In the past five years, cyber and telecommunications defence has left its niche market to become one of the fastest growing industries in the world. In 2011, governments, industry and ordinary computer users spent roughly £65 billion shoring up their computer networks, a figure that is predicted to double within five years.
In Britain, cyber security bucks the recession and receives more money from the Treasury every year. Yet even this is not enough, according to the Commons select committee on intelligence and security, which published its annual report this week. Not only do we need to spend more, the committee also implies for the first time that Britain should ramp up its “active” defence strategy to keep pace with the proliferation of cyber attacks that rain down on our institutions, companies and citizens every day.
The report correctly highlights the role of GCHQ in Britain’s cyber defence strategy. Scion of Bletchley Park’s wartime code-breakers, GCHQ in Cheltenham played a critical role in intelligence-gathering during the Cold War. Just as the National Security Agency in the US has developed into the most powerful single spy organisation in history because of its ability to gather data from telecommunications and computer networks across the world, so too has GCHQ’s cyber capacity emerged as the hub of Britain’s advanced security strategy, with its ability to anticipate, monitor and neutralise major attacks aimed at this country and its allies.
GCHQ is a remarkable asset. As I discovered on a recent visit, the interior, with its break-out areas for breezy discussions over lattés, is more like the offices of Google than the austere atmosphere associated with traditional spy agencies. There are good reasons for this, because GCHQ is losing brilliant cyber specialists at an alarming rate, a major cause for concern, according to the select committee. With top cyber security technicians commanding eye-watering salaries, the private sector is poaching them with ease, thus benefiting from specialist training that the taxpayer has generously provided.
The central mantra of GCHQ and the intelligence services is that 80 per cent of all cyber threats are easily eliminated by everyone following a few simple rules: keeping security software updated; not opening suspicious emails; being careful with the use of memory sticks and, at the corporate or institutional level, monitoring the network traffic going in and out of a system.
At the heart of this core strategy lies education – ensuring that company boards, employees and the public understand the need to avoid cavalier behaviour. Britain’s record on this has been quite encouraging, although it is not an easy sell. The great majority of computer users either do not grasp computer security or find it a rather mind-numbing subject.
On the whole, however, this country succeeds in reducing the risks posed by that 80 per cent of threats to acceptable levels. What concerns the Government is the remaining 20 per cent – those products of more sophisticated criminal minds, intelligence services and military establishments that are specifically designed to breach the defences either of companies or of the so-called Critical National Infrastructure (CNI). And this is where we might be falling behind.
Enter the concept of an “active” defence strategy. This is a controversial business: translated, it means seeking out and disrupting an opponent’s military assets before these are used against you. This is no longer a theoretical discussion. Just over a month ago, the White House leaked the news that the United States and Israel were responsible for the deployment of at least two major pieces of malware, Stuxnet and the Flame virus, aimed at hindering Iran’s development of a nuclear capability.
Equally, the select committee has in the past singled out China and Russia as being responsible for attacks both on our commercial and security interests. So has the time come for Britain to start developing its own offensive capability and deploying new forms of viruses and Trojans (malware that masquerades as legitimate software) around the globe?
If the internet belonged exclusively to spies and the military, then this question would be a lot easier to answer. Why not develop such a programme? Especially as everyone else appears to be doing it. Unfortunately for the advocates of “active” defence, the web belongs to everyone, so when you release your nasty stuff to get at the Russians, the Chinese, the Iranians or whoever you don’t like, you have a very high likelihood of causing collateral damage.
This is exactly what happened with Stuxnet. The US and Israel believed that because the Stuxnet virus’s primary target, the Natanz Uranium Enrichment facility, was “off-line” (not connected to the internet), the virus would be contained. But somehow Stuxnet escaped Natanz, infecting roughly 50,000 other systems around the world. Once circulating freely, it was seized on by other intelligence agencies and criminal groups that have been able to learn from it and adapt its technology.
A second problem with “active” defence relates to the absence of any framework regulating the behaviour of states on the internet. Along with the US, Britain has been at the forefront of efforts to halt abuse by criminal or terrorist groups. By encouraging the development of cyber weaponry, however, it will be sending a green light not only to countries such as Russia and China but to other groups intent on doing harm over the web.
Once countries decide that networked computer systems are a legitimate target, the logic of pre-emptive attack is almost certain to take over. Unlike wars fought with conventional weapons systems, your “assets” in cyber war consist of the weaknesses affecting your opponents’ networked computers. In order to establish the strength of your assets, you need to explore and investigate those networks. The United States has already discovered so-called “sleeper” viruses on some of the computer networks controlling its electricity grid; the assumption is that in the event of war, those sleeper viruses would have been activated to disrupt America’s CNI.
Britain is currently part of a second tier of nations, thought to include France and Germany, that possess sophisticated cyber defences but have not yet decided to make offensive capability a major priority. In front of this group stand the United States, Russia, China and, perhaps most notably, Israel, which in Unit 8200 of the Israeli Defence Force boasts one of the most successful incubators of cyber military technology in the world.
So while there may appear to be compelling reasons to give a green light to the development of “active” defence, the Government needs to understand that it will be contributing to the growth of a free-for-all on the web with disturbing implications.
And yet that seems to be where we are heading. There is only one international agreement on cyber security – the Convention on Cybercrime, originally a European Council agreement but increasingly recognised internationally. It is a good start but it has no impact on the growing issues associated with the militarisation of the web.
The United States and Britain are reluctant to move towards any regulatory agreement because Washington believes this will threaten its current superiority in cyber offensive capability. At the same time, Russia and China are pushing for regulation, in part because they want enshrined in international law the right to control the internet within their borders as they see fit; that is, de facto recognition of the censorship they exercise (especially China) over the web.
We are thus stumbling into a new era of warfare with only the vaguest notion of its legal, political and technical implications. The Government may conclude that we have no choice but to join in – but as our dependency on networked computer systems deepens by the day, the consequences of things going wrong become ever more serious.
Misha Glenny is the author of ‘DarkMarket: How Hackers Became the New Mafia’ (Vintage)