Security strategy based on cyber ‘conjecture’

By Alex Stevenson

Politicians are struggling to justify the national security strategy’s focus on cyberwarfare because it is based on little more than “conjecture”, a leading expert has told

Dr Paul Cornish of global affairs thinktank Chatham House, whose work on the need to protect Britain’s cyberspace has helped make the UK among the leading states addressing the growing threat, admitted his field was the most difficult to justify in terms of public spending.

Senior government officials acknowledged the question of “how to bring it alive to people” was a pressing one.

Dr Cornish’s comments came as the government’s national security strategy placed cybersecurity in the top tier of threats facing Britain, alongside terrorism, small-scale warfare and national disasters.

States such as China and Russia are increasingly presenting the UK with the threat of attacks on the country’s key infrastructure, rather than a nuclear assault.

Recent attacks on Estonia and Georgia following diplomatic spats with Russia have resulted in major internet problems which have even shut down some cash machines.

There is increasing evidence the UK is not isolated from these threats. Last week the head of GCHQ Iain Lobban warned that the government was receiving 1,000 deliberate malicious attacks via email every month.

And home secretary Theresa May told the Today programme that over half of all the malicious software ever identified were spotted last year.

“Attacks in cyberspace can have a potentially devastating real-world effect,” the national security strategy noted.

“Government, military, industrial and economic targets, including critical services, could feasibly be disrupted by a capable adversary.”

The document cited the $1 trillion annual cost of cybercrime and the 12 million cyberattacks on Beijing during the 2008 Olympics to demonstrate the threat.

But its only example targeting “critical services”, the Stuxnet computer worm discovered in June, did not do any damage to the UK.

Dr Cornish told “The problem with cyber is this is all new, this is all conjecture. In a sense it is the most difficult point to make in terms of public spending.

“This hasn’t actually really happened yet. [We argue] ‘we need to spend money to stop it happening’. [They say] ‘give us the evidence’. There isn’t any evidence.”

A government official said Britain had already established “world class” capacities to understand what is going on in cyberspace.

“We don’t want to wait for planes to be falling out of the skies before addressing it,” he said.

The national security strategy comes a day ahead of the strategic defence and security review, which is expected to cut the Ministry of Defence’s budget by eight per cent.

Despite the cuts, funding targeting cybersecurity could receive a cash boost of up to £500 million, the Telegraph newspaper reported. That will be confirmed tomorrow.

The ongoing emphasis on the terrorist threat from international groups like al-Qaida means Britain’s security services are likely to be protected from harsh cuts.

One of the reasons for the shift away from large-scale conventional warfare is that cyberwarfare presents an increasingly attractive alternative because of its unattributable nature.

“It’s all deniable. It’s all difficult to attribute to anyone or anything” Dr Cornish explained.

“Because it’s so deniable, it seems to me unlikely you’re going to get a virus coming from country X with country X’s name on it.”

Like ongoing struggles against terrorist groups, conflict in cyberspace can be characterised as “classic asymmetric warfare”, he explained.

The government does not intend to develop an offensive cyber capability but will remain on a strictly defensive footing.

“It is an uncertain world and risks are arising that wouldn’t have been risks ten years ago,” the official added, explaining cybersecurity’s prominence in the overall strategy.

“We are trying to take notice of that and respond to it.”

Dr Cornish added: “You can wreak a lot of damage with just half a dozen blokes in a garage somewhere. What we do know is there are countries that are taking cyber operations extremely seriously and investing huge amounts of money in it. What are we going to do about it?”