Cyber war and the reality of cyber attacks

CYBER 'WAR' AND THE REALITY OF CYBER ATTACKS

19th March 2024

Photo credit The Economist

“Ever since Hollywood movies like War Games started imaging computer generated Armageddon way back in 1983, popular depictions of cyber-attacks have tended towards the apocalyptic. So too, at least in the early days of the digital revolution, did Governments’ rhetoric – highly placed Americans spoke of the risks of a ‘Cyber Pearl Harbor’ or ‘Cyber 9/11’. Decades on, the reality of cyber-attacks is much more pernicious: their impacts being more chronic than catastrophic. As one industry expert put it, cyber gives rise to ‘weapons of mass annoyance’ rather than ‘mass destruction’. But that ‘annoyance’ is becoming ever more dangerous and damaging: the disruption of hospital administration with consequences for patient care; assisting military attacks on civilian targets during war; strategic data losses leading to widespread and justified fear; huge economic losses, and more. As we move toward the age of AI, what can we learn about the real dangers of cyberspace, and what lessons does this have for our protective strategies?”

The Speaker

The topic was introduced by Professor Ciaran Martin, CB, who is a Professor of Practice at the Blavatnik School of Government at the University of Oxford. He also works with various cyber security companies. From 2014 to 2020 he set up and then led the UK’s National Cyber Security Centre, part of GCHQ, on whose board he served throughout that period. He spent 23 years in the civil service, with roles in the Cabinet Office, HM Treasury and the National Audit Office. A native of Northern Ireland, he is a graduate of the University of Oxford. He is also a Visiting Professor at the University of Texas at Austin.

Introductory Presentation

Cyber security and cyber warfare have a somewhat lurid history. Various films, articles and front covers on respected magazines such as the Economist have suggested forthcoming Armageddon.

However, the current threat is pernicious and chronic rather than catastrophic – mass annoyance rather than mass destruction. In warfare itself, such the conflict between Russia and Ukraine, it is undermining and harassing, e.g. its effect on the power grid. But, there have been no deaths directly from the cyberwarfare itself. There need to be defences against cyber-attacks but such defences will not replace conventional resources. Conversely, in the more general field of security, there have been huge losses of critical data, e.g. the USA’s security database stolen by China.

The often-cited Stuxnet attack on the PLC’s controlling Iran’s uranium enrichment centrifuges was unusual and very expensive. Arguably, it was de-escalatory by preventing a physical warfare by Israel on Iran.

More common are attacks which disable services which people have come to rely upon or serve the population more widely, such as:

Hospital ambulance and admission processes, but not operating theatres
Local authority services such as the one on Leicester City Council on 7th March
Charities, e.g. International Committee of the Red Cross
Cultural services such as those provided by the British Library which, at the time of writing, has been digitally disabled for almost six months and who have reduced functionality on their 170 million item catalogue

Many of these are ransomware attacks demanding payments in Bitcoin to restore services. Ciaran mentioned that companies attacked are likely to be contacted by a sophisticated, besuited, office-based ‘account manager’.

Overall, the perpetrators, as well as seeking money, are mounting assaults on Western values, ethics and ways of life. Russia is a frequent source. There they are tolerated and attacks are not illegal under Russian law. Iran, North Korea and China are other sources.

When considering the role of AI in cyber-security, there is a lot of over-wrought comment and people may suspend critical judgement – we are not sliding towards the apocalypse that has been promised for some decades.

Having said that, key safety systems, such as air traffic control and railway signalling, should not depend on networks and competent cyber-management is a core requirement of all organisations.

Discussion

The questions were addressed by discussion groups who through rapporteurs’ summary presentations made the following points:

Discussion point 1:

Many commentators are calling the Russian invasion of Ukraine the world’s first cyber war. Do the tables agree with this analysis?

All the tables disagreed with this point. Cyber warfare is a nebulous concept. There have been many instances of the use, or suspected use of cyber-attacks in the past, for example, the invasions of Georgia and Crimea, the Brexit referendum, and the US election of Trump as president. Chinese camera systems are prevalent in the UK, representing a potential cyber threat. But propaganda and dis-information has been used in warfare since time immemorial, e.g. Britain’s demonisation of Napoleon Bonaparte as an under-sized tyrant.

In Ukraine, cyber warfare is being employed, but the main threats are physical including boots on the ground, artillery and WW1-type combat on the battlefield.

Discussion point 2:

In a world most observers agree is more threatening than at any time since the end of the Cold War, what does the table believe are the implications of the defence posture of the UK?

Ukraine has shown that we need to have a response to the full spectrum of threats, including trenches and tank warfare, which some politicians considered redundant.

Modern armaments are expensive and both difficult and time-consuming to manufacture. Stocks are low and will not last long in an extended conflict. Production lines are difficult to re-establish. They are also vulnerable to alternative low-cost, low-tech threats such as drones which have become an effective and low-cost form of warfare.

Is constructing two large vulnerable aircraft carriers the best use of resources? They were not even deployed to operate in the Red Sea to defend against attacks from the Houthis in Yemen.

Hopefully government has close links to the main leading AI companies, such as Deep Mind in London, to stay updated with the latest developments.

Discussion point 3:

Sir Geoffrey Hinton says that “we have set out to create something that is cleverer than ourselves and we are going to succeed”. What is the table’s view on how potentially serious consequences of AI can be managed?

The tables had a more balanced view of artificial intelligence, including regarding it as a source of plausible nonsense.

Mustafa Suleyman’s book ‘The Coming Wave’ describes the AI ‘revolution’, but also the linked wave in synthetic biology, which feed off and reinforce each other. He co-founded Deep Mind which was bought by Google. Deep Mind has calculated the 3D structures of all the main proteins for the first time which will have a major impact, including potentially generating malicious organisms and artificial life.

Standard regulation is not enough. Currently there are many initiatives but little co-ordination. Steps to enhanced safety suggested in ‘The Coming Wave’ include:

Use the profit motive, which is driving the waves, to incentivise safety.
Try to develop programmes for technical safety using common standards.
Avoid draconian laws that stifle AI research which has many potential benefits.
Buy time using a ‘Test Ban Treaty’ approach.
Make containment a responsibility of the developers.

Alliances and treaties between like-minded countries are essential.

Conclusions

The overall conclusion is that cyber-threats are not life-threatening but can be very disruptive. In warfare, cyber capabilities can’t replace conventional defences. There is a lot of hype about AI and there is a danger of missing everyday threats by focussing too much on it. Most importantly, real competence is required in all organisations to guard against cyber-attacks that have a high probability of happening (3 out of 4 US organisations report some effects).