LONDON, ENGLAND - AUGUST 09:  In this photo illustration, a hard drive is seen in the light of a projection of a thumbprint on August 09, 2017 in London, England. With so many areas of modern life requiring identity verification, online security remains a constant concern, especially following the recent spate of global hacks.  (Photo by Leon Neal/Getty Images)

American spymasters are concerned over the vulnerability of US companies to cyber attack and are turning to the UK for guidance on how to boost protection in the face of a growing threat from hostile state hackers.

A US intelligence official told the Financial Times that US intelligence is braced for the cyber threat to “get worse”, likening the US to a city at the bottom of a dam that is fast developing cracks.

“Something horrible has to happen to fix it,” said Rick Ledgett, former deputy director of the NSA who left the agency last year after four decades. “The US should follow the UK model.”

One possible solution being weighed by US intelligence officials is to replicate the UK’s National Cyber Security Centre, the public-facing division of Britain’s digital eavesdropping agency GCHQ.

Admiral Michael Rogers, head of the NSA and US Cyber Command, which tackle cyber defence and offence respectively, visited the NCSC’s London headquarters this year, in a sign of the close links between the American and British services.

“The UK example is interesting,” said the US intelligence official, adding that America has not been able to address the cyber threat. The official cited the UK’s effort to develop a national cyber strategy and to house its own cyber security protection regime within each of the intelligence agencies, adding that the US has “not yet done any of this”.

The official said that countries such as the UK also had more of a tradition of interference in the private sector that probably “wouldn’t be tolerated as much” in the US.

“The problem is the US is bigger and more complex and there isn’t a unity of focus,” said Mr Ledgett.

Set up in 2016, the NCSC works closely with companies to manage incidents, protect critical services from attack and provide guidelines for tackling the cyber threat.

“Every country is grappling with this and trying to work out how to do this coherently,” explained Robert Hannigan, a former director of GCHQ who was instrumental in establishing the NCSC. “There are often too many players in cyber and a lack of clarity over who is responsible for what.”

Although the US boasts some of the world’s most advanced and best resourced cyber capabilities inside government bodies such as the National Security Agency and the Department for Homeland Security, senior American officials are divided over the best way to organise and co-ordinate sprawling cyber defence programmes.

Responsibility for defending the US private sector from cyber attack rests with the Department for Homeland Security. But US cyber defence operations also sit with the NSA, the FBI, the Department of Defense, the National Guard and the CIA.

Fears over US vulnerability come amid growing evidence of cyber hostility from Russia, North Korea and China. US intelligence chiefs describe continuing efforts from Moscow to subvert US democratic institutions, amid allegations that Donald Trump’s campaign colluded with the Kremlin to secure his election as president. Foreign hackers have also previously stolen classified plans from defence contractors, including for high-tech weapons such as the flagship stealth F35 fighter jet.

The private sector’s lack of enthusiasm for engaging more directly with US spying agencies is partly based on a lingering paranoia among company executives after the 2013 leaks from Edward Snowden revealed the extent of NSA surveillance.

“Government has an important role in cyber but can’t do everything and shouldn’t try,” added Mr Hannigan. “It has to enable industry to tackle the vulnerabilities out in the wider economy.”

In testimony to Congress in his capacity as cyber command chief this week, Admiral Rogers laid bare systemic weaknesses and argued for greater integration. “How do we better work the [defence department] role in the defence industrial base and the . . . defence contractors?” he said. “We’ve got to get a different dynamic here.”

But in a sign the US defence establishment is keen to raise cyber security standards among private-sector contractors, deputy defence secretary Patrick Shanahan said this month that the Pentagon could condition contract awards on how committed companies are to what he described as “good [cyber] hygiene”.

“We have to create this culture — everybody’s a sentinel, they’re on watch — so that should be, for the CEOs, at the top of their list: ‘OK, are we safe? Are we secure? Are we protecting our secrets?’ And then have the mechanisms and the culture internally to make sure those safeguards are in place,” he told the FT at a defence industry conference in San Diego.


Copyright The Financial Times Limited 2023. All rights reserved.