Wednesday, August 16, 2023

Where in the System should Comsec Belong?

I have written before about the parlous state of cryptography – communications security – before the Second World War, and until the point late in 1941 when Sir Edward Bridges, the Cabinet Secretary, began to interest himself in the subject. In January 1944 the Prime Minister accepted a proposal from the Chiefs of Staff Committee. It agreed that: 

1. A controlling authority should be established with responsibility for:

(a) Policy regarding the security of British encryption systems, including decisions on any new encryption devices and on any safeguards which might be necessary in their use.

(b) Ensuring due supervision of encryption by the Services and by Government Departments.

2. The Controlling authority should be known as the Cypher Policy Board (CPB), and its decisions should be regarded as having ministerial approval. It should consist of:

(a) The Director General of the Government Code and Cypher School ('C') – Chair

(b) A representative appointed by the Chiefs of Staff Committee

(c) The Cabinet Secretary.

3. A new section of GC&CS should be established to deal with the security of British encryption (and of Allied systems in so far as British commands were concerned). This section would have as its head an Assistant Director of GC&CS known as CSA (Communications Security Adviser) who would also act as Secretary of the CPB and Chair of the existing JIC Cypher Security Committee, which would now be responsible to the CPB.

(Not included in this plan was 'wireless security'. MI5 was responsible for ensuring that the only people transmitting were those authorised to do so, and for monitoring their use of transmitting equipment; and for ensuring that the physical security of transmitters was maintained. It carried out those responsibilities without reference to GC&CS: indeed, for practical purposes their main direct relationship during the Second World War was in connection with the encryption systems used by German agents. The transfer of the Radio Security Service (RSS) to GCHQ after the war would eventually lead to an increased collaboration between GCHQ and MI5 on the intercept of illicit transmissions, but that is another story.)

This structure paralleled the structure for oversight and management of Sigint: a board of stakeholders (CPB for Comsec, LSIB for Sigint) oversaw the tasking and budget for the two parts of GCHQ, leaving Director GCHQ and CSA to operate within the framework they were assigned.

The structure for Comsec was maintained for some years but the services were unhappy about the pace of development of new encryption machines, and felt that the proliferation of committees (for example the Services Cypher Policy Committee, the Speech Secrecy Panel, the Cypher Machine Development Panel) was pulling the CPB away from its original terms of reference. The matter was formally discussed at a meeting of the Cypher Policy Board in October 1952. Sir Edward Bridges gave his opinion that it was inappropriate that a Sigint organisation – GCHQ – should be responsible for cryptographic policy. A review of the CPB was commissioned which eventually concluded that a different agency, independent of GCHQ, and to be known initially as the London Communications Security Agency, should be responsible for Comsec, under the oversight of a new London Communications Security Board. The Board was chaired by 'C' initially, and the Heads of the Signals and Intelligence Divisions of each of the Service ministries, as well as representatives of the Foreign Office and GCHQ, were members. From 1956 the Foreign Office nominated a Chairman (Pat Dean) common to the JIC, LSIB and LCSA. 'C' remained on the Board, and for the first time the Director General of MI5 (Sir Roger Hollis) was invited to be a member.

A new Director LCSA, Captain Stannard, was appointed in November 1957 and the LCSB Chair wrote a letter to Hollis in which he referred to a decision taken by the PUS of the Foreign Office, the Joint Permanent Secretary to the Treasury, and the Chiefs of Staff (to whom collectively the LCSB was responsible) that Director LCSA should be responsible under the general direction of the Director-General of the Security Service for day-to-day decisions on behalf of the LCSB. This would entail an amendment to the terms of reference of the Director LCSA, who wrote a paper outlining the role of the LCSA and its relationship to DG MI5 and Director GCHQ.

These can be summarised as:

(a) Transmission Security: LCSA should advise on the transmission security of all communications and non-communications equipments and techniques and agree with the authorities concerned on the principles of protection.

(b) Cryptographic Security: LCSA should, in addition to its current work on the protection of communications against cryptanalysis, advise on the means of cryptographic security protection in all new forms of communications and develop the appropriate security techniques and equipments required.

(c) Requirements for Communications Electronics Security Equipment: LCSA should be responsible for:

(i) Evaluation and determination of requirements

(ii) Development of appropriate security techniques

(iii) Coordination of research, development, and production to meet new requirements.

(d) Consultation with the Security Service

The provision of advice on all aspects of Transmission and Cryptographic security should be the joint responsibility of the Security Service and LCSA. The former should advise on personal, documentary and other physical security measures to protect the equipment and related information, whilst the latter should advise on measures to protect the transmissions. LCSA should provide the Security Service with the technical guidance which it might require in this connection and incorporate Security Service advice in the communications-electronics measures which it recommended.

(In fact it proved impossible to define exactly the respective responsibilities of LCSA and the Security Service, and agreement on the advice to be given depended on the close personal relationships (which always existed) between the contact officers of the two departments.)

From these conclusions the new terms of reference were framed, and these included the following:

'The LCSA will be under the charge of a Director who, under the general direction of the Director General Security Service, will be responsible for day to day decisions on behalf of the LCSB … The Director LCSA will:

(a) consult Director General Security Service on all matters concerning general security policy

(b) consult Director Government Communications Headquarters on all appropriate aspects of communications-electronics security and ensure that his advice and assessments are fully taken into account.'

However sound all this may have been in theory, it had two serious weaknesses. First, DG MI5 had no understanding of communications, which largely determined Comsec policy; and second, the UK's Comsec release policy (i.e. which systems could be released to which foreign nations) was governed by Intelligence interests which were not the responsibility of DG MI5.

The LCSB approved the new terms of reference. However, in discussion it became clear that while 'Communications Electronics Security' meant the security of communications and non-communications transmissions, Hollis thought that it was simply some sort of elegant variation on 'Electronic Communications'.

Stannard also tried to change the status of the LCSB from Ministry of Defence Committee to Cabinet Committee. This proposal took the lid off a can of worms: the LCSB and the LSIB were each subordinate to the Official Committee on Communications-Electronics, which was set up in 1958. The terms of reference of neither the LCSB nor the LSIB referred to this supervision because they were in existence before the Official Committee had been established. Dean pointed out, however, that a proposal to transfer the LCSB from the Defence List to the Cabinet List might give rise to a review of the status of LCSA. The Director LCSA was under the general direction of DG MI5 but his salary was paid by the Foreign Office. The arrangements for paying the staff of the Agency were complicated because they were those used for paying GCHQ staff and were hidden in the budgets of five other ministries. LSIB, in a closely related position to LSIC's, was, for security reasons, not listed as either a Cabinet or a Defence Committee. It was agreed at the meeting that no action would be taken, but that Dean would mention the anomaly of the Board's present status to the Cabinet Secretary and make sure that the service Chiefs were aware of the increasing civil functions of the Board and Agency.

The Ministerial responsibility for the Agency was also discussed. This matter had not been covered when the terms of reference were drafted which placed the Director LCSA under the general direction of DG MI5. It was agreed at the meeting that it was important to make it clear whether the Home Secretary or the Foreign Secretary should be answerable to Parliament for the Agency. Dean suggested that representatives of the Security Service, LCSA, the Security Department of the Foreign Office, and GCHQ should meet and submit recommendations. In spite of lengthy discussions no change was either suggested or made in the Ministerial responsibility for LCSA: the lid was put back on the can before any of the worms could escape.

It seems clear that the decision to alter the status of the Director LCSA was made hastily and without any detailed examination of the implications.

In April 1965 there was a radical change in the organisation when LCSA, SCDU (Services Communications Development Unit), and JSRU (Joint Speech Research Unit) were integrated into one department. Up till this time, although LCSA exercised operational control of SCDU and JSRU, they were administered by the GPO. This division of responsibility had never been a very satisfactory arrangement and, following an interdepartmental enquiry in 1964, LCSA took over full control of both units. It was also decided that a new title was needed to show that a new organisation was coming into being. In a letter to Burrows, the LCSB Chair, copied to DG MI5 and Director GCHQ, Stannard suggested "Government Communications-Electronics Security Agency", pointing out that the existing title had on occasions given the impression of a commercial concern and was unlikely to appeal to those who had worked for such a well-known department as the GPO. He did not propose that the title of the Board should be changed, since it was well-known and fitted in with that of its signal intelligence counterpart. Hollis did not like the proposed title, first because it was too close to GCHQ, and GCB, both of which were already in use, second because LCSA's responsibility extended beyond Government communications, and third because he did not think the organisation was an agency. He suggested 'Electronic Communications Security Department' (he still didn't understand the meaning of the order of the words). Hooper, Director GCHQ, commenting on both Stannard's and Hollis's letters, pointed out that communications electronics security was correct, because electronics security referred to non-communications transmissions, and suggested that if it was the word 'agency' which implied a commercial status, then 'Communications Electronics Security Department', with the abbreviation CSD, would be appropriate. Stannard wrote to Sir Bernard Burrows accepting this, but proposed the short title CESD. Hollis objected to 'communications security' as being too wide and doubted the responsibility for 'electronics security'. Burrows, however, agreed with Hooper's proposal as amended by Stannard, and this was accordingly submitted for acceptance by the Board.

From this point on, the influence of DG MI5 in CESD affairs waned rapidly. Like LCSA before it, CESD administration services were provided by GCHQ; its London Headquarters were in GCHQ's Palmer St building; its cryptographic services were underpinned by mathematicians from GCHQ; and the JSRU technical staff now joining CESD were members of the Royal Navy Scientific Service attached to GCHQ. It was too small to stand alone, and in 1969 it returned to GCHQ, though with a conscious and generally accepted autonomy within the organisation.

Putting its direction under MI5 was a mistake: Comsec had to be linked in policy terms to its opposite, Sigint, rather than to its complement, physical security. Comsec policy must take account of Sigint policy; whereas physical security policy has little bearing on the matter at all. This doesn't mean Comsec and physical security are not closely connected, particularly at the practical level, and it doesn't mean that Comsec should be subordinated to Sigint, even if both are part of the same organisation: that was why there were separate oversight boards – LSIB and LCSB – for the two disciplines.

Sir Edward Bridges had been correct in identifying the cause of the weakness of British cryptography in 1941 as the lack of attention which the primarily Sigint organisation had devoted to Comsec between the wars, and was right to be suspicious that service complaints about the slow pace of development of new cryptographic equipment in the postwar period might be due to GCHQ not giving enough priority, but the solution was better informed and detailed oversight by the Sigint and Comsec Boards, not organisational change. Bridges retired in 1956, and it is not hard to imagine that Stannard's proposal that Hollis should become his boss was as much a search for somebody to protect him from Director GCHQ as for a more coherent structure for Comsec.
