The UK Government Must Act Now on Cyber-Threats

Written by

Whenever I try to make my friends and family alive to the real risks cyber poses, they often retort with “blah, blah, blah.” But make no mistake; this is a great concern for us all. The complicated mess of North Korea’s online assaults and ISIS’s inexhaustible rise has served to highlight the escalatory nature of sinister cyber activity. Targets now include ATM networks (your money), energy grids (your heat and electricity), air traffic control (your flights), and much more.

Many aspects of our online lives could be switched off with just the click of a mouse. And it gets worse; the cyber domain has a low cost of entry and is devoid of international norms, regulations, laws and even terms of reference. The cyber assassin is left untethered, enjoying carte blanche over a lawless, ubiquitous domain – a virtual wild west. It’s worrying stuff.

Whilst this sounds like something from Die Hard 4, let’s be under no illusion. Over the last five years, the international community has witnessed a rising tide in pernicious activity targeting corporations, industry and state. The strike on Sony and the hacking of the Playstation and Xbox online networks are just two of the most recent, public (and relatively speaking, minor) examples of cyber-attacks.

Examples such as Stuxnet and the Shamoon virus’s infiltration of Saudi Aramco’s 30,000 computers illustrate the enormous damage that can be exacted. It is no small wonder that the National Security Council now considers cyber-attacks one of the four highest priority risks to UK sovereign security.

Worryingly, the UK is under-resourced and ill-equipped to deal with this. Very little progress has been made in the way of formulating meaningful policy or strategy. Instead, the government appears to be more preoccupied with targeting lower-level cybercrime – point-of-sale malware, phishing etc – and the comprehensive accumulation of online information.

There are two constructive policies the government can swiftly enact, both with relative ease and at very little cost. In its first measure, the government should initiate international talks to devise an explicit set of terminology for the cyber domain. Governments and the wider community remain baffled by a plethora of nebulous definitions, perpetuated mostly by an ill-informed press under the ‘cyber warfare’ tag. 

“Governments and the wider community remain baffled by a plethora of nebulous definitions”

There is a clear need to define the various strands of malicious cyber activity that cannot be attributed to the ‘cyber warfare’ misnomer. With this in mind, I use the acronym TWESC to summarize the categorizations that exist:

    •      Cyber Terrorism: A person or group which intends to disrupt, damage or destroy public or private property or seeks to terrorize citizens in order to achieve a political, religious or idealistic aim through cyberspace.

    •      Cyber Warfare: A state-sponsored attack or response that leads to an engagement through cyberspace, in addition to the use of technology as part of an established conflict.

    •      Cyber Espionage: A person, group or state which penetrates public or private networks in order to gain classified information.

    •      Cyber Sabotage: A person, group or state which disrupts or damages public or private entities through cyberspace.

    •      Cyber Crime: A person, group or state which engages in cyber activity that violates sovereign and international law.

This acronym offers a set of terminology for the types of known activity that come from the fifth domain, giving clarity and breaking down much of the confusing language surrounding this emerging platform. Many of the sanctions and consequences relating to activity nestled within these terms are not necessarily exclusive. The reality is that each rule can, on occasion, act as a relative cause and/or consequence of another; a cyber war would most likely incorporate the acts of cyber espionage and sabotage.  

In its second act, the government should generate agreed restrictions on the use of cyber capabilities. International law already prohibits the use of chemical, incendiary and nuclear weapons for the safety of humanity and it is time to treat the use of cyber’s most harmful components with the same limitations. This existential threat has the capacity to disrupt, damage and destroy the operational running of our national systems and infrastructure, yet stands wholly unregulated.

Imagine, the human fallout of a concerted attack that switches off dialysis machines in a hospital – the consequences would be devastating. I am not suggesting such restrictions should impede technological development, but simply prevent the misuse of science’s most deleterious innovations.

All things considered, this is not such an enormous task. I am asking for the UK government to take the prudent and necessary steps to formulate coherent policy and the laws and sanctions that follow. The government has the opportunity to seize the initiative here – it would require very little international drive to table a motion of this kind. Let’s get on with it and tackle this very real and present danger. 

About the Author

Ash J. Hunt is a researcher on transnational cyber policy. He has authored several articles and publications. In 2013, he was the sole British delegate to the UN Conference on the Development of Communication and Technology Policies. He has also worked for the Under-Secretary of State, Lord Astor, the Ministry of Defence and the Cabinet Office.

What’s hot on Infosecurity Magazine?