Ex-security chief: we have privatised our cyber security. The winners are the hackers

The digital threat is too existential to be left to individual firms

November 12, 2021
article header image
Image: Marcus Harrison / Alamy Stock Photo

Despite all the hype and warnings of “cybergeddon,” cyber security has remained a rather dull subject for most of its life. Social chaos and economic meltdown caused by digital warriors has remained the stuff of Hollywood fantasy; the reality for most people has been low-level (but painful) online scams and getting notifications of opportunistic personal data breaches. Seemingly out of nowhere, however, 2021 has served to remind us of our serious digital vulnerabilities.

In the United States, a hack of the Colonial Pipeline company caused a fuel crisis on the east coast; at one point, two-thirds of South Carolina’s gas stations had no fuel. The hack of another American company—an IT services supplier—led to the Coop in Sweden being unable to sell anything (and thus giving fresh food away for free). Closer to home, the Harris Federation, a charity running some 50 schools in and around London, found itself locked out of its systems and unable to pay suppliers and, in a small number of cases, unable to unlock digitally controlled school gates. Ireland saw the first ever targeted attack on an entire national health care system, while many of Rome’s citizens couldn’t book a vaccination because the system had been taken out by hackers.

But it’s not been hostile governments or the digitally savvy wing of nihilistic terrorist groups to blame. It’s been common criminals, mostly based out of Russia, looking for money. The attacks they’re perpetrating involve “ransomware”: the hackers lock people out of networks, sometimes threatening to publish their data online while demanding huge amounts of money.

At the height of the latest spate of disruption, the hackers seemed untouchable. They could operate freely from within Russia or nearby and trouser huge payments safely via cryptocurrency. But the sheer scale of the disruption has finally forced governments to act. Ransomware made an improbable appearance in the G7 communiqué issued after the Cornwall summit. Joe Biden claims to have read the riot act to Vladimir Putin at their private Geneva meeting shortly afterwards. Tentative steps are being taken to try to tackle the flow of easy money going to cyber criminals. Thus far, however, these have been done with nothing like the same levels of urgency or intensity as the global efforts to block terrorist financing channels after 9/11.

More strikingly, western governments, particularly the Americans, are now fighting back directly. Washington seems to have unleashed its own hackers against the Russian gangs. At the start of November, in what was the latest stage in a huge, US-led international operation against a major hacking group called REvil (Russian ransomware groups have a habit of adopting catchy names for themselves in English) saw arrests of associates in Romania and Ukraine, while a cryptocurrency exchange facilitating ransom payments was sanctioned by Washington. These developments followed an earlier operation, apparently by US Cyber Command and an unidentified foreign partner, to hack REvil’s own website. As a result the site has disappeared—for now.

Another group, DarkSide (the pipeline hackers), are feeling the full force of the FBI. The Feds effectively stole back most of the ransom money paid by Colonial, and in early November unveiled a $10m bounty for information leading to the identification of the criminals.

The fight back is welcome. Carefully targeted digital disruption of dangerous criminals who would otherwise be able to act with impunity is a good thing. But hacking by governments against the criminals is only a tactical pushback and needs to be part of a wider strengthening of digital defences. This will require a rethink of how we organise our digital economy.

When the Queen opened the new National Cyber Security Centre in 2017, a senior government minister confided to me, at the margins of the festivities, their concern that the launch of this new department in GCHQ to fight digital threats represented “the nationalisation of cyber security.” But the opposite problem is emerging: we are privatising national security risk.

The US fuel crisis is a case in point. When Colonial Pipeline was hit, it wasn’t the pipeline controls that were hacked but the company’s corporate systems. It was the company, not the hackers, who shut down the pipeline, apparently because it could not run its services profitably because of the damage done to its business processes.

This was a decision that the company was perfectly entitled to take. But while it did not consult the US government beforehand, it fell to the US government to deal with the fallout. Washington had to suspend safety regulations concerning the transport of fuel by road and issue guidance to citizens to prevent panic buying and the storing of fuel in unsafe containers. It then sent the FBI after the hackers. Yet it had no involvement in any of the decisions that made such actions necessary; those were taken by the firm's executives.

Colonial, it should be said, broke no rules. And that’s the point. Insufficient protection of its pipeline—a critical national asset—caused social disruption that clearly met the threshold of a national security threat. But there is nothing—yet—in the regulations governing this critical sector that requires firms to do better (and Republicans in Washington are starting to push back against suggestions for tighter controls). The unspoken message behind the Colonial case is that businesses can choose how to respond, whatever the consequences, and the government will pick up the tab.

The real lesson of 2021 is that digital vulnerabilities in a range of private and public organisations can be exploited to cause significant disruption and, potentially, serious social harm. That lesson will not be lost on authoritarian states that have better cyber capabilities than a few greedy Russian thugs. This year has revealed, among other things, that you can cause energy chaos in parts of America and a healthcare crisis in an EU member state with a few lines of malicious code of medium sophistication. In the same week as the fight back against REvil reached its crescendo, news emerged of a serious crisis in Newfoundland, Canada, thanks to yet more ransomware. Zapping a few bad guys online is cool, and a good idea, but it doesn’t fix the fundamental problem. A sustained effort to force economies to become more digitally resilient is what’s needed.