The age of cyber warfare

Nation states have a new kind of weapon—how well is Britain preparing? (This article is from Prospect's supplement on cyber resilience)

August 29, 2019

Warfare has always evolved. As weapons change so does the reality of conflict: spears gave way to swords, then to rifles and machine guns. Horses gave way to tanks and then fighter jets and now drones. Each had destructive new implications. The speed at which you can develop new technology puts you on the winning or losing side.

We are now into the next phase: cyber warfare. Nation states have a new weapon in their armoury. The internet provides for entirely new modes of conflict, and it is ubiquitous. So what will this new chapter look like, and what can Britain do to prepare? Having spoken to leading military and cyber experts, my view is that cyber resilience must be a first-order strategic priority.

Certainly, the challenge is unlike what came before. For Malcolm Rifkind, former foreign and defence secretary, “wars of the future will not just involve the armed forces of the combatants fighting each other. They will include economic warfare, propaganda, armed militias, terrorists and, most especially, cyber warfare.”

According to Admiral Alan West, former first sea lord and chief of the naval staff, “the development of the internet, and advances in digital control of growing areas of civil and military life, has changed things.” He added “the damage that can be caused to civilian networks and infrastructure [may] be immense if not properly guarded against.”

That potential for damage is becoming all too clear. Examples abound of malicious hackers inflicting harm, often on behalf of a hostile state. In 2015 the group “spearworm,” widely thought to be acting under instructions from the Kremlin, hacked the Ukrainian power system and disrupted the country’s electricity supply. They successfully infiltrated three different energy systems to do their damage. It was the world’s first successful cyberattack on a power grid.

This was not the first time Russia has used the cyber domain to strike against other countries. “The Russians [carried out] a massive cyberattack on Estonia some years ago,” said Rifkind, referring to the 2007 attack on the Estonian parliament, banking system and other critical infrastructure. And it would not be the last. The 2016 Russian interference in the US presidential election, and possibly in the Brexit referendum, indicated what is at stake. A full-scale cyberwar would be orders of magnitude more serious than this.

Russia now has “an entire government entity devoted to conducting information warfare through cyber means,” explained Cortney Weinbaum, an expert at the Rand think tank. It is not just the Kremlin to watch however. China has a powerful cyber toolkit at its disposal, while in June the US launched a cyberattack on Iranian weapons systems, compromising computers that control rocket and missile launchers.

George Robertson, former Nato chief: “If we don’t keep up with new forms of attack then all conventional spending will just be wasted”
If two nations go to war, their citizens are exposed as never before. “Everything is a potential target. It’s becoming increasingly impossible for anything or anyone to exist disconnected from the grid,” said Weinbaum. “There is nothing that I would not add to the list” as being potentially vulnerable.

Sneha Dawda, a cyber expert at the Royal United Services Institute, agreed that “information warfare” will play an increased role, with actors—including states— pumping out propaganda to confuse the civilian population. In the past it was leaflets dropped from the sky; now it will take place online. To an extent this is already happening.

Yet cyber warfare’s effects are not limited to the digital domain. It has very real-world consequences. If you hack the systems in a hospital, water sanitation or nuclear facility, you cause injury and loss of life. This is true even with regard to rogue hackers in their bedrooms, let alone foreign states. How can we defend ourselves?

In the view of David Craig, former chief of the air staff and later, the defence staff, the central point is strategy. To navigate this new threat landscape, we must aim for control of the cyber world just as allied forces seek superiority in traditional domains, with air supremacy or command of the sea. This dominance allows you to control the action in several different spheres.

“Like the well-established doctrine of air superiority and its importance in other conflict operations on land or sea, a similar... approach to establishing and sustaining cyber and digital superiority will be vital to all engaged forces in a conflict,” he said.

But that is easier said than done. To achieve supremacy, and to deter potential attacks, you must invest in the right equipment and expertise.

Britain has been doing this—to an extent. In 2016 it launched a new dedicated National Cyber Security Centre (NCSC), to guard against malicious actors and educate Britons about the scale of the risk. Modernisation initiatives have been pushed, most recently by Nick Carter, the current Chief of the Defence Staff. It all represents progress. But more must be done.
“The hope must always be that peaceful diplomacy prevails, yet there is no guarantee that it will”
George Robertson, former secretary-general of Nato, stressed the urgency: “continued investment in conventional defence is still essential for deterrence but it is insufficient. If we don’t keep up with the new forms of attack then all that conventional spending will just be wasted.”

I also spoke to Tom Tugendhat, Chair of the Foreign Affairs Select Committee, who said “the basic problem is that too much of the government’s [cyber] plan appears to come to fruition late in the 2020s. We need to move much faster than that. The creation of the NCSC is a welcome step: the government should ringfence its budget to protect it from wider pressures.”

Yet Britain will not want to be a passive actor in this new reality, simply batting away attacks. We will want to retaliate when we are under siege from a hostile state, and have the potential there to deter aggression in the first place. At least that is the argument.

For Craig, “a mix of both offensive and defensive cyber and digital capabilities, and the relative strength and importance of each of these towards achieving successful outcomes in conflict, will need to be considered.” He added: “preventative cyber capabilities will be key enablers, but unlikely to secure victory on their own.”

The truth is that we need a combination of long-term strategic thinking and basic political will. There are some steps politicians can take now. Tugendhat explained: “the government needs to [designate] a single cabinet office minister responsible for this critical issue.” What’s more, it needs to encourage change elsewhere in the system, in the “culture of critical national infrastructure operators and their supply chains.” This is “because their commercial interests do not always align with our collective security, and in some sectors market forces do not provide enough stimulus to companies to raise their game” on security.

As the era of cyber warfare dawns, the stakes could not be higher. The 21st-century world is fractious, with great power rivalries threatening to destabilise matters further. The hope must always be that peaceful diplomacy prevails. Yet there is no guarantee that it will.

“If we don’t get it right, then not only will our military components be extremely vulnerable, but the entire civilian population will be extremely vulnerable,” said Dawda.

“A severe cyberattack on the UK—one that causes a sustained loss of essential services, severe economic or social consequences or loss of life—is no longer a case of ‘if,’ but ‘when,’” said Tugendhat. When that does happen, it is essential that Britain is prepared. Whether it will be is an open question.

This piece features in Prospect’s new cyber resilience supplement