GCHQ turns 100 this year.
Britain faces a new kind of threat. The digital world has given hostile international actors an entirely new toolkit. Cyberattacks are now one of the foremost security risks. The consequences range from disruption to compromised information and even physical harm. Targets have included banks, the NHS, power systems and, notoriously, democratic elections.
The furore over the involvement of Chinese technology giant Huawei in Britain’s telecoms infrastructure brought the cybersecurity issue to national attention. Yet foreign state interference is only one aspect of a multifaceted threat. What precisely does that threat look like? And how can Britain best secure its networks?
Few people are better placed to answer than David Omand. He was head of GCHQ, the government’s central intelligence, security and cyber agency, as well as the UK’s first intelligence and security co-ordinator and permanent secretary at the Home Office. He spent seven years on the Joint Intelligence Committee and is now a visiting professor in war studies at King’s College London. We met at the Prospect offices in June and started by discussing the most serious threat: rogue governments.
As the number of “cyberattacks by hostile states has gone up,” Omand said, leaning back in his chair, there is a “recognition that with modern attack methods, you can’t guarantee to keep the bad guys outside the perimeter.” He spoke slowly, pausing sometimes to choose his words carefully, as befits a former intelligence chief.
The classic high-level threats include sabotage, espionage, theft and also the distribution of misinformation intended to confuse. “The digital age we’re in makes it easier and cheaper. The risk is going up. And the cost to the nation doing this to us is going down.”
Alarmingly, “there is evidence that critical infrastructure, power grids, telecommunications and so on, have been pretty well reconnoitred by states like Russia and China. That is certainly true of the United States. And so the possibility of sabotage arises.”
There could be very real-world consequences. At the most serious end, for example with attacks on a hospital, there could be loss of life. Would we in the UK ever respond to a cyberattack with conventional weapons? That “depends what damage [has been done]. If people are dead as a result of some serious cyberattack, then the response has got to be proportionate,” said Omand, and “the attacker has got to recognise that.”
“The US has already made its deterrence stance clear: any serious attack on US critical infrastructure will be regarded not just as sabotage, but potentially as an act of war. The response might be a flight of cruise missiles.”
“As far as I know, nobody’s come up with a legal mechanism to allow the UK to remain a full member of Europol”
“I’m not talking here about offensive cyber,” he said, “going out deliberately to attack somebody else’s network. It’s about recognising that you have to be proactive in the face of these attacks. Companies and departments can monitor streams of data coming into and out of a network, you can identify the profile of malware that is intended to harm and block it, dangerous websites can be identified and taken down... you can make sure that anyone trying to connect to your network is a trusted party. And what’s more that their machine has updated software before they are allowed to connect. Such 24/7 security is expensive, it might indeed involve replacing old networks entirely. But if you don’t do it, then you are vulnerable.”
“At the moment, the UK is engaged in a very interesting trial of the concept of active defence. It’s being led by the National Cyber Security Centre,” which falls under GCHQ’s remit. “Anyone with the email address ‘gov.uk’ is part of this. And what has been shown over the last year or so is a dramatic reduction in the number of attack attempts.”
“If you can do that with government departments, can you do it with companies? Could you even do it with the United Kingdom itself, so the ‘.uk’ domain is protected in that active way?”
That is an interesting thought. More innovation is needed and at the highest levels. For the truth is that cyber is the new frontier. From individuals to companies all the way up to national governments, preparation is essential. We are in a race to keep up.
Yet Britain remains a leading intelligence power. We have access to first-rate equipment. Our security services are among the best in the world and have risen to the occasion before. The expectation is that they will do so again. But the stakes could not be higher.
This piece features in Prospect’s new cyber resilience supplement.