Britain has thankfully managed to avoid economy-wide cyber-attacks to date, but with Russia’s invasion of Ukraine, increasing sanctions, and the threat of Russian reprisals in response, many people have started to ask: what might happen if a state used its cyber might against us?
Ukraine has been the testbed for nationwide cyber destruction over the past few years, courtesy of Russia, with many campaigns spreading further west. To get an idea of what we might face in the future, we should look at what happened in 2017.
It began as an intrusion through a popular tax accounting software platform called ME Doc. The attackers embedded themselves in this software and effectively used it as a trojan horse to deliver their ransomware to many businesses and individuals across the entirety of Ukraine. If you filed your taxes, it was likely you could no longer use your computer.
ATMs were taken down so no one could access their cash, card payment machines no longer worked, utility companies could not effectively provide their services, trains couldn’t run and media companies struggled to communicate. Computers all across Ukraine were hit by the same ransomware, known as ‘NotPetya’. Geography means little to the spread of data through our connected world so the attack moved well beyond the Ukrainian borders, impacting on some companies’ global operations. The disruption stretched as far as China, the US and Australia.
The key difference with this ransomware attack was that there was no ‘ransom’ at all. Unlike in attacks carried out by criminal groups, victims had no way to decrypt their data and unlock their systems in exchange for a sum of money. The intention here was clear: to cause damage to the country and its people. We can take this as a blueprint to understand what it might mean for us all if Britain were to be targeted.
Our connected society
Like Ukraine, the fabric of British society is connected through the internet; it makes it easy for a coordinated attack to spread. This could include the use of distributed denial of service (DDoS) tactics, ransomware and even the direct wiping of data.
A DDoS sends huge amounts of internet traffic towards websites to overload them. When targeted towards government institutions, this can impact a citizen’s ability to do things like renew a driving licence online: you’d just get an error page. When part of a significant cyber-attack, it could impact the government’s ability to communicate and coordinate with the entire population.
It is likely banking infrastructure would also be targeted. It would leave our banks fumbling around searching for back-ups. In the meantime, our financial system would grind to a halt, with no ability to take money out of ATMs, or take and receive payments.
Buying necessities like food and household products would be impacted. We wouldn’t be able to receive our pay or benefits. Coupled with the cost of living crisis, it would be the perfect catalyst to whip up civil unrest across the country.
Then the lights could go off. In the digital age, nothing is more valuable than a country’s power delivery system. Electricity providers could be locked out of their systems, seeking manual workarounds. Hospitals would be running on generators without access to their records and diagnostic machines. Other emergency services would struggle to communicate.
How can we navigate through the storm?
With such an interconnected system, it could take days or weeks to adapt. Even if we get back up and running, we’ll be contending with significant damage to our personal and commercial computing systems, from which it could take over six months to recover.
In the short term, every one of us will be reliant on local and national government to navigate the immediate paralysis, ensuring there’s no shortage of food or water. This means it is critical to encourage our local authorities to have plans in place to limit the impact of such an attack.
We’ll find ourselves reverting to many low-tech ways of doing things. It’s good practice to have hard copy backups of key personal documents and information – vaccine records, bank account numbers, the underlying keys to access any cryptocurrency stores.
Business owners need a cyber resilience strategy. This means having clear steps in place in case some or all systems go offline, so they can continue trading. The first step is understanding just how connected we, and our businesses, are.
The bottom line is we all need to be prepared for significant disruption to our lives, while encouraging our governments to prepare for a destructive cyber-attack. It’s less a question of if we will face one than when.