In his recent State of the Nation address, Vladimir Putin said that if challenged by another state, Russia’s response would be swift, harsh and ‘asymmetrical’. An unusual word, but anyone who has been paying attention to the developments in cyber warfare will know what he means.
Despite Russia pulling back more than 100,000 soldiers positioned on the Ukrainian border, British troops will shortly join Ukrainian counterparts to prepare for any misadventures from the Kremlin. And if a conflict were to escalate, the action may not be limited to faraway battlefields. It might involve cyberattacks, which would hit us at home. This, too, is a threat the Ministry of Defence seeks to prevent.
For years, the MoD has treated cyber warfare as a dangerous possibility, but in the next conflict — wherever it might be — British officials expect cyberattacks to be the new reality. ‘The threats of today are different from those we are used to,’ said the government’s Defence Command paper, which was published last month. ‘Our adversaries no longer only seek to challenge us in open, large-scale warfare, but instead seek to use activities below the threshold of open war… new technologies have created more potential ways for our enemies to do us harm.’
The risks are particularly acute for Britain: we are the second-most targeted country in the world for hacks after America. In the past four months, more than 100 British schools have been attacked by unidentified hackers using ransomware, which works by encrypting all the files on computers and then demanding a ransom to be paid in untraceable cryptocurrency. Schools in London, South Gloucestershire, Cambridgeshire, Coventry and Peterborough were infiltrated by gangs who demanded payment to return the use of their computer networks.
The Woodland Trust was also targeted in December by ransomware hackers. The attack meant that the charity was un-able to accept new memberships and many people complained of being unable to contact the organisation during January and February. In March, high-street clothes chain FatFace paid a £1.45 million ransom to hackers. The malware locked the firm out of its systems and harvested 200GB of its data, including employees’ bank details, national insurance numbers and the personal details of customers.
The NHS is an obvious target for -hackers. A state-sponsored North Korean cyber gang was blamed for wreaking havoc four years ago with its WannaCry virus: 19,000 appointments were cancelled following the attack, costing £92 million. There were no deaths, but medical facilities from intensive care to heart monitoring and the operation of insulin pumps are all, in theory, hackable. In September, the digital infrastructure of Düsseldorf University Hospital was severely hit during a ransomware attack, including the ambulance computer system. One woman died when her ambulance was redirected to another hospital 30 miles away.
APT41, a Chinese state-sponsored group, has been blamed for more than 100 cyber-attacks up to last year. In September, the FBI issued a poster featuring the faces of five APT41 members they wanted to question over ransomware raids in America, Britain, Australia and Taiwan. APT41 has also targeted UK government networks. Recently it was revealed that spies at GCHQ have warned the chairman of the foreign affairs select committee, Tom Tugendhat, that the parliamentary email system is not secure, following Chinese cyberattacks on him and other British politicians.
But it isn’t only large-scale state attacks that pose a risk: gadgets connected to the internet in our homes are vulnerable. Known as the ‘Internet of Things’, or IoT, these devices (there are an estimated 75 million worldwide) include smart watches, home thermostats, smart meters, wifi doorbells, baby monitors and smart home controllers such as Alexa or Google Home. The majority are run on cheap, generic computer chips that are easily hacked.
IoT hackers can do more than damage homes and steal data. Smart household devices can be turned into internet bots (which run automated tasks online) and harnessed to form large, powerful ‘botnets’ that make devices work in sync to hack data. Three years ago, in an attack known as Dyn, malware infected hundreds of -thousands of computers and made them continually search the internet for vulnerable IoT devices.
Because people often do not change the usernames or passwords that come with their gadgets, the default settings allow them to be easily hacked. The resulting wide-reaching viruses can blast targeted -computers with so much information that they crash. The Dyn attack took down large portions of the internet including Twitter, Netflix, the Guardian, CNN and Reddit.
More worryingly, cyberattacks can result in direct physical destruction: dams, industrial plants and critical infrastructure are all at risk. ‘Warfare is changing at breakneck speed and the arsenal of weapons available to our enemies and adversaries is changing with it,’ one senior defence source says. ‘A cyberattack on our institutions or critical national infrastructure could cause major disruption to our economy and our public services, and threaten our national security.’
In February, for example, there was a botched attempt to poison the water supply of the city of Oldsmar in Florida. An unidentified hacker attempted to raise the levels of sodium hydroxide in the water from 100 parts per million to a fatal 11,100 parts per million. A plant manager intervened and returned the system to normal. If the hack had gone unnoticed, it would have taken between 24 and 36 hours for the poisonous water to reach people’s homes.
It is also possible to take down a country’s entire physical infrastructure by sabotaging the massive undersea cables that carry more than 90 per cent of the world’s communications. The MoD expressed concerns that this poses an existential threat to the UK after intelligence services noted that Russian submarines are ‘aggressively operating’ near Atlantic cables. The recent defence review, in fact, is set to order a new Royal Navy surveillance ship with under-water drones to monitor the situation.
Then there is the issue of power grids. Russian hackers wiped out the electricity supply in Ukraine in 2015, leaving hundreds of thousands of civilians without power. A US report revealed that the control centres were still not fully operational two months later. Another more complicated cyberattack on the power grid followed in late 2016. The evidence pointed to Russia’s secret service.
Even geostationary satellites are vulnerable to attack either by jamming or by direct assault. Russia, China and the US have all demonstrated capability to bring down satellites with missile strikes — a ‘Pearl Harbor’ in space is not such a far-fetched notion.
Another issue is the development of artificial intelligence warfare. The defence review proposed the use of AI in the development of unmanned autonomous weapons systems, including swarms of drones. While this is in line with developments in Russia, China and the US, it nevertheless rings alarm bells. Such weapons operate on their own to select and attack targets. Imagine the destructive potential they could have in the hands of hackers.
If we were to experience a large cyber-attack that targeted civilians, it’s hard to know how we could respond under current warfare guidelines. The International Committee of the Red Cross is responsible for maintaining the laws of war, such as the Geneva Conventions. Together with the International Court of Justice, it shares the view that laws of war should limit cyber operations during armed conflict just as they limit other weapons and means of warfare in such situations. But it’s less clear how the laws stand when cyber warfare occurs outside armed conflict.
Will laws protect us any more than they protected civilians during the Blitz? It seems unlikely. In 2018, the Secretary--General of the UN, Ant
ónio Guterres, called for global rules to minimise the impact of electronic warfare on civilians. But nothing has happened since. During the Blitz, it was clear who was responsible for the bombers flying over Britain. But when it comes to cyber-attacks, attribution is difficult, or impossible. Attacks can be conducted through a network of thousands of machines located in many countries. Accusations are generally based on circumstantial evidence and signature patterns of behaviour. ‘The lines denoting acts of war have been blurred,’ the senior defence source says. ‘This is a new threat to our way of life, the security we take for granted and the freedoms we hold dear.’
Given the devastating consequences of cyber warfare, there appears to be little in the way of contingency planning. In the coming years, we could face devastating consequences as a result of our dependency on the internet. Indeed, it’s not unthinkable that, in the event of war today, cyberattacks could leave a nation under conditions similar to a medieval siege. Some believe the answer is to create impenetrable security systems — but there’s an old saying in computer science circles that ‘the only secure machines are ones that haven’t been hacked yet’.