Openness and offensive cyber: Neil Ashdown

Offensive cyber capabilities are among governments’ most closely held secrets. As such, a public speech by a former senior intelligence official about these capabilities is rare. It is even more unusual for such a speech to call for more open debate on the topic.

On the 10th of November, Ciaran Martin gave a speech entitled ‘Cyber weapons are called viruses for a reason: statecraft, security and safety in the digital age’. Although he spoke in his capacity as a Visiting Professor at King’s College London, Martin had an illustrious career in UK government, including as the founding chief executive of the National Cyber Security Centre (NCSC) in 2016.

The UK intelligence agencies have been moving towards greater public engagement. Sir Alex Younger, then the chief of the Secret Intelligence Service (SIS), gave what the service described as a “rare public speech” on the future of espionage at the University of St Andrews in 2018. His successor, Richard Moore, retained his personal Twitter account after stepping into the role, changing his username to @ChiefMI6.

These official activities represent a welcome change from the days when the agencies’ public relations were conducted solely through informal contacts in the press. However, it is likely that informal interventions – such as speeches by former senior officials – continue to play a role in the agencies’ public engagement strategy.

Sir Alex has given several public interviews since leaving SIS. In one interview, with Angelina Jolie, he called for us to be “training ourselves, training our kids” to think critically about possible disinformation. Another prominent former official, Sir David Omand, has recently released a book called ‘How Spies Think’, advocating the use of intelligence analysis methods to combat disinformation.

Sir Alex’s statements and Sir David’s book suggest that the agencies see a pressing need to encourage the development of critical thinking skills among the general public. More broadly, there are a host of issues where the agencies have realised that the benefits of engaging with the public outweigh the risks involved in speaking out about their secret activities.

Martin made a similar point in his speech on 12th of November: “isn’t the lesson of the successes of cyber security in the UK over the past few years that transparency is not just more possible than we thought it was, it is hugely advantageous because sharing information about risk helped people manage it?”

Martin’s speech advocated greater openness about the UK’s offensive cyber capabilities. To this end he proposed a framework – called HACKS – defining five levels of offensive cyber operations of increasing intensity. While applauding the UK’s use of capabilities at the lower end of this scale against non-state groups such as the Islamic State, Martin urged restraint in the development and use of high-end offensive capabilities.



                                           Martin’s HACKS framework. Used with permission.

Rather than viewing cyber purely as a “domain of military and national security operations”, Martin urged his audience to think of cyber as an “environment” – an environment upon which we increasingly depend for every aspect of our daily lives. In this environment, Martin said, “one could consider cyber attacks as, say, a pollutant, or, a cause of illness like a virus.” In this analogy, he suggested, offensive cyber capabilities are akin to biological or chemical weapons.

Martin’s argument in favour of restraint carries weight precisely because it comes from a former senior official speaking publicly about normally secretive matters. Seen this way, his speech parallels Sir David’s decision to write a book about intelligence analysis. In both cases, well-placed former intelligence officials have offered the public tools to think about complex issues. The public debate is richer for their involvement.

Nonetheless, we should not uncritically accept such interventions. For example, Martin’s framework carefully focuses on offensive uses of cyber, rather than cases where cyber is used “just to spy”. Martin makes a convincing argument about the risks of high-end offensive capabilities. However, because the HACKS framework does not cover espionage, someone swayed by his argument could come away with the impression that there are no similar ‘environmental’ concerns about cyber espionage.

Such a conclusion is debatable. The paradigmatic examples of cyber weapons that Martin cited, the Wannacry and NotPetya malware, spread so widely in part because of their use of the EternalBlue exploit. This exploit, which was leaked online in 2017, allows an attacker to remotely execute code on a vulnerable machine – a capability that would be just as useful for espionage as for delivering offensive capabilities.

To extend Martin’s environmental analogy, if offensive cyber resembles a damaging virus, then espionage resembles a parasite that remains undetected within its target. The public health response to both threats is very similar – cutting down transmission and improving people’s defences against the infection. The capabilities that allow the UK to penetrate an adversaries’ defences to conduct offensive operations are by and large the same as the ones that allow spying. The environmental risks are not restricted solely to high-end offensive operations as the HACKS framework might suggest.

None of this is to downplay the value of Martin’s speech, both for its content and as an example of greater openness on a formerly sensitive topic. Rather, there is a broader tension here: when expertise on a topic is concentrated in classified environments, the public is unusually reliant on what current and former officials are willing to divulge. The desire to encourage more public openness should not make us uncritical about those statements that do emerge.

Comments

Post a Comment

Popular posts from this blog

Post-PhD thoughts on the Cyber Security field: Amy Ertan, 2017 CDT Cohort, now Cyber and Hybrid Policy Officer at NATO HQ in Brussels.

It has been just over a year since I successfully completed my viva – a milestone that initially felt both terrifying and insurmountable when I first joined the CDT. Now, I have the privilege of reflecting on my PhD journey and how its opportunities have shaped my present. I also wish to inspire curious students to embrace the full potential of the CDT and similar programs.   When I first came across the CDT application form, I initially envisioned transforming from a disillusioned city worker into a technical cyber security wizard, focusing on governance or incident response – as those were the only cyber security functions I was familiar with at the time. Very quickly, the CDT taught me that cyber security encompasses a vast and comprehensive range of approaches, offering me a holistic perspective on the field. Supported by the CDT, I engaged with exciting research and practitioner communities to learn about security governance, feminist and critical approaches, geography, the philos
Read more

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

Image
Introducing the project The shift to remote working represents a huge shift for employees and organisations alike, introducing significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post will give an overview of a section of this project, how remote working impacts cyber security. In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post will offer a high-level overview of how the cyber threat landscape was impacted for many organisations and may further change organisational cyber resilience. Remote workin
Read more

New Publication: Remote Working and (In)Security?: Amy Ertan

Image
A recent research report by CDT researchers Amy Ertan and Georgia Crossland has been published with the Research Institute for Sociotechnical Cyber Security (RISCS). The report examines ‘The Impact of Pandemic-Driven Remote Working on Employee Wellbeing, the Psychological Contract and Cyber Security’, with research carried out through a series of interviews with senior cyber security colleagues between January and April 2021. The full report can be found on the RISCS website: New publication: Remote Working and (In)Security | RISCS. Context In the UK and around the world, the impact of COVID-19 represented a total shift away from what was considered ‘normal living’. One aspect of this change was the rapid transition to remote working as people were encouraged to work from home and limit contact with others as far as possible through repeated lockdown conditions. Fellow CDT colleague Georgia Crossland and I were curious to explore how remote working has impacted the experiences - and se
Read more