Whether or not we think about it every day, we live in a rapidly changing world. Nowhere is this more true than in the field of technology. In 1993, there was a total of 130 websites in existence.
Only a handful of experts had heard of the world wide web. By the end of last year, however, this had risen to more than 700 million sites; and for billions of people around the world, internet access had become a cornerstone of modern life.
It would be foolish, therefore, to ignore some of the new threats the United Kingdom faces as a result of such huge changes. On a security and defence level, it is clear to me that one of the greatest of these new threats is cybercrime — including cyberterrorism and cyberwarfare. The problem is a creeping one. As the UK has become more dependent on technology to lubricate the wheels of everyday activities, it has become more vulnerable to both the failures of the technologies themselves and the ability to access them. We are being drawn inexorably into the era of the war of the invisible enemy. This is not like the Cold War, where individual spies smuggled small pieces of information to their Soviet handlers in London clubs or Viennese cafes. Nowadays we have the unimaginably vast theft of electronic material by Edward Snowden, who immediately jumped on a plane to Hong Kong and then to Moscow.
A small problem — one disloyal junior employee — can thus become a very large one. Likewise, when the Chinese shot down one of their satellites in space, it was not to show themselves that they were capable of doing so — but to demonstrate it to the rest of the world. The naval fleets of the West may be advanced and powerful, but they are useless if they cannot be linked up via satellites. Small flaws in western systems can lead to massive problems.
Britain must be clear about who exactly its enemies are. Contrary to the image portrayed in the media and popular culture, cybercriminals are not typically geeky teenagers. They tend to be veritable armies of terrorists, agents of hostile states or drug cartels. They use fraud and extortion to fund their activities and do so on an industrial scale. Those who leave themselves vulnerable to these activities make themselves part of a national security threat, usually as a result of lack of diligence or understanding. Cybercrime that targets the state can often find an entry point further down the food chain. A disturbing example of this was a hack known as “Titan Rain”, believed to have been the work of Chinese groups. It started in 2003-2004 as an attempt at corporate espionage, lifting sensitive information from the computer networks of major US defence contractors. But it spread in 2005-2006 to attack the networks of the US Department of Defence, and the UK’s Ministry of Defence (MoD). The MoD declined to say whether its systems were compromised. It is believed, however, that the same attack managed to shut down the House of Commons computer system in Britain for almost a day in 2006.
One of the major challenges is the need to persuade both the public and the military that more must be spent on the invisible technology that will protect them from these new threats. In a time of continuing austerity, this may mean spending less on the things that can be seen — traditional military capabilities — so that the country can invest in things that cannot be seen — cybercapabilities. The UK also needs to develop a proper cyberdoctrine in the way it did at the start of the nuclear era. It needs to determine how it would respond to potential existential threats and how it can deter and, if necessary, deal with cyber aggression.
There are two other key areas for change. The first is legislative and the second is organisational. I believe that the law needs to be changed in two major ways. It is a serious concern that outright denial of cyberattacks is too often the response of companies that are primarily worried about their reputations. But if the fund holding my pension is being hacked and my money lost, I want to know about it straight away.
That is why I believe the British government needs to change the law to make it illegal to be hacked without informing shareholders and other stakeholders. The second change I believe Britain must see is in relation to those who do business with the government. To avoid attacks via the weakest link, the government should insist, legally, that any organisation with which it does business should have a minimum defined level of cybersecurity or be excluded from government contracts. Finally, I would like to see all government cyberactivity, including offensive and defensive capabilities, concentrated in one place and answerable to a single ministerial portfolio.
The UK cannot afford either the luxury or risk of unnecessary duplication and diversion of resources. Those with the necessary skills to keep us secure in this changing world must play an active role in government.
— Telegraph Group Limited, London 2016
Dr Liam Fox is a former British defence secretary.
