Why cyber resilience is the UK's first line of defence
New threats require the sort of joint civilian and military planning that was common in the Cold War – but with a focus on cyber rather than nuclear, says Jennifer Cole of the Royal United Services Institute (RUSI)
"We need to understand not only what cyber attacks might look like but also how cyber can be weaponised and how we might defend against it." Credit: Pixabay
Our increasingly digitised, interconnected world opens up threats and opportunities both to agencies seeking to ensure our security and those who conspire against it. There seems to be little doubt that future battles will be fought over or through cyberspace and that cyber networks will provide a delivery mechanism for targeted weapons – as well as being the target of those attacks. Cyber hostility may bring down transport networks, disrupt communications networks and cripple supply chains. Or it may be more subtle: propagating fake news, or presenting attractive narratives that draw vulnerable young men and women towards radicalisation.
The challenge is that cyber is woven indelibly into the fabric of our lives. We cannot live without it. There can be no cyber disarmament in the way nations could choose to forsake nuclear weapons. We therefore need to understand not only what cyber attacks might look like but also how cyber can be weaponised and how we might defend against it. Rather than consider a new Cold War in which cyber Armageddon is threatened, we should think more in terms of biological warfare – about how we defend ourselves through the cyber equivalents of vaccination, good personal hygiene and strong immune systems.
A key consideration in this approach is how cyber attacks will fit into the wider environment. What physical or psychological effects are they seeking to achieve – are their intended impacts in the physical and human aspects of cyber networks, as well as the code that lies beneath it? If so, where, and how can we mitigate the damage they might cause? We need to understand the intentions of the attack – as well as how it might be delivered – to be able to build adequate defences against it.
- Cabinet Office group to map government transformation projects
- In depth: National Cyber Security Programme
A recent Public Administration and Constitutional Affairs Select Committee report stated: “The US and UK understanding of ‘cyber’ is predominantly technical and computer-network based, while Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals”.
This is not entirely true. The UK has considered these issues, but it has not used that understanding so aggressively. In 2011, the Foreign Office commissioned a RUSI report considering how national attitudes to civil liberties and social media interacted, which fed into the UK’s first Cyber Security Strategy. This identified that apparent government indifference to social media communication – showing a more tolerant attitude than its approach to the mainstream media – had enabled certain platforms to be used to spread dissent during the Arab Spring. Our report also highlighted how the distribution of ICT to activists in future conflicts might be as powerful as the distribution of guns in past wars. Computers are now no longer only the lines of communication between actors but also, potentially, the delivery mechanism for weapons with kinetic and psychological effects.
"Modern warfare is clearly changing: information operations can be run over Facebook and YouTube with off-the-shelf technology"
We later took this idea further as we helped to develop the Ministry of Defence concept of “cyber littorals”: the points at which cyber touches the physical and psychological domains and determines how weaknesses can be strengthened or exploited. Exploitation of such weaknesses may include substitution of the correct dose of a pharmaceutical drug with a lethal dose in a patient’s medical records, for example, or blocking all social media messages from family and friends to a young soldier, leaving him feel lonely and isolated. Cyber strategy will include knowing not only how to switch off an electricity grid, but at what time of day or night that will have the most disruptive effect on the community it targets.
To understand these issues, we need to fully understand the interdependencies of the systems in which IT sits. In the American Civil War, exploiting lines of communication depended less on understanding the differences between how the rail network and the Pony Express functioned than understanding what those different functions enabled. The war was not won or lost by veterinarians or railway engineers, but by strategists who saw value in how communication lines were formed, traversed and blockaded – and just as importantly, which ones most needed to be kept open.
Modern warfare is clearly changing: information operations can be run over Facebook and YouTube with off-the-shelf technology. The entry point to actors is more open than ever before. Early indications of state aggression may be evidenced through hybrid attacks on civilian systems and infrastructure, and although the eventual response may need to be military-led or co-ordinated, this will require civilian actors to recognise anomalies, determine what should be done about them, and ensure that action is taken by the appropriate bodies.
This brings with it a need for a joint approach to the planning and delivery of civilian and military resilience that has slipped since the end of the Cold War but now needs to be re-envisaged for the new security environment. The interdependencies cyber creates need to be mapped, understood and managed by every agency and every individual who interfaces with a network – in the broadest sense of the term – through which a cyber attack might be delivered. The trick is to realise that the attack may be psychological as well as kinetic, it may be obvious or silent, and the first line of defence is almost certainly going to be civilians: do they know how to protect themselves from the cyber aggressors?
Process of assessing use of technology has been 'sub-standard' committee finds
John Swinney tells Holyrood conference that most attackers are ‘exploiting the same basic failings’
Leaders at the National Cyber Security Centre lift the lid on the impact of and lessons learned from the Triton malware assault
Government cybersecurity agency issues guidance telling users to act ‘quickly’