The UK’s attorney general has clarified the government’s position on state-sponsored cyber-attacks, saying the country will fight back against any nation seeking to cause it harm and continue to attribute serious online threats.
Speaking at the Chatham House Royal Institute for International Affairs on Wednesday morning, Jeremy Wright became the first minister to set out the UK’s opinion on how international law applies to cyberspace.
“The UK considers it is clear that cyber-operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self- defence, as recognised in Article 51 of the UN Charter,” he argued.
“If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber-operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber-operation to disable air traffic control systems which results in the same, ultimately lethal, effects.”
Wright also claimed the UK would continue to work to name and shame the countries which launch such attacks, claiming that if more states get involved in such work the assessment will be more certain.
“It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community,” he added.
It’s unclear why the government chose this time to state its position but it can’t be a coincidence that state-sponsored attacks have increased over the past year. In November 2017, NCSC boss Ciaran Martin pointed to Kremlin attacks on the UK’s critical infrastructure, and in April this year the GCHQ body issued a joint alert with the US authorities of further Russian attack campaigns.
That’s in addition to the WannaCry ransomware attack that caused major outages at the NHS — subsequently blamed on North Korea.
However, Priscilla Moriuchi, director of strategic threat development at Recorded Future, argued that public naming and shaming is a double-edged sword.
“On one hand [it] allows companies, individuals, and governments to tailor their responses to and assess the risk involved in intrusions, intellectual property theft, and customer data loss. Public attribution puts a cyber-intrusion into context and assists governments in defining norms of behavior in cyber-space,” she said.
“On the other hand, there is scant evidence that public attribution deters nations from conducting cyber-enabled espionage. Naming and shaming may dissuade nations from executing destructive or disruptive cyber-attacks because of the real-world, life-and-death consequences, however public attribution as a deterrent for cyber-espionage or intellectual property theft remains unproven."