I tweeted some thoughts on the news of the UK’s new cyber force, and thought I’d follow up with a short blog. The short background is that the UK government has announced a new £250 million joint MOD-GCHQ cyber force. The purpose of this is to fight terrorists/Russia/AN Other depending on who’s reporting you choose to read. All reports agree this will be ‘offensive’.
Before going any further it’s important to note that this is a story broken by The Times which has not yet officially been confirmed. The article says that ‘[cyber force] is expected to be announced soon’. Some other notable points include the price: ‘at least’ £250 million, that cyber force will have it’s own HQ, and that there were tensions between GCHQ and MOD on cyber issues.
So is this big news, good news or what?
I think for me, it definitely falls into the ‘or what’ category. Noting the above caveat about the lack of anything official, £250 million seems like a lot of money for something that has an unclear remit, and whilst the value of ‘offensive’ cyber remains so unclear. I have written a bit on the idea and challenges of effective cyber offence before – you can read some of my musing here and here.
To summarise, lots of people think ‘cyber attacks’ can be used to good effect by the military whilst having the benefit of being cheaper than bombs and F-35s, and that ‘hacking back’ against people targeting your organisations and allies is a good and effective idea. I don’t think either of those things are a given, and indeed I think we have grounds to believe they are both likely to deliver much less than promised.
Firstly, on the idea that the military can use hacking tools as effective weapons in a conflict. I cover this somewhat in both of the blogs posts I link to above, but to in short; hacking is a great tool for spies. You can be covert, gain long term access to networks and steal lots of useful information. However, military people like their weapons to have predicable effects at precise times. It’s less than clear that hacking is a viable means of doing this – yes, we have seen disruption of electricity supply in the Ukraine by (presumably) Russian state hacking groups. But, as I have noted previously, delivering a precise effect at a determined time is much more challenging. Successful hacking of hard targets requires a lot of planning, might not be feasible at all (maybe they are good at security? Or you don’t have a tool or vulnerability that will be useful in the target environment) and your access can be discovered and cleaned up at any time.
Likewise, the idea of hacking back is not necessarily a good one. Lots of hacking activity relies on compromising third party infrastructure to use as a stepping stone to your actual target. These third parties are themselves innocent victims, and hacking them back is fruitless. Even if you can find actual infrastructure owned and used by your adversaries, if you break it they can rebuild (and if they know this is a possibility can ensure that can happen quickly). Hacking back could be expensive, and achieve little.
Finally, and very briefly, lets talk about targeting terrorists. I wrote (yes promoting myself yet again!) about terrorist cyber activity some time ago, you can read it here, and yes it does seem that GCHQ have had some success against ISIS, as you can read here. But a notable caveat, from the article itself:
“He added that the effect of GCHQ’s cyberattacks are not permanent, as ISIS militants eventually figure out how to evade further attacks”
So, yes I concede against ISIS using hacking tools has had value. However a) this has been done already by existing structures, b) was temporary and c) was done against a relatively unsophisticated adversary. Which isn’t to take away from the achievement of course – any disruption of ISIS is a good thing, so well done GCHQ!
Get to the point!
My point is that, as leaked to the Times, it doesn’t seem to an outside observer that this is an especially good way to spend £250 million. GCHQ have achieved successes against ISIS, and that is a good thing, but this was done through existing channels and presumably cost a lot less than a quarter of a billion pounds.
The NCSC is a doing a good job. If government wants to spend more on ‘cyber’, and specifically on ensuring the UK is secure, then I think building better response structures and international partnerships would be a good start. Lots of information sharing networks exist, but they are often ignored in terms of new, shiny things labelled cyber.
Making the internet a tougher environment for any hackers to operate in would be a good for everyone. If you have ever reported hacked infrastructure to an ISP, you’ll know the typical response is poor to non-existent. Building up CERT capability, and slicker international information sharing, and improving the response times for pulling down malicious infrastructure overseas would be a good thing (the NCSC has had success domestically on this front).
On offensive cyber, whilst I understand that the MOD does not want capabilities made public, the public needs assurance that this is money being well spent. Defence does not have the best reputation for delivering on time and on budget – there is no reason to think cyber force would be any different, and lots of reasons to think it could be much worse, especially if the actual requirements and expectations are blurred to being with.
This has gone on longer than I intended, so I am going to stop there. It will be interesting to see what the cyber force actually looks like when an official announcement is eventually made.