Talking UK Cyberwar With Sir David Omand
14.9.2018 securityweek CyberWar
Over the last few days, UK national press has run headlines such as "IT'S CYBER WAR! Prime Minister May vows to take on President Putinís novichok spy network" (Daily Mail); and "Novichok poisoning: Theresa May 'orders cyberwar' on Russia's spy network as she calls UN security meeting" (Evening Standard).
This presents a very simplistic view of Britain's attitude towards cyberwarfare; and implies a scale that almost certainly will not happen.
The background is the use of chemical weapons by the Russian GRU in the UK against Sergei Skripal, a former member of the GRU, and his daughter Yulia. Last week Alexander Petrov and Ruslan Boshirov -- believed to be aliases -- were accused of their attempted murder. Britain is not seeking extradition of the two suspects because of Russian constitutional restrictions on extraditing Russian citizens, but has issued an Interpol red notice for their arrest if they ever leave Russia. Nevertheless, it is widely felt that some form of retaliation is politically necessary -- and hence, ultimately -- the warnings on imminent cyberwar against Russia.
Talking UK Cyberwar with Professor Sir David OmandThere may well be cyber retaliation by Britain's intelligence agencies against the GRU, but it will be limited in scope and probably unattributable -- and nothing that can be classified as cyberwar. This is because the UK does not separate cyberwar from kinetic war. In May 2018, UK attorney general Jeremy Wright QC MP outlined his interpretation of international law and cyber activity. It implies that a cyber attack that resulted in actual or threatened loss of life could legally elicit a kinetic military response.
Of necessity, the UK will ensure that any cyber retaliation falls short of cyberwar that could lead to loss of life because that would invite a legal kinetic response from Russia. For the UK, cyberwar and kinetic action are both aspects of one condition: warfare.
SecurityWeek talked to Professor Sir David Omand to get a better understanding of the UK viewpoint. Sir David is a former Director of GCHQ, and former Security and Intelligence Co-ordinator in the Cabinet Office. He is visiting professor at the Department of War Studies at King's College, London.
Sir David draws a distinction between the current conditions affecting the West and Russia (which he describes as 'hostile cyber activities in peacetime'), and actual armed conflict. "No serious armed conflict in the future will be without its offensive and defensive cyber components," he told SecurityWeek. "The former to support military operations by confusing and distracting enemy commanders, degrading command, control and communications, blinding key sensors and weapons, and interfering with supply chains. The latter is essential to ensure that the adversary does not similarly degrade our capabilities with his cyber means."
The military has to be prepared for armed conflict even if it is not current and hopefully never will be current. "Offensive cyber for MOD will involve careful preparation with GCHQ in peacetime, but there will be good arguments for not disclosing the cyber components until it is really necessary to support military operations. Defensive cyber on the other hand is a constant concern for MOD to ensure the security and integrity of all defense systems in peacetime so that an adversary cannot be in a position to take advantage should it come to armed conflict. All this is not ëcyber warí; it is what we must expect serious military operations in armed conflict conditions to be like in the 21st century."
The "good arguments for not disclosing the cyber components until it is really necessary to support military operations" explains the lack of any government support for Microsoft's proposed Cyber Geneva Convention, which requires international cyber disarmament.
The implication from Sir David is that the UK is prepared for cyberwar, but it is not yet happening. Rather, he continued, "I use the acronym CESSpit: Crime, Espionage, Sabotage and Subversion perverting Internet technology. Acquisitive Crime conducted through cyber means (including traditional crimes amplified and conducted at scale through the Internet) is rising. Espionage using digital methods as well as traditional ones is ubiquitous. These are risks that just have to be managed and defended against but cannot be eliminated." It is largely, but not entirely, conducted by non-aligned cyber criminals.
"Sabotage, using cyber-attacks to damage infrastructure or the integrity of information," he continued, "comes from hostile states, non-state groups, and hackers with a grievance. These are crimes that should result in legal sanctions of some kind (as the US has done with North Korean hackers over the Sony attack). Finally, we have Subversion, the attempt to undermine our democratic institutions, and our confidence in them, as we have seen with Russian attacks on the US, French and other elections and democratic processes. Traditionally subversion is conducted by a combination of intimidation, propaganda and dirty tricks. All three components can be delivered today by digital means, more easily than with the traditional methods of the Cold War."
It is how the UK is willing to respond to this CESSpit that defines the UK attitude towards cyberwar. The first priority is to be able to defend against such attacks. "We need to organize to defend ourselves robustly with passive and active defenses against crime, espionage, sabotage and subversion, bringing together the resources of government, the private sector and academia. That is a key task for the new UK National Cyber Security Centre, part of GCHQ."
The key question here is whether -- and if so, when -- active defense can tip over into active retaliation. "There is the risk," continued Sir David, "that a hostile state or group will miscalculate where our thresholds for response are, or will imagine that their sabotage or subversive activity can be conducted unattributively leaving us unable to respond. Or, as has happened with some cyber-attacks, the malware may infect far beyond the intended target with serious damage, or loss of life as the result."
While absolute attribution of cyber activity is almost impossible by pure cyber detection, western governments have the resources of national SigInt agencies -- the Five Eyes and allied nations such as France, Germany, the Netherlands, Sweden, Israel and more. With that attributive capability comes the sting in Sir David's comments.
"No potential adversary should imagine that in those circumstances a British government might not respond in kinetic terms. But the manner and timing of such a response must be for decision in the light of the circumstances with a full range of options, cyber and military open to the government. No potential adversary should be able to game our reaction in advance or imagine the UK or its NATO allies would only think of response to cyber-attacks as necessarily being confined to the cyber dimension alone."
These conditions explain the precarious nature of UK/Russia relations right now. There has been no loss of life directly attributed to Russia -- the Skripals both recovered. A third innocent victim of Novichok has died, but this has yet to be blamed directly on Russia. But the threat to life was certainly present -- which means that the UK attitude to international law gives it the right to retaliate both kinetically and by cyber.
It will wish to avoid an armed conflict with Russia -- leaving a cyber retaliation as the primary option. But even this has to be limited in scope so as not to give Russia the same legal option of retaliating kinetically.