The tension between the UK and Russia following the poisoning of former spy Sergei Skripal and his daughter Yulia has escalated – with British prime minister Theresa May indicating that a cyberattack could be one option of retaliation against the alleged involvement of Vladimir Putin’s regime.
Serious concerns have been expressed about the potential risk to people living in the English city of Salisbury who may have been exposed to the poison, which the British government has confirmed is a Soviet-manufactured, military-grade nerve agent known as Novichok.
The prime minister recently told MPs that “extensive measures” could be unleashed against Russia if the country failed to offer up a clear explanation about the events surrounding the use of the nerve agent on the Skripals. But, besides the sanctions and political manoeuvring which include the expulsion of 23 Russian diplomats, there are other options on the table.
The Conservative MP, Mark Harper, asked May on March 12:
Will she confirm that, if Her Majesty’s government conclude that there was unlawful use of force by the Russian state, we possess a considerable range of offensive cyber-capabilities that we will not hesitate to deploy against that state, if it is necessary to keep our country safe?
To which the prime minister responded:
We, of course, will look at responses across a number of areas of activity, should it be … that we conclude that this action does amount to an unlawful use of force by the Russian state here in the UK.
A state-sponsored cyberattack from the UK could lead to severe consequences for Russia’s digital infrastructure, which underpins its machinery generating propaganda and disinformation.
But it’s incredibly rare to hear such strong rhetoric from the British government in response to an incident in the full glare of public scrutiny, as opposed to a covert espionage effort. So is the UK’s official position on offensive cyber operations finally shifting?
Given the history of information warfare the Russians have been embroiled in, such a vocal threat from May’s government doesn’t come as a complete surprise. For over a decade now, Putin’s regime has been associated with an increasing weaponisation of the web: from a full-blown botnet attack on Estonia’s digital infrastructure in 2007 to NotPetya – a major malware attack that hit the globe just last year with the largest number of incidents being reported in Ukraine.
Britain’s possible cyber options
Russia’s state-supported media outlets and information portals are an obvious first target. They have been known to spread hate and propaganda on social networks and provoke civil society into online malicious campaigns. Any such effort to nefariously propagate and magnify influence in cyberspace should be weakened.
Any Russian asset used to carry out intelligence, espionage and cyber warfare operations – from government websites to internet connectivity infrastructure – could be deemed a legitimate target.
Various parts of the dark web could also be potential targets for the UK. It has been linked to Russian mafia and organised gangs, many of whom operate thriving criminal syndicates and have the backing of oligarchs who profit from cyber crime, drug smuggling and human trafficking.
But challenges remain around the international laws that govern any declared targeted response, and talks on the need for cybersecurity coordination on a global scale are only just emerging.
The Tallinn Manual – a non-binding consensus of legal experts on cyber operations – merely suggests that targets should “cause the least danger to civilian lives and to civilian objects”. It’s left open to wide interpretation, meaning any choice of a target, such as Russia, is problematic in a world where telecommunications and internet infrastructure is increasingly under joint public and private ownership.
If the UK were to respond to the Skripal attack with an offensive cyber operation against Russia, it would ultimately serve as a blatant provocation in the current climate. A retaliatory attack is highly plausible, which has a real risk of escalation given possible hype around cyber warfare.
Political rhetoric may get carried away, but a sense of reality should prevail over the UK’s critical dependency on digital infrastructure, be it from ordinary broadband access and mobile phone services to systems of critical and national importance, including energy grids, water treatment plants, transport systems and healthcare.
In a well-timed, if presumably coincidental announcement, the UK’s Ministry of Defence recently said it was opening an academy to train military personnel to help them respond to cyber threats.
Mark Lancaster, who is the armed forces’ minister, said: “Cyber threats to the UK are constantly evolving and we take them very seriously. That’s why the Defence Cyber School is so important. It’s a state-of-the-art centre of excellence that will train more personnel across defence and wider government in dealing with emerging threats.”
The minister’s remarks came just four days after the nerve agent attack on Sergei Skripal and his daughter – both of whom remain critically ill in hospital.