Former MI6 chief Sir Alex Younger on why "intelligence is fundamental" to cybersecurity
Over his 30-year career at the U.K.'s Secret Intelligence Service, commonly known as MI6, Sir Alex Younger witnessed a sea change in the way countries gather and use intelligence.
"[When I joined MI6], you could go anywhere and do anything and say anything and nobody would be in a position to second guess you. Now, of course, that's just not true: Everything you do is essentially auditable..." said Younger, who led the agency from 2014 to 2020. "If the data is on your side now, you win. If not, you are in trouble."
Younger spent his early career in the field, mostly in the Middle East and Afghanistan, and rose to the position of director of counter-terrorism in 2009. But during his time leading the agency, issues around cybersecurity—such as disinformation, economic espionage, and ransomware attacks—swelled in importance. Younger compares it to the lead-up to the first World War, where "nobody really knows what the rules are, everyone thinks they're in the right."
Since leaving his position in government, Younger said he's looking forward to being more vocal about his opinions and the ability to explore how the private sector operates. Recorded Future—the publisher of The Record—announced on Tuesday that Younger is joining the company's board. In a series of conversations with The Record, Younger discussed his time in the Secret Intelligence Service, Russia's disinformation game, and why ransomware is more of a people problem than a technological one. The discussion below has been condensed and edited for clarity.
The Record: You left the Secret Intelligence Service about six months ago—what do you miss about being a spy chief?
Sir Alex Younger: I really loved being a spy, and I'm very glad that career found me—in the days when I began, that's how it worked. You didn't apply, you got approached. And although it wasn't without its pressures, I'm very glad that's the turn that my life took. I joined at a time when the world was very different, but the essence of the task, which is creating relationships of trust with people across forbidding political and cultural and linguistic boundaries, remains the same.
The mission attracts people with two particular traits: one is a very developed level of curiosity about the world and the other is a need to do something about it and to be consequential in however small a way. So it's full of people who are curious, want to make a difference and, by the way, generally have a developed sense of humor. I’m not sure if this environment is unique, but it is certainly special, and it is a privilege to work in a place like that.
I don't particularly miss being part of a big system. Of course it is incredibly validating to be at the centre of things. But it is now time to try something new. I was chief for six years, I was an intelligence officer for 30 years, and although I didn't achieve all of the things that I wanted to achieve, I achieved a good part of them and I don't feel a sense of unfinished business. The service is under great new leadership and I've got deep faith in the people there. So I'm happy with the idea that it's time to move on. As my wife points out, there is more to life than government. I love the idea of being a private citizen. I can be more open about what I think, and I've got much more freedom over my time, so actually the next phase feels quite exciting.
TR: Why do you think they approached you in the first place?
AY: Well... I don't know. And the things that the service looks for in recruits have to some extent changed over time. But there are a couple of constants. Probably the most important one of those is a spirit of intellectual curiosity, wanting to understand the world around you. And the other is emotional intelligence and the appetite and the capability to listen to people and try to understand what makes them tick. I can only suppose that those were the things that they saw in me—but you'd have to ask them if you want a definitive answer!
TR: It sounds similar to journalism—you could have been a reporter.
AY: I think that is one of the reasons that journalists and spies often have such a difficult relationship—beyond the obvious secrecy stuff—I think they are rather similar characters.
TR: What were the biggest changes that you witnessed both at the agency and with how intelligence is conducted?
AY: The things that have stayed the same are the things I mentioned earlier: fundamentally it's about talking to people, understanding them, creating relationships of trust, it's about overseas, and crucially it's about making sure that everything you do supports the values of your country and doesn't undermine them—I utterly reject the idea that there is a moral equivalence between us and our adversaries. I like to think those are the constants. We're human beings; sometimes you don't live up to your own aspirations, but those were always the standards I aspired to.
"In ’91 you could go anywhere and do anything and say anything and nobody would be in a position to second guess you. Now, of course, that's just not true: Everything you do is essentially auditable in this world in which we live. And that leaves both opportunities and problems, but it mandates really significant change. If the data is on your side now, you win. If not, you are in trouble."
The two huge changes are obvious: digitalization and globalization. With globalization, the boundaries have gone: between peace and war; cyber and real; domestic and international. And these were the boundaries that we used to organize our work when I arrived in 1991. They've just gone. The premium on effective partnership and organizational flexibility has shot up as a result. Now the person who can transcend those boundaries and cross them will win. So partnership is a feature of life now where it wasn't really in ’91, and that's good. I think we are good at partnership, but I have to say that we've had some lessons from the autocrats on this: the Russian bureaucracy is world leading when it comes to internal rivalry, but they can still integrate very well because they're run by an autocracy, with a very strong centralizing function. And we need to find our way of generating that, not least with a much more forward-leaning approach to the private sector, in particular for tech. This will be vital if we are to find the solutions that we need to stay ahead. The days when we arguably shortened WW2 by cracking the German Enigma code at Bletchley Park, sitting behind the wire (and incidentally inventing the first computer!), are behind us. The really important solutions lie beyond our security fences, in partnership with the commercial world and academia.
The other is digitization, where, put bluntly, in ’91 you could go anywhere and do anything and say anything and nobody would be in a position to second guess you. Now, of course, that's just not true: Everything you do is essentially auditable in this world in which we live. And that leaves both opportunities and problems, but it mandates really significant change. If the data is on your side now, you win. If not, you are in trouble. It’s Darwinian.
TR: How has the service changed with evolving threats?
AY: In the early 1990s, the internet wasn’t really a thing, and now cyber threats are a constant issue.
I don't think of cyber so much as a threat as a vector. It's not about computers acting autonomously (at least not yet!). It is ultimately done by human beings, attempting to assert security or economic interests. They still live in places, and behave in ways both unpredictable and imperfect. So in a sense it's a traditional problem enacted in a different way.
It is also highly dynamic. So, it seems to me that our capacity to defend ourselves in cyberspace is fundamentally rooted in the need for good intelligence. If you take a Second World War analogy, the French built the Maginot line, the series of forts along their eastern border, and assumed that those would be enough to repel any conceivable German invasion. And not only was that wrong, but it influenced their behavior and it stopped them looking eastwards—it wasn't just a physical problem, it was an imagination problem. And it meant that they didn't have the flexibility, either of thinking or capability, to defend themselves. So when the war started and the German blitzkrieg just went around the edge, they had a problem.
I think it's really important to think about cybersecurity in the same way. There's a place for static defenses, and in truth a surprising amount of our ability to defend ourselves is just about doing the basics right. But beyond that, if you're to achieve any real form of resilience, it's all about what's going on outside. For states, organizations and individuals, intelligence is fundamental to our ability to keep ourselves safe. Understanding your environment, understanding the threats that are out there, understanding, crucially, the people behind the threats and what their intent is, and understanding the context, the incentives, politics, the geopolitics behind that threat... All those things are necessary if you’re to effectively defend yourself.
TR: In 2016 around the time of the U.S. presidential election, you said that cyberattacks and disinformation pose a fundamental threat to the U.K. and other democracies. Were you specifically referring to Russia? And when you look back at it five years later, do you think that the issue has improved or has it just gotten worse?
AY: I was talking about Russia and it's arguably got worse. The Russian state has been invested in disinformation campaigns for most of its existence. And, frankly, it's generally been pretty good at them. And now cyber disturbingly provides an excellent new vector to conduct this ancient business along. They have some strong capabilities that we need to take seriously. Russia has a combination of technically skilled people, and a highly precarious economy characterized by corruption and blurred boundaries between the state and the private sector. The Russian intelligence services can therefore call on a community that exists in the gray space between organized crime and intelligence, to conduct this very traditional mission.
With the internet, in cyberspace, they've got the perfect opportunity to stimulate discord and distrust in the West at very little cost and at some scale, and it's a serious problem and we need to organize to stop it. But I've also been really clear that there are two mistakes we mustn’t make. One is to big this up. It is a strategic problem, but it's not an existential risk—the response to it is the existential risk. And we don't want to do the FSB or the SVR or the GRU’s job for them by overreacting.
"It's a bit August 1914. Nobody really knows what the rules are, everyone thinks they're in the right, everyone's got a new capability which they don't really understand the consequences of. It feels febrile."
The second, related, mistake would be to allow this activity to distract us from solving the self-made problems that exist within our societies. It’s easy to blame the Russians for much that is wrong in our society. But it is also obviously wrong. Most of our problems are self made; if we are distracted from solving them by an obsession with foreign interference, then, ironically, the Russians will have achieved their objective.
TR: You commented a couple of years ago that the U.K. needed to decide the extent to which it is going to be comfortable with the Chinese ownership of 5G and other infrastructure technologies. Where do you personally stand on this issue, and what are your biggest concerns with Chinese involvement in 5G?
AY: I'm not relaxed about this. We have to face the fact that we’ve now got one planet, two systems. As a child of the Enlightenment, and liberal democracy, I regret this, but it's a fact. And I don’t think it is going to change any time soon. The idea that China will become more like us as it gets richer is for the birds. On the contrary, it’s obvious that there will be continuing ideological divergence and steepening rivalry. I think we've got to find a way of dealing with that, while avoiding a new cold war. This will require unity and innovation on the part of the west, which in turn generates strength—the only real language that the CCP understands. But also statesmanship. The big issues that we face as a global population—pandemic disease, climate change, antimicrobial resistance, whatever it might be—cannot be solved unless the international system as a whole is working on them.
On 5G, we were faced with the possibility of very significant participation of Huawei in the U.K. In practice, the decision was made because following U.S. sanctions, we could not provide assurance that Huawei would be able to fulfill its part of the supply contract. And also, there were significant concerns from the National Cyber Security Centre about the quality of cyber engineering. But if you want my personal view—this is not the government view—the most important thing is to avoid dependence on a country that doesn't share your values for any aspect of your critical national infrastructure. Diversity of supply is therefore the key national security imperative—cyber risk matters as well, of course, but I have to note that we are being pretty thoroughly attacked over infrastructure designed in the west, so this is about more than excluding foreign vendors.
I've got a challenge to make after this decision, which is that we have concluded what we don't want, but we need to work up what we do want. So what is the Western, for want of a better word, response to generating these key technologies together? At the moment, we seem to have just decided to have some slightly fruitless arguments between the U.S. and Europe over tech sovereignty or protectionism or tax and essentially fragmenting our response to a monolithic problem, which is the authoritarian capacity to innovate potentially faster than us. We seem to have just decided to argue with each other, and I do not think that's the answer.
TR: Between Russia and China, which concerns you the most when it comes to cybersecurity?
AY: We’ve got kind of an acute problem and a chronic problem. The acute problem is Russia, and they broadly focus on political objectives as opposed to economic ones. We've already discussed that, and it's a problem and we need to deal with it, but we don't want to build it up artificially in the process.
China is a chronic problem. There is an erroneous assumption that the “economic” espionage in which they specialise—stealing IP—is less dangerous than political espionage. But I think it is more damaging in the long term. If our knowledge edge is being removed systematically through cyber theft, that arguably poses the most significant long-term threat to us. We're forfeiting our long-term prosperity and security through an excessively casual approach to knowledge transfer, and we need to get serious about that. One part of that is ensuring that we can become much more resilient when it comes to cybersecurity than we are at present.
"I think we're setting ourselves up for a fall if we say: “If you do this, we're going to do that.” Red lines haven't really worked in the past. The key is for no one to be under any doubt that ultimately this stuff has consequences."
Even more importantly, I think the ultimate threat to our security is falling behind in our capacity to innovate. A superior rate of technology innovation over potential adversaries is the thing that has kept us safe for centuries: lose this, and our kids will not enjoy the same freedoms and choices as we have. And this is about much more than preventing cyber theft of our IP; this is about re-booting the previously formidable western innovation machine. A huge issue, and one that I'm very pleased to see the new administration has begun to deal with.
TR: Are there laws, policies, or standards—either domestically or internationally—that would help with this?
AY: Clearly it would be good if there were laws—it's inherently escalatory when no one knows what's normal and what’s unacceptable. It's a bit August 1914. Nobody really knows what the rules are, everyone thinks they're in the right, everyone's got a new capability which they don't really understand the consequences of. It feels febrile. The petrol on the fire—gas on the fire, as you would say—is the idea that these things could be done without attribution, that you can get away with it. It feels dangerous. We need an international effort to thrash out a legal framework, just as happened after 1945 in the human rights space.
But the problem is there's no global unanimity, and if you look at the way in which the Security Council is split, there’s very little prospect of that unanimity being generated. Also there is a trap: we need to bear down on those states, groups or individuals, who exploit the anonymity of the internet to do harm, not just to our infrastructure, but to our citizens, our children and our democracy. But we should recognise that autocrats would be only too happy to sign up to a vision of a top-down regulated internet—they worry about the freedoms the digital world brings for different and self-serving reasons. Rules are needed, but we must hold onto our values.
For now, I think we should focus as a value system on establishing case law through our actions and reactions—to respond to attacks in a way that makes it clear where the boundaries lie. SolarWinds and Microsoft Exchange, for instance, in their different ways, give us challenges where our response will start to set the boundaries and case law around this sort of stuff.
TR: How should intelligence agencies balance secrecy and transparency when it comes to cybersecurity?
AY: Secrecy and ambiguity are inherent to what intelligence services do—to protect sources and methods. But secrecy is not an end in itself. The purpose is not to be secret, it is to produce intelligence that is useful and helps protect our citizens.
There is always tension between finding stuff out and using what you find, and I think with cyber, as you highlight, that's particularly true. There's no point in us knowing things if we can't then use them to make our societies more resilient. I think that the solution that we've arrived at in the U.K. is probably the optimal one, which is to establish a National Cyber Security Centre within our signals intelligence agency, GCHQ. So it has access to all of the capabilities and intelligence within that organization, but its other focus is the unclassified mission: completely transparent and engaged, including with the private sector. It goes from the geopolitical, which is deciding on issues of attribution of cyberattacks, to the prosaic but vital, which is helping institutions, organizations, companies be more resilient through getting the basics right. It is a good system that gets away from this dichotomy between offense and defense, or public and private and just remembers why we are doing all of this.
"I question whether the ransomware problem in its current form would exist or could exist without the existence of cryptocurrency."
I think the only thing that gives me pause is the risk of moral hazard, by which I mean the government cannot be the organization that solves everything for the people. What you can't do is wave a wand and say we're taking this problem away. The government has a role to play in attribution and particularly in creating international partnerships and treaties and law in the way that we were discussing. But what I don't think they should do is take away the responsibility of individual actors for owning their own cybersecurity. They need to give advice but make it clear that it’s up to each and every one of us to implement that advice, to make the necessary investments.
TR: The U.S. is definitely grappling with this right now, especially with your last point. After SolarWinds, a lot of lawmakers have started asking if the government needs to take a more active role and potentially take over cybersecurity for things like critical infrastructure.
AY: I agree, clearly there's going to be a sliding scale. But the other point I should have made is that the government's got a vast amount to learn. I expect most of the knowledge flow actually to be the other way—there’s a huge amount to learn from big tech and the private sector more broadly.
TR: Lawmakers and cybersecurity experts in the U.S. have been discussing whether the SolarWinds attack amounts to typical espionage or if it crosses a line into something that resembles a dangerous attack. How do you view the issue and how should governments set these lines?
AY: There's a really good treatment of this by Dmitri Alperovitch at Silverado. These two are different types of attacks with different levels of damage associated with them, and they probably mandate different responses. I broadly agree with that.
But the wider issue is that the logic of offensive cyber operations is not symmetrical. Everyone compares it to nuclear weapons and deterrence and all of that. But that's not going to work because there are multiple actors and there is always doubt with attribution. So it's not like you can hold each other at threat with cyber actions or deter people from doing stuff through fear of retaliation in cyberspace. It therefore means that it's pointless to look at this in isolation. Quite often if you suffer a cyberattack, you won't want to respond in cyberspace at all—you want to do something completely different. The FBI has demonstrated this brilliantly with their wanted posters and sanctions against individuals. So it's really important not to fall into the trap of feeling like these things mandate symmetrical responses. They don't.
And I don't think it would be resilient to make policy on the basis of individual instances of attack, although they're pretty important data points that should inform our wider posture. But I think we're setting ourselves up for a fall if we say: “If you do this, we're going to do that.” Red lines haven't really worked in the past. The key is for no one to be under any doubt that ultimately this stuff has consequences; allowing a culture of impunity is highly escalatory. Look at ransomware.
TR: How do you think governments should approach the issue of ransomware?
AY: SolarWinds and Microsoft Exchange represent the more traditional type of cybersecurity problem we’re trying to deal with, but ransomware is bringing to life the real-world consequences of malign cyber activity. It represents a challenge and a real wake-up call for organizations and governments because of the damage it can so obviously do. Clearly, the basic model where they encrypt your data and offer the keys for money is still a very large problem, but the reality is much wider—they’ll get into your system and do bad stuff until you pay them to stop. It’s essentially a digital protection racket, and the reason I labour that point is that it’s evolving fast, and this is now about much more than backing up your data.
I think the advent of cryptocurrency represents a particular issue—there are clearly significant benefits to be had from digital currencies of all kinds, but this isn’t one of them, and I question whether the ransomware problem in its current form would exist or could exist without the existence of cryptocurrency. We need to think of a way of preventing cryptocurrency from being an asset to criminals, and it seems to me there are ways this can be done. Cryptocurrencies are on the blockchain and so are not inherently untraceable; in some ways are more auditable than other mediums of exchange such as cash. The issue is resolving the physical identities or at least nature of the users from their electronic signature, and I think there’s some really interesting approaches developing here, with companies using advanced data analytics to distinguish between good and bad cryptocurrency users. We have to develop this technology quickly to deny criminals the advantage of anonymity. Digital KYC.
But the issue I’m most focused on is that, ultimately, ransomware is not a computer problem—it’s a people problem. It’s done by people who need a physical place to hide and to spend their money, immune from the consequences of their actions. If the Colonial Pipeline hack has a benefit—and clearly it was a terrible thing to do—it demonstrates that a strictly law enforcement approach to ransomware is now no longer enough and there has to be a geopolitical dimension to the problem. The ability of ransomware attackers to work with impunity out of specific geographies is a huge part of the issue, and that geography is more often than not Russia. If Colonial galvanizes the U.S. government to recognize the geopolitical component of this problem, and it works on ways of upping the price for this activity within its broader national security dealings with Russia, then I think something good will come of it. To be clear, I don’t think that in this case it was an attack instigated by the Russian state. But it was done by people within their jurisdiction and it hasn’t escaped anyone’s notice that these organizations don’t attack anybody in Russia.
TR: The perception most people have of your former role comes from actors like Ralph Fiennes playing “M” in James Bond films. And I just wanted to ask, what do the movies get right and wrong about being the head of MI6?
AY: I think we can all relate to the energy, patriotism and raw cunning that Bond brings to the job. But teamwork, integrity, emotional intelligence? I’m not so sure!
He has made us one of the most famous secret organisations in the world, if that is not a contradiction. Which brings benefits, I suppose. But the reality of the work is that it is mostly perspiration with just a dash of inspiration. Not the sort of cocktail Bond would be attracted to!
TR: Yeah, as long as you don’t get people who show up on the first day in a three-piece suit ready to drive an Aston Martin off a bridge.
AY: That's not a good sign—they’ll be in for a disappointment.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.