The former head of the National Centre for Cyber Security warned that some people in the British government have a deep misunderstanding about cyberspace, online warfare and information security.
Chiaran Martin, who resigned as head of the NCSC earlier this year, also warned politicians against viewing the online world as a theatre of war, he said: We’re militarizing the Internet against our threat.
In his speech last night at King’s College in London, Mr Martin called on the public sector to pay more attention to the security of the Internet and British users, instead of finding the red button to start a cyber war.
Both politicians and civil servants who would not hesitate to invite a layman to look at the activities of an aircraft carrier can be strangely respectful and therefore indisputable when faced with discussions about digital possibilities, Martin said, referring to Britain’s offensive cyber tools.
The NSCC did not deter Nova’s headquarters behind London’s Victoria Station in the days leading up to VIDOC.
Just this week, GCHQ discovered that it had hacked into the bad guys of the Russian government by spreading false news about coronavirus vaccines. This is the second time the British state has actively attacked someone else. In 2018 the first case was against the Islamic state.
Martin’s warning came a few weeks after the Chief of Defence, General Sir Nick Carter, asked Britain to expand its cyber warfare capabilities to provoke countries like Russia and China.
Indirectly, Martin referred to this school of thought, he says: Comments like We have to fight in cyberspace against those who attack us imply that the cyber domain is closed as a boxing ring and that only the same possibilities can be used against opponents. Although it is clear that there is no reason to fight cybernetics.
But there are exceptions to this, as well as to any good rule, according to the former head of the NCMC. An online contest is very useful if you want to destroy the criminal infrastructure of C2 and/or botnets, as happened a few weeks before the U.S. presidential election earlier this month. Where it’s less effective is keeping potential aggressors at state level.
He went on to say:
It also plays into the hands of cyberpolitics, which provoke dissatisfaction and information service at a high level: the attribution of the attacks. What good is it to countries like Iran, Russia, China and North Korea to name and shame them when they turn to British companies or the digital infrastructure of the public sector? Will it make Kim Jong-un think? Hmm, you better call the cyberboys back before Dominic Raab calls me back?
Attribution does not have this effect, according to the non-profit organization GCHQ Martin, who in all my operational experience I have seen absolutely nothing to suggest that the existence of Western cyber capabilities, or our willingness to use them, prevents attackers. I haven’t seen any convincing research either.
With regard to the award at the beginning of the month, Paul Chichester, Director of Operations at NCSC, told the registrar : We believe that allocation, as part of a wider campaign, is a valuable tool in the British Government’s toolbox. There are a number of things that we, as NHSC, do together with other departments to counter threats. The audience award is part of this… The deterrent effect of the internationalisation of this work comes with time, which is why we consider it an important tool.
What works, according to Martin, is the application of sanctions against hackers from different states. While the Russian boss probably doesn’t care about not being able to throw a dozen of them into premium bonds or open a savings account in a post office, the 20- and 30-year-olds who work for his hackers are probably less shy to never be able to visit countries that have extradition treaties with the United States, so the charges brought against them by the U.S. Department of Justice are not activated.
The Obama administration’s brilliant innovation of bringing criminal charges against hostile state actors has done more to deter the activities of hostile states than any retaliatory attack: not only by embarrassing the accused states, but also by denying any of the accused the opportunity to travel to the West for life, Martin agreed.
His full speech, a reasonably readable document, is available on the website of the Beach Group at King’s College. You can also sit down to drink tea and cookies and watch the video of the shed. ®