17 May 2019

At a time of permanent cyberwar, the UK must stand firm against Russia

Tim Stevens

The British government has directly accused the Kremlin of responsibility for a series of cyber-attacks on British, American and Ukrainian targets between 2015 and 2017. These include the World Anti-Doping Agency and the US Democratic National Committee in 2016.

The task of revealing cyber-attackers’ identities has in the past been delegated to junior ministers. Not this time. Instead, the foreign secretary, Jeremy Hunt, condemned Russia’s actions as “reckless and indiscriminate”and affirmed the government’s confidence in its assessment of Russia’s culpability.

Underlining the close security relationship between the UK and its European allies, the Dutch have disclosed that they expelled four Russians in April. These agents were, with the help of British intelligence, thwarted in the process of a cyber-attack on the global chemical weapons watchdog, the Organisation for the Prohibition of Chemical Weapons. These events transpired shortly after the chemical attack on Sergei and Yulia Skripal in Salisbury

The UK and its allies are increasingly open about their possession of offensive cyber capabilities and their willingness to use them

Implicated in all these operations is the GRU, the foreign military intelligence arm of the Russian armed forces. Hacking units within the GRU, known externally by monikers such as APT28 and Fancy Bear, are deemed directly responsible for these cyber-activities.

Russia has denied involvement but the UK’s National Cyber Security Centre has taken the unusual step of issuing a technical advisory, detailing precisely the methods used by APT28 to compromise computer systems.

This will not silence doubters, but it demonstrates the UK’s willingness to put as much information in the public domain as possible without compromising its intelligence sources and methods.

It is legitimate to ask whether the UK and its allies are also engaged in covert cyber-operations. Are we, too, involved in subverting and degrading the computerised assets of our strategic adversaries, perhaps even Russia?

Western intelligence agencies are undoubtedly in the networks of other states. Otherwise, we could not attribute with such confidence the role of the GRU in the DNC leaks, the role of North Korea in the WannaCry attack, or the Chinese in cyber-espionage. This is a crucial counter-intelligence function and all states are developing their capabilities.

It is a matter of record that the US and its allies used cyber means against Islamic State in Iraq and Syria. But that was in battle and any suitably competent militaries would do the same. It is less apparent how we deploy cyber-tools against other nations in times of technical peace.

The UK and its allies are increasingly open about their possession of offensive cyber capabilities and willingness to use them. The UK was the first to admit to this in 2013, a position confirmed in the 2016 National Cyber Security Strategy. The US National Cyber Strategy outlines a similar position.

The new US Department of Defense Cyber Strategy goes a little further. One of its core tasks is to “persistently contest malicious cyber activity in day-to-day competition”. This is surely the heart of the matter. All states capable of doing so are involved in ongoing and persistent low-level skirmishing in cyberspace.

String of own goals by Russian spies exposes a strange sloppiness

Each is looking for operational and strategic advantage through cyber means. Whether to collect intelligence on others’ cyber capabilities, to test their own or to inflict damage on critical infrastructures, it is often difficult to tell. If we are positioning ourselves in foreign networks as a precursor to future disruption, our adversaries aren’t saying – and neither are we.

After the Skripal attack, Whitehall was abuzz with rumours of the UK and its allies launching a retaliatory “cyberwar” against Russia. This would never be war in a traditional sense and was perhaps best expressed by a senior US official as “pushing back hard” on Moscow. We can expect this to continue. Intelligence agencies will be in the thick of it, utilising more conventional means and cyber methods – with the continued reconnaissance of foreign networks, extraction of actionable intelligence, and possible subversion of adversaries’ decision-making processes via computer networks.

What else can the UK do to pressure Moscow into changing its behaviour? There will be no UN security council resolutions, care of a Russian veto and probably one from China too. Doubling down on EU sanctions may also be a non-starter given the fractious UK-Europe relationship, not to mention those wishing to relax not strengthen sanctions against their energy-rich neighbour.

It is a suboptimal solution, but perhaps the best the UK can do is to show resolve in the face of alleged Russian aggression. It needs to preserve the moral high ground in this dispute and demonstrate to the world its commitment to international laws and norms, as Theresa May has asserted. The hope will be that, in time, Russia reins in its activities before escalation leads to crisis and a confrontation that nobody wants.

• Tim Stevens is a lecturer in global security, department of war studies, King’s College London

Since you’re here…

… we have a small favour to ask. More people are reading and supporting our independent, investigative reporting than ever before. And unlike many news organisations, we have chosen an approach that allows us to keep our journalism accessible to all, regardless of where they live or what they can afford.

The Guardian is editorially independent, meaning we set our own agenda. Our journalism is free from commercial bias and not influenced by billionaire owners, politicians or shareholders. No one edits our editor. No one steers our opinion. This is important as it enables us to give a voice to those less heard, challenge the powerful and hold them to account. It’s what makes us different to so many others in the media, at a time when factual, honest reporting is critical.

No comments: