We Must Know Our Enemies In The Age Of Cyber

Writing in the Sunday Telegraph on Sunday 10th January



Whether or not we think about it every day, we live in a rapidly changing world. Nowhere is this more true than in the field of technology. In 1993, a mere two decades ago, there was a total of 130 websites in existence. Only a handful of experts had heard of the world wide web. By the end of last year, however, this had risen to more than 700 million sites; and for billions of people around the world, internet access had become a cornerstone of modern life.

It would be foolish, therefore, to ignore some of the new threats we face as a result of such huge changes. On a security and defence level, it is clear to me that one of the greatest of these new threats is cyber crime – including cyber terrorism and cyber warfare.

The problem is a creeping one. As we have become more dependent on technology to lubricate the wheels of our everyday activities, we have become more vulnerable to either the failures of the technologies themselves or our ability to access them. We are being drawn inexorably into the era of the war of the invisible enemy.

This is not like the Cold War, where individual spies smuggled small pieces of information to their Soviet handlers in London clubs or Viennese cafes. Nowadays we have the unimaginably vast theft of electronic material by Edward Snowden, who immediately jumped on a plane to Hong Kong and Moscow. A small problem – one disloyal junior employee – can thus become a very large one. Likewise, when the Chinese shot down one of their own satellites in space, it was not to show themselves that they were capable of doing so – but to show the rest of us. The naval fleets of the West may be advanced and powerful but they are useless if we cannot link up to them via satellites. Small flaws in our systems can lead to massive problems.

We must be clear about who exactly our new enemies are. Contrary to the image so often portrayed in the media and popular culture, cyber criminals are not typically geeky teenagers. They tend to be veritable armies of terrorists, agents of hostile states or drug cartels. They use fraud and extortion to fund their activities and do so on a truly industrial scale. Those who leave themselves vulnerable to these activities make themselves part of a national security threat, usually as a result of lack of diligence or understanding.

Cyber crime that targets the state can often find an entry point further down the food chain. A disturbing example of this is a hack known as “Titan Rain”, believed to have been the work of Chinese groups. It started in 2003-4 as an attempt at corporate espionage, lifting sensitive information from the computer networks of major US defence contractors. But the attack then spread in 2005-6 to the networks of both the US Department of Defence and our own Ministry of Defence. The MOD declined to say whether their systems had been compromised. It is believed, however, that the same attack managed to shut down the House of Commons computer system for almost a day in 2006.

One of the major challenges is the need to persuade both the public and the military that we must spend more on the invisible technology that will protect us from these new threats. In a time of continuing austerity, this may mean spending less on the things that we can see – our traditional military capabilities – so that we can invest in things that we cannot see – our cyber capabilities. We also need to develop a proper cyber doctrine in the way that we did at the start of the nuclear era. We need to determine how we would respond to potential existential threats and how we can deter and, if necessary, deal with cyber aggression.

There are two other key areas for change that I would propose. The first is legislative and the second is organisational.

I believe that the law needs to be changed in two major ways. It is a serious concern that outright denial of cyber attacks is too often the response of companies that are primarily worried about their reputations. But if the fund holding my pension is being hacked and my money lost, I want to know about it straight away. That is why I believe the government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders.

The second change I believe we must see is in relation to those who do business with government. To avoid attacks via the weakest link, the government should insist, legally, that any organisation with which it does business should have a minimum defined level of cyber security or they will be excluded from government contracts.

Finally, I would like to see all government cyber activity, including both its offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio. We cannot afford either the luxury or risk of unnecessary duplication and diversion of resources. Those with the necessary skills to keep us secure in this changing world must play an active role in government.