The UK must place itself at the forefront of cyber warfare capabilities while remaining fully cognisant of the consequences of weaponising cyberspace, according to Andrew Beckett, head of cyber services at Cassidian UK.
Briefing journalists on 20 November at a location close to Bletchley Park in Milton Keynes (the UK's famous Second World War deciphering station), Beckett argued that "in this day and age, having a strong defensive and a strong offensive capability in cyber is absolutely essential".
He cautioned, however, that cyber-weapons need to be very specifically targeted. "You tend to target a cyber-weapon based on the hardware, the software, the infrastructure of your target organisation," he explained, but "no matter how much you target, you cannot guarantee that only your intended target is going to be affected".
"A traditional kinetic weapon has a defined blast radius; you know what it's going to do and, once it's been used, that's it," said Beckett. "If you release a cyber-weapon, particularly over the internet, you cannot guarantee what will affected and where."
By way of example Beckett noted that Stuxnet, a very heavily targeted computer worm that the United States, with possible Israeli assistance, used to disable Iranian uranium enrichment facilities in mid-2010, "also affected a car plant in the US, which was shut down for several months because they were using the same centrifuges [as the Iranians] to purify paint".
Interestingly, he noted that Stuxnet had been "in the wild" on the internet for two years before finding its way into Iran's nuclear facilities.
Beckett was speaking in light of the 28 September announcement by UK Defence Secretary Philip Hammond that, as part of a GBP500 million (USD805.6 million) initiative by the UK Ministry of Defence to create a Joint Cyber Reserve Unit, the UK would also be developing an offensive cyber capability. Asked by IHS Jane's if Hammond was right to signal the UK's development of an offensive cyber capability, Beckett replied: "We have seen, over the years, America is doing it, the Chinese do it, the Russians do it. I think it was right to say that the UK has such a capability because it does have a deterrent impact, but we just have to be careful how and when we use it."
The potential use of a cyber-weapon "because it is cheap, because it can be done at a distance, because it can be done without bloodshed, might seem attractive, short term, to politicians, [but] you can't guarantee that," Beckett warned. "You can't guarantee that it won't be used against you or your allies, and a lot of thought needs to go into the decision to deploy a cyber-weapon as a solution."
He noted that "the safest way is to attack organisations that are disconnected from the internet and have cyber-weapons delivered by special forces or intelligence agencies, maybe using social engineering so you actually deliver it to the home PC of somebody who works in your target organisation".
Beyond the unintended consequences of using cyber-weapons, Beckett noted that another drawback to their use was that "people get to see it", potentially allowing an adversary - or any hacker in cyberspace - to retarget a nation state's cyber-weapon. "You're arming the very people you're fighting against," he said, warning that "the potential for fallout is huge" and that, for example, the "supremely elegant coding of Stuxnet" was now out there in cyberspace: "a ready-made cyber-weapon waiting to be retargeted".
Beckett also warned of the threat from countries where an absence of cyber-related legislation allows individuals to commit cyber crime without fear of prosecution.
Further to this, he noted that a number of countries typically hostile to the West can harness such individuals and effectively "punch above their weight" in terms of their offensive cyber capabilities.
Briefing journalists on 20 November at a location close to Bletchley Park in Milton Keynes (the UK's famous Second World War deciphering station), Beckett argued that "in this day and age, having a strong defensive and a strong offensive capability in cyber is absolutely essential".
He cautioned, however, that cyber-weapons need to be very specifically targeted. "You tend to target a cyber-weapon based on the hardware, the software, the infrastructure of your target organisation," he explained, but "no matter how much you target, you cannot guarantee that only your intended target is going to be affected".
"A traditional kinetic weapon has a defined blast radius; you know what it's going to do and, once it's been used, that's it," said Beckett. "If you release a cyber-weapon, particularly over the internet, you cannot guarantee what will affected and where."
By way of example Beckett noted that Stuxnet, a very heavily targeted computer worm that the United States, with possible Israeli assistance, used to disable Iranian uranium enrichment facilities in mid-2010, "also affected a car plant in the US, which was shut down for several months because they were using the same centrifuges [as the Iranians] to purify paint".
Interestingly, he noted that Stuxnet had been "in the wild" on the internet for two years before finding its way into Iran's nuclear facilities.
Beckett was speaking in light of the 28 September announcement by UK Defence Secretary Philip Hammond that, as part of a GBP500 million (USD805.6 million) initiative by the UK Ministry of Defence to create a Joint Cyber Reserve Unit, the UK would also be developing an offensive cyber capability. Asked by IHS Jane's if Hammond was right to signal the UK's development of an offensive cyber capability, Beckett replied: "We have seen, over the years, America is doing it, the Chinese do it, the Russians do it. I think it was right to say that the UK has such a capability because it does have a deterrent impact, but we just have to be careful how and when we use it."
The potential use of a cyber-weapon "because it is cheap, because it can be done at a distance, because it can be done without bloodshed, might seem attractive, short term, to politicians, [but] you can't guarantee that," Beckett warned. "You can't guarantee that it won't be used against you or your allies, and a lot of thought needs to go into the decision to deploy a cyber-weapon as a solution."
He noted that "the safest way is to attack organisations that are disconnected from the internet and have cyber-weapons delivered by special forces or intelligence agencies, maybe using social engineering so you actually deliver it to the home PC of somebody who works in your target organisation".
Beyond the unintended consequences of using cyber-weapons, Beckett noted that another drawback to their use was that "people get to see it", potentially allowing an adversary - or any hacker in cyberspace - to retarget a nation state's cyber-weapon. "You're arming the very people you're fighting against," he said, warning that "the potential for fallout is huge" and that, for example, the "supremely elegant coding of Stuxnet" was now out there in cyberspace: "a ready-made cyber-weapon waiting to be retargeted".
Beckett also warned of the threat from countries where an absence of cyber-related legislation allows individuals to commit cyber crime without fear of prosecution.
Further to this, he noted that a number of countries typically hostile to the West can harness such individuals and effectively "punch above their weight" in terms of their offensive cyber capabilities.
Comments
Post a Comment