Interview by Lee Watkins:

Sir David Omand, former Director of GCHQ, on the current security climate and the recent IPT rulings on GCHQ’s information gathering.
***
Besides your role as Director of GCHQ from 1996-1997, what are other highlights from your career?
I was Principal Private Secretary to the Defence Secretary during the Falklands War. That was a very intense experience, seeing things at close quarters. The other defining experience was the Bosnian War. I was Deputy Undersecretary of State Policy and in charge of the MoD’s policy, which eventually led to the NATO intervention and brought the conflict to a close. That was both extremely hard but also rewarding. A lot of people lost their lives.
I supported NATO’s intervention. This was a period of extreme tension between the US Congress and most of the parliaments in Europe. And so getting something everyone could agree on – that’s the kind of policy work that’s really rewarding. The UN, when it works well, is extremely good. But if you haven’t got full consensus from the Security Council, then it’s very difficult. Getting it under control by reconciling Europe and the United States and then getting NATO to take the lead transformed the situation.
Additionally, you contributed to the 2010 Chilcott Inquiry into the UK’s role in the Iraq War. What was your role during that war?
I wasn’t involved in the Iraq decisions myself, but I was a member of the Joint Intelligence Committee at the time of the Iraq War. I was security and intelligence coordinator in the Cabinet Office. At the time I was deeply involved in constructing the UK’s domestic counterterrorism strategy.
How would you respond to criticism that the Iraq War may have been counterproductive by creating more militant jihadists than it has deterred?
Islamic extremism predated the invasion of Iraq and the War on Terror; for instance the 1998 US Embassy bombings in East Africa carried out by Al-Qaeda or the attack on the USS Cole. You can’t draw a cause and effect conclusion, nor can you say that there’s a direct relationship. Denmark was just attacked just over a month ago and no one would accuse Danish foreign policy of being aggressive.
But there is no doubt that passions were aroused by the invasion of Iraq and I expressed that at the Chilcott Inquiry. The British intelligence committee’s assessment was that as a result of our actions in Iraq the threat level would go up. This didn’t necessarily mean they should not go ahead, but they had an awareness of this assessment. They judged that that was manageable.
What about statements by Al-Qaeda and other groups that their attacks are in response to Western foreign policy, for instance that 9/11 was retaliation for US troops stationed in Saudi Arabia?
They’re going to say that anyway. I think that the Far Enemy thesis applies. If someone like Zawahiri [the current leader of al-Qaeda] believes that the West will prevent the creation of an Islamic state in Egypt or Algeria, then they will try to strike back at the power of the United States. They see the United States, the West, Israel, as implacably hostile to the creation of a Caliphate, of an Islamic State – which we are, because we are so diametrically opposed. It is a clash of values. Which is not to say that these values are intrinsic to Islam – very few Muslim communities in the US or the UK would see eye-to-eye with them.
Public anxiety has been mounting for several years, not only about terrorist attacks but also about government surveillance. Are these fears well-founded?
Some of this is inevitable because the more you know about the threat, the more anxious you are liable to be. If you’re in a happy state of ignorance, your anxiety is less – until something happens. The UK’s terrorist threat level [recently raised to “Severe”] is a way to condition the public to the existing level of risk. That way you don’t have a gross overreaction – shouts of “This must never be allowed to happen again!” and legislating away our human liberties. We make it clear that it’s not possible to stop all attacks, and that isn’t the objective.
The intelligence community’s objective isn’t to stop all attacks?
The formal objective of the UK counterterrorism strategy is to reduce risk so that people can freely go about their normal lives with confidence. You want to stop every goal from being scored by the opposing team – but you know that that’s actually impossible. No team ever succeeds in keeping out all the goals, but at any one moment you’re desperately trying to stop them from scoring. In no way does that imply that you’re taking a relaxed or casual approach. It is the reality that actually, your team is not going to win every game. If you try to give an absolute guarantee, you get driven into actions that are counterproductive.
What is your response to the recent Investigatory Powers Tribunal (IPT) court ruling that the intelligence-sharing relationship between the NSA and GCHQ was illegal?
The IPT’s first ruling determined that British intelligence was in conformity with the European Convention on Human Rights (ECHR) and the British Human Rights Act. The second again upheld the way the intelligence mission was being conducted. They determined that this was not mass surveillance, but targeted surveillance. However, under ECHR, the UK has the obligation to keep the public informed of how the law applies to them [the intelligence-gathering authorities].
Specifically there were two GCHQ guidelines not in the public domain. These safeguards applied to information collection by the US about people in the UK. In essence, an analyst was required to have the same level of authority [the Secretary of State’s authority] to access this information as if it had been the UK who collected it. But the difficulty came in where the UK was physically not in a position to get the access but the US was. The safeguard meant that the legal equivalent of a warrant, a secretary of state’s authorization, enabled the analyst to go to the US and say, “Have you got anything on this guy?” So it’s essentially a safeguard.
The court determined that two paragraphs in the government’s evidence should be public. They are now public. One of them is entirely theoretical. Technically the government had been in breach of its obligations for the preceding seven years because it hadn’t made these conditions clear. It has now made them clear, so it is now in the right. They should have done this when they first had access to the US material. So I think that’s a good decision, because it reminds the government of their obligation to explain to the public how it all works, and it’s also an excellent decision from the government’s point of view because it reaffirms that the court believes that what is currently going on is lawful, and is consistent with ECHR and it’s not mass surveillance.
I’m slightly confused by your positive response to the ruling because my impression was that GCHQ’s protocol was deemed a human rights violation.
Interception law, which requires warrants and authorities – all of that was being complied with. You’ve got various safeguards for external communication, but because of the way packages switch networks you pick up a domestic communication instead. GCHQ explained that in those circumstances you still require the same level of authority to access the material. But what they hadn’t done was make themselves understandable to the public, under ECHR regulation. And if you look at the 2008 statement, it doesn’t cover this at all. A lawyer would say it does, but if you were a layperson and you read the act, would you understand it? And the answer is no, you wouldn’t.
The government should have done more to explain. And what they’re not explaining is safeguards, which is slightly paradoxical. But the public has a right to know what those safeguards are. Immediately when the judgment came out, all the civil liberties groups jumped on it – but simultaneously GCHQ said they were delighted with the judgment, that what they were doing was legal.
Yes, in part my surprise at your reaction comes from statements by groups like Privacy International, which has launched a campaign titled “Did GCHQ spy on you?” that has gathered 6,000 signatures. Is it not your impression that people feel their privacy is being invaded?
This is simply mischief-making. This is what lobby groups do – try to create this impression. Their privacy was not being invaded, but their right to have the law explained to them was not being upheld. Would they be entitled to any compensation? I hope not.
Do you feel that there has been an escalation of public fear of being spied on? A case of increasing paranoia, if you like.
Yet the polls show that two-thirds of the British public think that more powers should be given to intelligence agencies because of the threat of terrorism. This is a very vocal campaign run on behalf of a minority. Now, they need to be taken seriously – they should be taken seriously – but I don’t think you should run away with the idea that there is huge British public unease. On the contrary, the majority of the British public want the agencies to go on trying to stop attacks.
So you feel that the fears of a terrorist attack are higher than the fears of privacy intrusion? Both of these public concerns put pressure on the intelligence community.
A lot of unease is down to a simple conceptual error in confusing mass surveillance with bulk access. This problem has bedevilled the whole argument. The IPT judgment discusses bulk access. GCHQ has the ability to capture quite a lot of external communication – it’s still a tiny part of the internet – and then a filtering is applied by computers, looking for the specific indicators of the targets they’re allowed to access. What is allowed to be seen by an analyst is tiny. If analysts are seeking, say, Syrian jihadists, then they are only allowed to view what is permitted to them on the relevant certificate. That’s why the IPT concluded that this was highly targeted and not mass surveillance. But it does involve computers looking at the major bearers of information in order to find useful material.
When you think about it, there’d be no other way to find the IP address of a computer being used by a terrorist. How would you find the communication? There are arguments over whether you should feel that your privacy has been intruded upon, even if it’s just the computer whizzing through and throwing your stuff away, because it’s not what they’re looking for. And that argument will go on, but it wasn’t accepted by the IPT.
The key for me is, it’s not about the tools being used by the agency. They are essential. They’re needed to catch paedophiles and criminals and terrorists. Law enforcement is all about digital intelligence these days. Worry about the oversight. Who gets to sign the authority? Who checks they’re actually complying with the regulations?
So you feel it’s a question of human integrity rather than technology?
Yes. This is where the IPT comes in. The report by Rt. Hon Sir Anthony May, Interception of Communications Commissioner, again concluded there’s no mass surveillance going on. He has free access to all the analysts’ stuff at GCHQ and he was previously an appeal court judge, so he’s quite a formidable character.
In the UK, I personally think that we have the model for the rest of Europe to follow. We’ve got parliamentary oversight, judicial oversight, got a specialist court for all of this. The bit that hasn’t been right has been the transparency vis-a-vis the public. The more transparent the government is, the more the public supports it. What Snowden has done is unleash a kind of worry – “What are they doing? How can I trust them?” – and in fact the more that comes out, for example through the IPT, the more people should be reassured that it’s a very organised system, it’s got checks and balances.
We’ve discussed concerns over too much information – what about worries over too little? In many cases, including the recent Charlie Hebdo attack, preceding a terrorist attack there is a trail of tweets, of blog posts, of other online clues that an attack will occur. Is there perhaps not enough access to information?
If you can get private correspondence, rather than public blogging, that will give you a better clue as to where they are – and do they have something big in mind? They may tip someone else off and say, “We’re going to do it on Saturday.” You can’t conclude one way or another about the Charlie Hebdo attack. It’s very important that people understand: intelligence work is a jigsaw puzzle. It’s putting together several jigsaw puzzles simultaneously. The pieces are all muddled up and you haven’t got the lid of the box. You can’t pick up one piece and say, “Without this, the attack wouldn’t have happened.”
It’s kind of a crazy question: “How many terrorist attacks has digital intelligence stopped?” Well, how long is a piece of string? If you’ve got reasonably good coverage of the people who mean you harm, you will stop most of them. The director of the security service indicated recently that the last dozen attempts in the UK have been stopped. Will the next one be stopped? Who knows. At least the score rate is good. And one would not want it the other way around.
Thank you.