Question of the Fortnight
Should we bomb cyber-terrorists?
When SAS fighters joined the battle against Islamic State in Mosul, Iraq, earlier this year, they weren’t the only Brits trying to end the regime’s barbaric rule. Working in the background were cybersecurity experts aiming to disable the computer systems that supported Islamic State’s infrastructure. Talking to the international affairs think tank Chatham House in June, Defence Secretary Sir Michael Fallon confirmed that British hackers were now attacking systems used by the Islamists in Raqqa, their Syrian stronghold.
Sir Michael said that the success of these operations means the UK is ready to help Nato launch future cyber attacks. He added that Nato’s Article V, which states that an attack on one country is an attack on all, could be enforced following a major hack.
But would a cyber attack alone do enough damage? There are growing calls for the UK to consider military action against hackers that target our infrastructure. In his speech Sir Michael raised the possibility of drone strikes against hackers, saying “that the price of an online attack could invite a response from any domain, air, land, sea, or cyberspace”.
Foreign attacks are escalating. Days before Sir Michael’s comments, hackers accessed the parliamentary email accounts of 90 MPs and peers, sparking fears they could be blackmailed by foreign spies. He said it was too early to speculate who was behind the attack, though many believe Russia is responsible. Sir Michael claimed that Moscow-backed hackers launch 60 attacks on the UK every month, “working overtime to disrupt and discolour our democracy”.
He acknowledged that the nature of a response – military or cyber – would depend on whether a hack was carried out “by criminals, terrorists, activists or nation states”. But is this easy to establish? Simon Edwards, founder of British security company SE Labs, said that “attribution of cyber attacks is extremely difficult to do”.
His point is illustrated by the continued uncertainty over who launched the WannaCry ransomware attack in May, which took down thousands of NHS computers. A US intelligence report recently accused North Korea, but only with “moderate confidence”. Some security companies had previously blamed Chinese hackers. Edwards added that exposing the source of an attack shouldn’t be done using “computer forensics” alone. He called for the use of more “conventional techniques”, such as surveillance on the ground.
But before the military decides how to identify a cyber-enemy, the Government needs to confirm what kind of hack warrants an armed response. For Sir Michael that threshold would be crossed if an attack “endangers the state itself, the daily existence of its people”. Many people would say that the assaults on the NHS and parliamentary emails fulfil that criterion.
It’s unclear whether other security leaders share his view. Ciaran Martin, chief executive of the new National Cyber Security Centre, dodged the issue on Radio 4’s Today programme, saying that “we will do everything absolutely in our power to build up national defences to make us the hardest target we can be”.
Few would disagree that defence should be the priority. It’s why the Government spent £1.9 billion on cybersecurity, and why the Ministry of Defence is setting up tougher checks to ensure that companies it works with are protecting themselves. But should these defences be breached again soon, expect louder calls for the UK to retaliate militarily.