In cyber-space, a strong defence should take precedence over arming ourselves with new weapons, the UK’s National Cyber Security Centre (NCSC)’s ex-chief has warned.
Ciaran Martin added that we “weaponise” and “militarise the internet at our peril”.
His remarks follow reports of the use of offensive cyber-techniques by nations, including the UK.
Mr Martin said he was not a digital pacifist, but he urged restraint.
“The case for cyber-restraint is a hard-headed one,” he said in a lecture to the Strand Group, part of King’s College.
“A more secure digital environment is the best guarantor of safety and security for Western countries in the digital age.”
The NCSC is the defensive arm of the intelligence agency GCHQ, Mr Martin was the division’s first chief executive, and stepped down from the role in September.
His comments come as the UK government is carrying out a defence and security review, which is expected to boost the nation’s cyber-capabilities.
“Where’s the red button?” a senior figure in government asked Mr Martin about the UK’s ability to carry out an attack early on in his tenure.
While he said understanding had moved on somewhat, he added there was still loose language, which revealed a “profound lack of understanding”.
And he added that there needed to be a more “cautious” and “realistic” approach.
The use of offensive cyber-weapons has been gathering pace.
The US is believed to have been the first to deploy one in the Stuxnet attack against the Iranian nuclear programme a decade ago
Russia has been linked to many high-profile attacks since then, including:
- taking down a French TV Channel in April 2015
- switching off a Ukrainian power grid in December 2015
- targeting Ukraine with a virus, known as NotPetya, in June 2017
Western countries have also carried out lower threshold cyber-attacks.
America’s NSA hit the infrastructure of cyber-actors in Russia, who were said to be trying to target the US elections.
And the UK, like the US, has publicly said it had targeted the electronic communications infrastructure of the group calling itself Islamic State.
Talk of cyber-attacks often fail to differentiate between different types.
Mr Martin outlined a five-tier structure using the acronym Hacks, rising in level of seriousness:
- Hacking an opponent to prevent them acting
- Adversarial infrastructure destruction, targeting their cyber-capabilities
- Counter-influencing by promoting information or pre-positioning cyber-weapons
- Kinetic attack to disrupt a target
- Systems-wide attack, effectively war
The danger, he argued, came from Western nations using the higher-end capabilities.
“What would we think if we turned on the TV and on the news was chaos across corporate Asia, for sake of argument, because a Western operation had gone viral?” Mr Martin asked.
Russia’s NotPetya attack was a reminder of the potential for unpredictable outcomes, after the virus involved spread beyond Ukraine and affected businesses worldwide.
Mr Martin also warned about the danger of cyber-weapons leaking out.
In one case, a US weapon was stolen, made public and then repurposed by North Korean hackers, who used it to unleash the WannaCry virus.
It spread around the world, hitting the UK’s NHS among others, in 2017.
“It is irresponsible for governments to plan on the basis that they can develop and store cyber-capabilities on the assumption that they will never leak or be stolen,” Mr Martin said.
But the greatest danger, he argued, is Western countries’ dependence on the net.
“Our societies will never be the winners from insecure technology and an unsafe internet,” he said.
“Therefore, we must be unambiguously in favour of safer technology.”
The former NCSC head called for more openness when it came to disclosing cyber-operations, especially since most currently focus on crime, terrorism and propaganda.
This week the government declined to comment on a report by the Times that GCHQ was targeting states that are spreading disinformation about a coronavirus vaccine.
And Mr Martin said national security officials must talk to civilian technologists to avoid there being two separate conversations without crossover.
It is sometimes said going on the offence is the best form of defence.
But in the case of cyber, defence is the best form of defence, Mr Martin argued.