Britain’s adversaries want to damage its economy and society and their new weapon of choice is the Internet.
Thirty years ago this sentence would have read like science fiction. Twenty years ago it would have sounded like technobabble. Ten years ago it would merely have been dismissed as a bit far-fetched.
It sounds as if the world has changed. But has it?
Serious cyber-threats mentioned by Hammond included:
- Distributed Denial of Service (DDoS) attacks potent enough to bring down commercial and government services
- Mass data breaches of personal records
- A surge in financial fraud targeting government services such as tax refunds
UK ministers have made similar warnings in the past, but Hammond’s speech went an important stage further.
The UK, he said, was being menaced not only by criminal groups but also by political and ideological adversaries.
“A small number of hostile foreign actors have developed and deployed offensive cyber-capabilities, including destructive ones. These capabilities threaten the security of the UK’s critical national infrastructure and our industrial control systems,” he said.
Again, this isn’t completely new but the emphasis given to it in his presentation underlines the anxiety felt by government about what it implies: nation-state cyberattacks could develop into an existential threat to the UK economy and national infrastructure if allowed to go unchecked.
It’s a scary prospect but Hammond came armed with some answers too.
The first is contentious but fascinating – cyber-deterrence.
“We will continue to invest in our offensive cyber-capabilities, because the ability to detect, trace and retaliate in kind is likely to be the best deterrent.”
The use of the word “retaliate” is key. According to Hammond, without the ability to go on the offensive in cyberspace the UK would be left with no way to respond except by either “turning the cheek” or resorting to old-fashioned military force, which means the risk of people being killed.
Enemies must understand this. Anyone thinking of attacking the UK in cyberspace was risking getting the same back.
Hammond’s second answer is to invest heavily as part of the UK’s expanded £1.9 billion ($2.3 billion) cyber-security budget, first announced in 2015.
There will be more money for specialised policing units, investment to boost the number of cyber-experts coming out of universities, and a new emphasis on institutions such as the National Cyber Security Centre (NCSC), which recently started operations.
While Hammond didn’t name any particular countries as posing a threat to the UK, it is striking that the speech came only days after an unprecedented warning from Britain’s MI5 intelligence chief that Russia, in particular, has been using espionage, propaganda and cyberattacks that pose a direct risk to the UK.
This isn’t the 1980s exactly but it still bears a depressing similarity to its battle lines. It’s as if old conflicts are being re-run by new technological means in an age defined by information rather than tanks and warplanes.
In short, when you strip out developments such as the Internet, the central problem posed by cyberthreats remains political, not technical. This should temper our expectations of progress.
The devil will be in fine-tuning interventions, suggested Sophos’s vice-president of end-user product management, John Shaw.
“The idea of a shared national security infrastructure, while appealing, is fraught with challenges.”
Simpler remedies might work just as well, such as actions to catch cyber-criminals wherever they operate and, in the case of data breaches, more emphasis on punishing firms that don’t properly protect themselves.
“There is the danger of government being accused of building a Great British Firewall and starting to abuse that technology to control and snoop on its citizens,” he said.