Making sense of — and responding sensibly to — reports of numerous cyber-attacks on the UK


Gavin Hall of the University of Birmingham writes for EA:


The opening on February 14 of the UK National Cyber Security Centre, part of the electronic intelligence agency GCHQ, was welcomed with the revelation that the UK has been subjected to 188 “high-level cyber attacks” — defined by Ciaran Martin, the Director of the NCSC, as operations which threaten national security — over the previous three months.

So is the UK — its Government, its businesses, and its citizens — becoming increasingly vulnerable to cyber-intrusions?

Public perception, media coverage, and policymaking are dominated by the potential threat to nation states. Indeed, in 2012 then US Defence Secretary Leon Panetta warned of a possible ‘cyber Pearl Harbour’ (http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html), with specific focus on the vulnerability of critical national infrastructure (https://www.cpni.gov.uk/cyber). Resource deployment, including the £1.9 billion announced by the UK Government in November 2016 (http://www.bbc.co.uk/news/technology-37821867), is primarily geared towards combatting this threat. Spending and planning have a significant focus on attribution (https://www.publications.parliament.uk/pa/cm201213/cmselect/cmdfence/106/106we04.htm): establishing who has carried out an attack. The fear is that, without a known assailant, the capacity to respond is limited.

Attribution, however, is less of an issue than commonly presented. A cyber-intrusion at the State level is an expression of political intentions and, therefore, does not operate in a vacuum.

Nation states operate in a rational manner to pursue their strategic objectives. Russia has allegedly pursued cyber-attacks for years, against NATO over Kosovo 1999, Estonia 2007, Georgia 2008, NATO over Crimea 2014, and Ukraine 2017. Definitive proof that would satisfy a technocrat as to the origins of the specific attack, likely rerouted through a series of intermediary countries, remains a challenge, but in all the cited examples, the Russian involvement is “well evidenced” and “widely accepted”, according to Martin.

Undoubtedly these intrusions create a nuisance and erode confidence in the countries or organisations involved. The question is whether they pose a threat to national security equivalent to a kinetic attack, especially as NATO has declared it will invoke the collective defense of Article V in response to a cyber-attack of sufficient scale.

The corporate level is where the greatest threat exists. Potential perpetrators include nation-states seeking to create instability or economic distress, criminal gangs seeking to gain profit, hacktivists attempting to pursue a specific vendetta, and Joe Bloggs citizen because he can. Add so-called “white” or ethical hackers, who seek to expose companies’ vulnerabilities so that they can address them, and the situation becomes incredibly complex. Attribution is and will remain a substantial problem, and attempting to resolve it would not be a worthwhile investment. Instead, accepting vulnerability and focusing more on resilience and on the institutional process for responding to an intrusion is less likely to have a detrimental impact on the company. The role of insurance firms is crucial, as they have the necessary information to inform big-picture government policy.

Since the UK adopted the National Cyber Security Strategy in 2011, companies are more open to reporting attacks than in recent years. There is now a greater understanding and acceptance that a cyber-intrusion is not necessarily detrimental to the firm.

The response of a business is as important as the attack itself. The recent exposure of hacks on Yahoo and TalkTalk showed the damage of a slow admission, with Yahoo taking three years to acknowledge the attack and TalkTalk fined £400,000 by the Information Commissioner's Office.

Like business, the individual citizen has to accept a much greater degree of personal responsibility for actions, or inactions. This is not limited to the cyber realm; it includes reliance on the government or someone else to be responsible for resolving their problems.

The UK has made significant improvements in cyber-defence since the Cyber Security Strategy of 2011. The one area that has not been fully embraced is the educational objective of the strategy. The media and general public attach far greater fear to cyber-intrusion than the reality of the actual threat warrants.

Cyber-attacks, as part of international politics, will continue. The approach cannot be to wish them away, but to encourage an integrated perspective where a sensible approach to defense is matched by an appreciation of what those attacks are seeking to achieve.