The Government’s secrecy over cyber attacks leaves us vulnerable and deluded


On Tuesday James Cleverly, a Foreign Office minister, answered MPs’ questions about the Chinese state’s hacking of some of Microsoft’s digital infrastructure. This followed a carefully coordinated statement by 39 countries, led by the US and the UK, calling out Beijing for this egregious attack which not only facilitated large-scale spying, but left thousands of US organisations vulnerable to further attack from criminals. Only a very sophisticated FBI operation removed the latter risk.

The MPs were uninterested in such technicalities; they were there for China policy, not computers. All they wanted to know was what the Government was going to do in response.

Mr Cleverly talked about a “robust” response, but said specific actions were just too secret to discuss. “We are taking action, not all of which I can talk about at the Dispatch Box”, he said, one of three occasions where he invoked operational confidentiality to bat away concerns. Citing secrecy to avoid scrutiny when in a difficult spot is hardly new. But what was gloriously unusual this time was the loud groans from across the chamber indicating deep and entirely justified scepticism.

The Government was hinting yet again at covertly using Britain’s own offensive cyber capabilities – hitting back at cyber attacks with cyber attacks of our own. This approach goes all the way back to 2013, when then defence secretary Philip Hammond told the Conservative Party conference that the UK would “build a dedicated capability to counter-attack in cyber space and, if necessary, to strike in cyber space”.

This was formalised last year when the Prime Minister announced the creation of a National Cyber Force. And this concept of “cyber power” was at the heart of the Integrated Review. The message has been loud and clear for years: the UK will defend and assert its interests on an invisible digital battlefield, and cyber adversaries will be magically and secretly brought to their senses.

The only problem with this is that it doesn’t work, at least when it comes to deterring authoritarian states like China or Russia. Offensive cyber has its uses: it can and has been used against terrorists like so-called Islamic State to disrupt their battlefield preparations and propaganda operations. It may also be used against online child-sex abuse rings and organised cyber criminals.

But what sort of retaliatory “cyber strike” would we undertake against the Chinese state? Sure, we can try to harass Chinese hackers and undermine their infrastructure: that’s a cost of doing business for them rather than a response from us. But what’s beyond that? A replica cyber strike endangering digital infrastructure in China? An attack on Chinese critical infrastructure on which the wellbeing of innocent civilians depends? Why would we do those things and more?

These limitations of the use of cyber capabilities are poorly understood. Secrecy exacerbates that. Offensive cyber operations have the same classified status as special forces. That can be justified for operations. But the doctrine around its use is hardly ever debated. That risks poor policy choices in two different ways.

First, it means genuine policy choices aren’t properly evaluated. It is simply not acceptable to push away legitimate questions about responding to China, whether on a Winter Olympics boycott or our own economic and technological resilience, by citing unspecified secret activity, especially when that activity is a mixture of the fictional and ineffective.

Second, secrecy prevents a debate on our online security posture. Being a cyber power is not risk free, as the Americans found out when some of their capabilities were stolen and sold. And most importantly, secrecy restricts the most critical debate of all – are we in favour of a safer internet or not? Over-reliance on offensive cyber incentivises weaker cyber security because that makes the job of our lawful hackers easier. But our free, open and digitised Western societies have far more to lose from internet insecurity than to gain by exploiting the digital insecurity of others.

Dealing with China and cyber insecurity involve many complex issues. “We’re hitting back in secret” just isn’t good enough, especially when in reality, we’re not, and won’t be.

Ciaran Martin is a professor at the Blavatnik School of Government, Oxford University. He was the founding chief executive of the National Cyber Security Centre.


