The hackers are on the offensive. The election in the United States, the NHS, banks, businesses, even parliament itself have fallen victim to cyber-attacks over recent months. Cyber security has rapidly gone from a fringe anxiety to an all-pervasive mainstream worry. This in mind, I spoke to David Omand, former director of the UK’s surveillance agency GCHQ, who has been involved with worrying about this issue for a good deal longer than most. He explained just how grave a threat hackers pose to Britain.
“Cyber-attacks have risen up to the top rank of worry that any national security council has to think about. They are the new normal,” he said in an exclusive interview. Worse, “over the next five years, we’re in for much more of this,” he told me. There is “quite a lot of work to be done” even, startlingly, before government departments are secure from malignant actors online.
“The availability of the kind of tools that mid-level criminal organisations can use has increased. So inevitably there are going to be more attempts by them. I think that’s pretty clear.” The public quite simply has a “lack of awareness of the threat.”
But crucially, countries face threats not just from such criminal gangs but also from nation states. The latter pose a particular danger: they are “very difficult to stop, because they’re very good at it.” Pressed on the question of whether Britain specifically is likely to be targeted by a cyber-attack from a nation state in the coming years, Omand was hesitant to be drawn, but did concede that “both the Russians and Chinese have shown themselves to be determined"—an sobering comment for those tasked with keeping Britain safe.
"The public has a lack of awareness about the threat"Omand suggested that cyber-wars could in the most extreme circumstances turn into wars plain and simple, suggesting that we could respond to future attacks on critical infrastructure with conventional weapons: “If someone was doing serious life-threatening damage and there wasn’t any other way of stopping them,” he said, speaking slowly, “then they ought to think seriously about the kind of capabilities the UK could bring to bear.” This is, he argued, “an extension of the right of self-defence argument.”
His comments echo controversial remarks made by Michael Fallon, the Defence Secretary, during a speech at Chatham House in June. Fallon suggested that Britain would consider launching air strikes—even sending in ground troops—against perpetrators. That leading intelligence figures are now adding their voices to this argument is noteworthy, with potential implications for policy.
Omand’s intervention could not be more pressing. In recent months, cyber-attacks have made the headlines countless times. Not only does Russia stand accused of hacking the US presidential election last year, in recent weeks it is alleged to have targeted critical Ukrainian infrastructure. If you were hoping the UK is guarded against hostile interference, recent events have proved it is not: in May, malicious software called “WannaCry” crippled the NHS. With surprising candour, Omand explained that “one or two” cyber-security companies have told him “They suspect it may well be the North Koreans who were behind this attack.” In June, trouble struck again: hackers attempted to gain access to MPs’ email accounts.
Omand speaks in a deep voice, and paused to think for several seconds before offering each of his replies. Now 70, his experience goes way beyond his time at the helm of GCHQ: after that, he was Permanent Secretary at the Home Office and then the UK's first intelligence and security coordinator. He has also served for seven years on the UK's Joint Intelligence Committee, and is now a visiting professor in war studies at King’s College London.
The problem is that we “can’t just defend ourselves by putting up a cyber wall around the United Kingdom,” he said. That is because, for better or worse, the UK’s digital infrastructure and the systems it carries are now inextricably linked with the digital infrastructure in other countries. We are all connected. Worse still, “not every country has quite realised that they could become the target of attack,” Omand said. This total lack of awareness is “clearly a worry.”
“You’re only as strong as the weakest link,” as Omand put it. “Everybody has to raise their game... and that’s why I think there’s a lot more co-operation going on internationally now and people talking to each other, which is the best practice when trying to improve security.”
As our conversation was drawing to a close, Omand made ominous comments about culprits around the world, and the methods they are using. The foes he wants to UK to have in its sights are very much the ones you’d expect. “We have at the moment, it appears, a Russian offensive against western institutions and against countries like the UK... and one form this is taking is hacking to steal information and ‘weaponising it’ by releasing it onto the Internet." Cyber theft of intellectual property has also been conducted on a massive scale: "the Chinese were very prominent in that in the past," Omand explained, drawing on his experience.
At the start of the year, the Queen unveiled the UK’s new National Cyber Security Centre, that describes itself as "proudly part of GCHQ." A moment for Omand to cheer you might think, but the mood doesn’t lighten as this crops up. This important new capability comes, he says, as a “recognition that the previous model for securing UK cyber space simply wasn’t delivering results fast enough.”