CyberWire Daily - CyberWire Pro Interview Selects: Sir David Omand.
Episode Date: December 30, 2021During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a cura...ted selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Sir David Omand, former GCHQ Director, on his book, How Spies Think: Ten Lessons in Intelligence.. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
Sir David Omund is visiting professor at King's College London and former director of GCHQ,
the UK government's intelligence and security organization.
He's author of the recently published book, How Spies Think, Ten Lessons in Intelligence.
Sir David Omund, thank you for
joining us. It's a pleasure. Well, let's begin with the book here. What prompted you to write
the book, How Spies Think? I started writing this book after seeing how, first of all, the British
Brexit referendum and then the 2016 US presidential election were being reflected in social media.
And I was getting increasingly cross at the way that I saw this rising tide of half-truths and
distortions trying to persuade us online of what we ought to think and want, not to mention some
outright falsehoods and deceptions,
and not just coming from Russia aimed at widening divisions in society and increasingly setting us at each other's throats.
Well, the book sets up a framework that you all used in British intelligence
that you maintain is useful for all of us as we try to deal with this misinformation quite often.
Can you take us through, I mean, how does someone trained the way that you were approach this sort of information?
I've coined an acronym, SEES, S-E-E-S, for the four kinds of output that rational analysis can give a decision maker.
And the first S in C is situational awareness, facts on the ground,
what is going on, when and where, those sort of questions.
That's an essential first step.
And of course, you can't always trust what you see.
We have to guard against deception. We have to take into account that some of the information
we have is bound to be wrong or it's fragmentary or it's incomplete. But that's the starting point.
But facts on their own tell you nothing. It's only when you explain them, when you put them in a context,
that they actually have meaning for us.
And this can be really quite difficult.
This is E in the first E in C's, the explanation of what you're seeing.
I mean, every defence lawyer knows this.
Here's a simple example.
knows this. Here's a simple example. The fingerprints of a suspect are found on the fragments of a bottle thrown at a police patrol. Suspect is in court. The evidence is produced.
Now, are the fingerprints evidence that he threw the bottle, or did the mob rushing past his front
door simply pick the bottle out of his recycling bin. Two explanations
of the same fact. So getting your explanation right is absolutely key. But if you've got a
good explanation and enough data, then you can estimate how things might evolve. And this is for
the decision maker really what they want to know. It's looking ahead.
It's saying, on the basis of these assumptions, this is what we expect to see happening next.
And this answers questions that start with why or what for. But whilst you're focused on those
first three, situational awareness, explanation and estimation,
something totally unexpected is liable to come and hit you on the back of the head. So I round
off the acronym, the final S, with strategic notice. That is giving the decision makers
some advance warning of things that might come and disturb them,
dangerous developments in the future.
Taken all together, if you have those four outputs,
then you can, I think, take good evidence-based decisions.
Is this at its core of a rational process?
I mean, it strikes me that one of the things that the
folks who are trying to spread misinformation do is try to short circuit that that rational
thinking part of our brains absolutely right absolutely right i mean when any of us have a
decision to take there are two different kinds of thought we have to have in our minds. One is the rational
analysis that I've just been talking about, and the other is emotional. Why did we want to take
the decision? What do we fear and we're trying to avoid by taking a decision, or indeed not taking
a decision? And you have to balance those two, the rational and the emotionally driven parts.
Both are necessary. We try in the intelligence business to keep the rational stuff neutral,
impartial. But we know perfectly well that the elected politicians have a democratic mandate to take a decision.
They have many considerations in their minds.
So that's where you get this balance.
Now, what's happened, I think, particularly on social media,
is that the emotional side has taken over.
Stuff is pushed out not because it's true or likely to be true,
but just because it has the right kind of emotional impact
on the person who's watching or viewing on the screen.
It has that impact.
And so I think it's time to redress the balance.
And that's what the book is about.
It's about saying, whether it's in government or in business or in private life,
just think a little more carefully.
Get the rational analysis right.
And then you're less likely to fall into some of the traps
that are there for the unwary,
particularly the magical thinking.
I want it to be true.
Therefore, it will be true.
Well, no, sadly, that's not how the world works.
You know, the book is full of examples from your career of using this framework to good effect.
Can you share with us any particular examples that stand out to you where approaching a problem this way worked out for the best?
stand out to you where approaching a problem this way worked out for the best? Well, there's one.
I opened the book with one example which I will never forget. I was the person who showed Margaret Thatcher, then Prime Minister of the United Kingdom, showed her intercepts of Argentine naval communications that revealed that the Falkland Islands
were about to be invaded by the Argentine junta in 1982. It was a very dramatic moment.
The islands are so far away in the South Atlantic that there was no time to send reinforcements,
that there was no time to send reinforcements,
but at least what the intelligence did,
it provided the situational awareness,
the explanation we could work out from the content of these intercepted messages,
and that gave her the forward look,
the estimate that by the end of the week
they would be on the island
and there was nothing to stop them.
And that gave her time to mobilize to the Royal Navy
to put together a task force to send to the South Atlantic
to recapture the islands.
And that almost certainly saved her political life.
If she'd woken up a few days after this warning. I think her position would
have been very rocky as it was. She could stand up and say, yes, this is an appalling act of violence
against innocent islanders, but we're already taking steps to recapture them, which of course is eventually what happened.
But of course the fourth element of my model that I mentioned,
strategic notice, had been a failure
because we hadn't warned sufficiently in advance
that this might be one of the possibilities
and therefore we hadn't reinforced the islands
in the way that we should have done.
Yeah, and it's a really fascinating point.
I suppose the lessons that you must have learned when things did not go well,
when you experienced failure despite your best efforts.
Yes, the book is subtitled Ten Lessons in Intelligence
and the first lesson, which is true for everyone,
is that our knowledge of the world is always fragmentary, incomplete, and it is sometimes wrong.
But if you gather information, if you explain it carefully, then you can predict or estimate how things are likely to turn out.
I think the current COVID-19 epidemic illustrates this model really very well.
You need the knowledge of the world.
You need to know who is being infected, how many people are being admitted to hospital. You need all that
data, which is gradually, gradually coming forward. Then you need to explain it in terms of
how does the disease actually transmit from one person to another. And then you can produce a good model showing how things are likely to turn out.
Had all that been done and had governments been listening to that kind of modeling from the scientists,
then probably we wouldn't be in quite the mess we're in now.
How do you suppose things are different for the leadership at GCHQ today,
having to deal with things like social media,
and how much more connected folks are than when you were running the organization?
Yes, the world has changed.
When I was running the organization, Google, I think, was merely a research project.
You know, we're talking about the mid-1990s.
But we could see coming over the horizon a transformation of the world
from analog to digital.
And digitization, the ability to turn any form of information,
whether it's sound or video,
any data can be digitized, turned into numbers,
and stored and enciphered.
The transformation is very profound.
GTHQ and its partner in the United States,
the National Security Agency, have done amazingly well to keep up.
In some ways, it assists the intelligence officer
because there is more information that can be drawn on.
On the other hand, there is so much, the volume of digital data is so enormous
that the bad guys can hide much more easily than they could in the past.
And by using digital ways of attacking networks that has recently been uncovered in the United
States, of course, you can then get inside your adversary and gather very large quantities of information.
Can you give us some insights into the relationship between GCHQ and the NSA, the two nations? Are there significant differences in their approaches? Is there
a different style in the way that they approach spycraft?
Is there a different style in the way that they approach spycraft?
I've got a chapter in the book on that relationship because it's a wonderful example of long-term partnership in mutual interest.
It wouldn't have survived after the Second World War
if both nations hadn't recognized that they could do more together
than they could do separately.
And that, of course, is particularly the case for the United Kingdom
because we're a much smaller country.
But nonetheless, we have extremely good people,
we've got good access, we've a long tradition of a diverse set of minds
trying to solve some of these problems.
So together we are stronger than we are individually.
It's based on an extraordinary Second World War experience of sharing.
And it's, I think, the only example in the world where two sovereign nations
have deliberately decided to pool, put together
some of their deepest secrets and it relies on each regarding the other as completely trustworthy
and capable of managing securely those deep secrets. It's undoubtedly saved a great many lives recently. Their work
uncovers the activities of terrorists and proliferators and criminal gangs.
Not everything is shared. There are one or two areas where, for political reasons,
the two sides have agreed, no, we won't expect you to share information on that.
It's politically sensitive for you.
And we have some areas like that as well.
But almost all of it is jointly acquired and processed.
As to culture and attitude,
because it's larger,
the National Security Agency as to culture and attitude because it's larger the national security agency probably
has a better handle on if you like volume but it's maybe a bit less agile because it's so much bigger
gchq is smaller it can turn direction rather faster. But both still manage to recruit extremely able people,
the sort of unusual minds that can solve problems and devise ways of getting information that
the bad guys simply don't know is possible. You mentioned the situation that we find ourselves here in the U.S.
with the recent relevations about the SolarWinds breach.
And there's been a real spectrum of reaction in the reporting.
Some folks, politicians and otherwise, saying,
oh, this is an act of war.
Others saying, oh, this is espionage.
Please dial down the rhetoric.
I'm wondering, what is your response to something like this?
The revelation of such a large, broad act of espionage.
I'm on the outside, but I'll give you my view,
which is very firmly that this has all the hallmarks
of a Russian large-scale espionage operation.
It's not the first.
Back in the end of the 1990s, there was an operation codenamed Moonlight Maze,
which is really the first major cyber espionage operation known about. And the Russians attacked the U.S. defense
establishment pretty comprehensively. And a joint U.S. and British effort managed to uncover it
and stop it. But that was, if some of your listeners may remember, that was when the Defence Secretary had to instruct every member
of the Pentagon to change their passwords. Now, that was an attack through the front door,
which had not been sufficiently secured because the threat from cyber espionage had not been
sufficiently recognised. This latest attack is through the basement. This is a different kind of attack.
It's much sneakier. It appears to be rather cleverly devised. It hasn't got into highly
classified networks. The national security damage may not be too severe, probably less severe than the Moonlight Maze, which did penetrate highly classified networks.
But it's a major act of espionage.
It's not an act of war.
We spy on people.
The United States spies on its adversaries.
There's no international law prohibiting espionage,
and there never will be,
because countries will never agree on the definition of what counts as espionage, and there never will be, because countries will never agree
on the definition of what counts as espionage. If, however, it were to be revealed that this
attack had been used to plant destructive malware of the kind that we know, the names like NotPetra,
WannaCry, or the ransomware attacks that the hospital sector has suffered.
If it was that, then it would be extremely serious rather than just being serious.
But it's our responsibility as free nations to guard ourselves against espionage by hostile nations.
to guard ourselves against espionage by hostile nations.
In this occasion, the hostile nation got won over the United States.
But the message is you have to be more careful about how you defend your networks.
Getting back to the book, what do you hope that people take away from it?
What do you hope that someone who reads the book learns from it?
Well, the top line message would be, be much more aware in this digital era as you use social media. Be aware of what is happening to you.
You are being emotionally manipulated.
to you. You are being emotionally manipulated. And whether it's for the purposes of commercial purposes, advertising that is targeted at you, whether it's political advertising that's targeted
at you, or indeed whether it's hostile interference in your democracy targeted by an adversary country. Be aware of that. Not everything you read is true. And
I think that sense of just being more careful, and that leads inevitably into the kind of analysis
you need to carry out, the kind of thinking, let's call it just thinking. You just have to be a
little more careful how you think in this era. And politicians
have to be more responsible about, although they can try and manipulate us emotionally using social
media, for example, they shouldn't. They should get back to a much more rational conversation with their voters.
Well, the title of the book is How Spies Think, Ten Lessons in Intelligence.
Sir David Omond, thank you so much for joining us.
It's been a pleasure.