It’s vital that all countries follow international rules and norms if deploying cyber weapons, but some nation states aren’t being responsible when it comes to how they use cyber powers, some of the UK’s top intelligence and cyber chiefs have warned.
In a rare joint appearance in public at Chatham House, Jeremy Fleming, director of GCHQ, the UK’s intelligence and security organisation, and General Sir Patrick Sanders, commander of UK Strategic Command, which leads on the cyber domain for the military, detailed how cyberspace is becoming an increasingly important area of military operations and international relations.
The discussion involving the two intelligence officials came just weeks after the UK announced the National Cyber Force, a new offensive unit to take on and disrupt activity by cyber criminals and nation-state hacking operations.
“The domain is changing very quickly and we need now as a nation to be building out from our defensive posture to take advantage of all those benefits that come from technology, but also be able to contest cyberspace,” said Fleming.
“To be a responsible cyber power, we need to defend the digital homeland, we need to be able to disrupt and compete in cyberspace and we need to do that in accordance with international law and internationally agreed norms,” he added.
Cyberattacks and hacking campaigns have become an increasingly common part of how countries attempt to gather intelligence – and the discussion took place just as it was revealed that Russian intelligence services were behind a large hacking campaign that compromised departments across the US government.
“The thing that’s changed for me most is the intensity and the range and the scale. And cyberspace is now not only the most contested domain that we operate in but it’s one where there’s a state of permanent perpetual confrontation,” said Sanders.
“Cyberspace has become a domain of operations. And so we have to, when we’re thinking about military operations, be able to exploit cyberspace, defend ourselves in cyberspace and crucially integrate effects of cyberspace with what we do on land, air and sea – and in space,” he added.
Both intelligence chiefs pointed out that while the use of cyber weapons is increasingly on the agenda for the UK – and they’ve already been deployed – it’s important that they’re used appropriately.
“When we apply force in cyberspace we’re guided by the same principles as when we use kinetic force: military necessity, proportionality, discrimination and humanity,” said Sanders.
“So the idea we’d construct some kind of a cyber weapon of mass destruction… and use that indiscriminately is directly counter to international law… but it’s contrary to our values and it’s counter-productive. We’re trying to establish norms in cyberspace.”
The world has already seen the unintended consequences of what happens when cyber weapons get out of control; May 2017’s WannaCry ransomware attack encrypted networks around the world and was followed just weeks afterwards by NotPetya wiping networks of organisations around the world – both used the same EternalBlue vulnerability that formed part of a leaked NSA hacking tool.
North Korea was found to have launched WannaCry while the NotPetya attack has been attributed to the Russian military. Both attacks were designed to be self-perpetuating – and both are likely to have spread further out of control than those behind them would’ve liked.
“In those consequences, what we saw were tools that self-proliferated in a way that I am sure the states behind them had not intended. The question is how do we stop that sort of thing happening?” said Fleming.
“The way in which we think about capability and the way in which we plan operations, the legal and statutory and oversight behind us mean we have a very different starting point to those states that have released those sort of capabilities. I’m aware of no responsible state that is designing tools that are self-proliferating in that way,” he added.