Openness and offensive cyber: Neil Ashdown

Offensive cyber capabilities are among governments’ most closely held secrets. As such, a public speech by a former senior intelligence official about these capabilities is rare. It is even more unusual for such a speech to call for more open debate on the topic.

On the 10th of November, Ciaran Martin gave a speech entitled ‘Cyber weapons are called viruses for a reason: statecraft, security and safety in the digital age’. Although he spoke in his capacity as a Visiting Professor at King’s College London, Martin had an illustrious career in UK government, including as the founding chief executive of the National Cyber Security Centre (NCSC) in 2016.

The UK intelligence agencies have been moving towards greater public engagement. Sir Alex Younger, then the chief of the Secret Intelligence Service (SIS), gave what the service described as a “rare public speech” on the future of espionage at the University of St Andrews in 2018. His successor, Richard Moore, retained his personal Twitter account after stepping into the role, changing his username to @ChiefMI6.

These official activities represent a welcome change from the days when the agencies’ public relations were conducted solely through informal contacts in the press. However, it is likely that informal interventions – such as speeches by former senior officials – continue to play a role in the agencies’ public engagement strategy.

Sir Alex has given several public interviews since leaving SIS. In one interview, with Angelina Jolie, he called for us to be “training ourselves, training our kids” to think critically about possible disinformation. Another prominent former official, Sir David Omand, has recently released a book called ‘How Spies Think’, advocating the use of intelligence analysis methods to combat disinformation.

Sir Alex’s statements and Sir David’s book suggest that the agencies see a pressing need to encourage the development of critical thinking skills among the general public. More broadly, there are a host of issues where the agencies have realised that the benefits of engaging with the public outweigh the risks involved in speaking out about their secret activities.

Martin made a similar point in his speech on 12th of November: “isn’t the lesson of the successes of cyber security in the UK over the past few years that transparency is not just more possible than we thought it was, it is hugely advantageous because sharing information about risk helped people manage it?”

Martin’s speech advocated greater openness about the UK’s offensive cyber capabilities. To this end he proposed a framework – called HACKS – defining five levels of offensive cyber operations of increasing intensity. While applauding the UK’s use of capabilities at the lower end of this scale against non-state groups such as the Islamic State, Martin urged restraint in the development and use of high-end offensive capabilities.



                                           Martin’s HACKS framework. Used with permission.

Rather than viewing cyber purely as a “domain of military and national security operations”, Martin urged his audience to think of cyber as an “environment” – an environment upon which we increasingly depend for every aspect of our daily lives. In this environment, Martin said, “one could consider cyber attacks as, say, a pollutant, or, a cause of illness like a virus.” In this analogy, he suggested, offensive cyber capabilities are akin to biological or chemical weapons.

Martin’s argument in favour of restraint carries weight precisely because it comes from a former senior official speaking publicly about normally secretive matters. Seen this way, his speech parallels Sir David’s decision to write a book about intelligence analysis. In both cases, well-placed former intelligence officials have offered the public tools to think about complex issues. The public debate is richer for their involvement.

Nonetheless, we should not uncritically accept such interventions. For example, Martin’s framework carefully focuses on offensive uses of cyber, rather than cases where cyber is used “just to spy”. Martin makes a convincing argument about the risks of high-end offensive capabilities. However, because the HACKS framework does not cover espionage, someone swayed by his argument could come away with the impression that there are no similar ‘environmental’ concerns about cyber espionage.

Such a conclusion is debatable. The paradigmatic examples of cyber weapons that Martin cited, the Wannacry and NotPetya malware, spread so widely in part because of their use of the EternalBlue exploit. This exploit, which was leaked online in 2017, allows an attacker to remotely execute code on a vulnerable machine – a capability that would be just as useful for espionage as for delivering offensive capabilities.

To extend Martin’s environmental analogy, if offensive cyber resembles a damaging virus, then espionage resembles a parasite that remains undetected within its target. The public health response to both threats is very similar – cutting down transmission and improving people’s defences against the infection. The capabilities that allow the UK to penetrate an adversaries’ defences to conduct offensive operations are by and large the same as the ones that allow spying. The environmental risks are not restricted solely to high-end offensive operations as the HACKS framework might suggest.

None of this is to downplay the value of Martin’s speech, both for its content and as an example of greater openness on a formerly sensitive topic. Rather, there is a broader tension here: when expertise on a topic is concentrated in classified environments, the public is unusually reliant on what current and former officials are willing to divulge. The desire to encourage more public openness should not make us uncritical about those statements that do emerge.

Comments

  1. Fascinating exploration of offensive cyber tactics! Just like DVHosting provides robust hosting solutions, understanding offensive cyber strategies is crucial for maintaining a secure digital landscape!

    ReplyDelete

Post a Comment

Popular posts from this blog

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

New Publication: Remote Working and (In)Security?: Amy Ertan

The Artificial Intelligence Monster: Nicola Bates