Kremlin-backed hackers have long been using Ukraine as a Petri dish for cyberwar experiments. Now, as tensions on the borders are escalating, we must prepare not just for a military incursion, but for a whole new form of hybrid warfare.
We need only look at the 2017 Russian state-sponsored ‘NotPetya‘ virus that caused more than $10 billion worth of damages in total to appreciate how devastating such attacks can be. At the epicentre of this ‘digital hydrogen-bomb’ in Ukraine, national transport infrastructure ground to a halt, people were unable to withdraw money from ATMs and even the radiation monitoring system at the Chernobyl Nuclear Power Plant went offline.
As recently as the 14th of January 2022, a cyber-attack shut down over a dozen of Ukraine’s government websites. Computer hacks might not be lethal in themselves but coupled with conventional military power they generate a dangerous new front – with disruption and power outages opening the door for shock and awe tactics to be used to great effect.
And globalisation has only widened the reach of these kinds of tactics – as rogue nations increasingly target international businesses. Maersk’s global shipping operation was crippled by NotPetya and, especially worrying during a global pandemic, the pharmaceutical giant Merck was sabotaged and left unable to manufacture essential vaccines.
As a result the most recent attack, the National Cyber Security Centre (NCSC), the technical authority on cyber-threats in the UK, updated their guidance and encouraged British businesses to strengthen their resilience to being hacked.
In addition the UK Government has put aside a total of £2.6 billion for cyber and IT, a significant increase over funding for the previous five years. However, with the UK Government pledging the creation of regional cyber clusters around the UK as part of the Levelling Up agenda, we need to be conscious that if we attempt to standardise security protocols across multiple corporations, we must guarantee that the overall effectiveness of the security in each company is improved – not weakened – as a result.
More funding should be put into a defensive technique known as ‘honey potting’, whereby a computer is set up to be purposefully vulnerable but isolated from the rest of a system. The ‘honeypot’ computer acts as bait, drawing in hackers and enabling us to observe their methodologies and learn how to protect ourselves. We can effectively lock in a piece of malware and observe how it acts to learn how to better respond to similar attacks in the future.
I firmly believe that cool heads can, and still will, prevail over Ukraine. The Prime Minister is right when he says dialogue is our best way to defuse the current situation. However, we should not ignore the stark lessons from history of authoritarian regimes annexing sovereign states. Russia and other countries such as China and Iran pursue an aggressive realist foreign policy agenda, maximising their power and influence, with little regard for the tolerant and democratic values that we in the West hold dear.
So appeasement cannot be an option. That is why I have been buoyed by the recent support that NATO and the UK Government have given to Ukraine. I am proud that our Armed Forces have trained over 20,000 Ukrainian troops and supplied their military with state of the art anti-tank weaponry. But if the worst were to happen and conflict broke out, we must be prepared for how the ever-changing nature of warfare has rapidly evolved into the cyber domain.
Therefore we should be actively seeking to deter Russian cyber incursions on NATO and its allies. The best deterrence is, of course, the outstanding reputation held by GCHQ globally. But we now need to prove that there are serious consequences to cyber-espionage and hacking. I am pleased to see the Government intends to bring forward legislation that allows for tougher sanctions on Russia. I argue that new sanctions should also be implemented with explicit reference to Russian cyber activities when they occur.
The UK Government, surely, must consider pursuing a policy of retaliatory cyber-attacks as a form of deterrence. Such a policy would be similar in principle to the theory of Mutually Assured Destruction from the Cold War. One of the primary reasons the USSR never used a nuclear weapon on a NATO member is that fear of retaliation is a powerful weapon.
Unlike traditional armies, cyber-attacks are an invisible threat. They strike from the shadows and are difficult to respond to by conventional means. Nonetheless, cyber-security is now integral to how warfare will be conducted and the United Kingdom must be prepared to act accordingly.
Click here to subscribe to our daily briefing – the best pieces from CapX and across the web.
CapX depends on the generosity of its readers. If you value what we do, please consider making a donation.