack. Through the analysis of bulk interception data, GCHQ was able to link this attack to other compromises in the same sector and to explain what had happened. Further information then suggested a possible imminent threat to the UK from the same cyber-attackers during the UK election period. GCHQ deployed a capability to protect government networks from this cyber-attacker, and media organisations were briefed to enable them to protect their networks. Since then, a particular UK media company has been alerted to a compromise by the same attackers and has been able to clean up its networks. The combination of the analysis of communications data obtained through bulk interception and work with international partners helped to prevent the UK from suffering a major attack similar to that on the European company.
To achieve the same outcome without the use of bulk powers, GCHQ would have had to
place sensors on the computers of thousands of potential victims, which would not have
been practical and would not necessarily have been effective. Since there had been no
reason to believe that the UK media company would be selected for a cyber-attack, the
attack would not have been detected by targeted means. It is possible that commercial
anti-virus companies might have been able to provide some defence against the attack,
if the media company had had appropriate software installed. However, as in the
previous example, a commercial provider would not have been able to provide advance
warning or identify the overseas attackers. Further, whether or not a business has
protection against such an attack depends, inevitably, upon whether that business has
chosen to buy cyber-defence products.
Cyber-defence analysts use bulk interception to detect attacks; attacker infrastructure is
located across the world and changes constantly. In addition, attackers have a wide
range of targets – governmental, military, economic, industrial and commercial – and
GCHQ cannot predict in advance which entities will be targeted or when they will be
targeted. GCHQ therefore cannot provide adequate cyber-defence through targeted
means.
GCHQ estimates that 60% of those victims whom it has identified as having been the
subject of cyber-attack did not know that they had been targeted. Since some companies
may choose for commercial reasons not to publicise the fact that they have suffered a
cyber-attack, and since GCHQ cannot say that it has identified every victim, the true
percentage of all victims may be different.