To distract attention from having fired one fifth of the army, the Conservative defence secretary Phil Hammond needed something positive, whizzy and modern to tell his party members (average age: 68) at their conference last weekend. What better than to announce how go-ahead Britain is in all things cyber and defence? Well, he went one better, and announced that the UK will soon have the power that dare not speak its name; cyber strike capability.
You see, just as ‘everyone knew’ that the NSA was eavesdropping on all manner of phone and Internet traffic, including that of the US’s supposed allies, everyone also knows that the US, Russia, China, Israel, Iran– and probably North Korea if they can string together some cast-off Lenovo servers with galvanised wire – everyone is developing and has in some manner already deployed the ability to attack other countries’ critical networked infrastructure. It’s just that no one wants to admit to it.
Yes, the US’s bashful aw shucks ‘we sure would love to have invented Stuxnet, it’s so dang smart’ wink wink nudge nudge routine as good as confirmed that American cyber strike capability (with a little help from Israel) is not just a war-game scenario. And yes, the Russian state via its proxies knocked out most of Estonia’s official web presence and e-government capability six years ago already, by way of a stern warning to NATO that pre-dated the whole Georgia / Ossetia thing. But the difference is these members of the club only boast about it in semi-private, and to people whose access to information and continued relationships depend on their ability to hug the secrets close and only dispense them in a roundabout fashion and after the fourth drink. The first rule of fight club, and so on.
The reason for this false modesty being, only Bad Guys launch cyber attacks. So everyone is allowing everyone else to pretend they are only developing defence capability, and would never do anything so hostile as to prepare an attack. It’s a bit like the Cold War, except with missile defence but no missiles. (Which is just as well, as parading across Red Square behind a couple of Dell servers is not very stirring.)
Why so coy? Partly because cyber attacks focus not just on military targets but on infrastructure such as energy or financial centres. Attacking purely civilian targets is verboten, and this international agreement has recently been stretched to cover networked assets, not just physical ones. And partly because if another country admits to committing an act of war against you, it puts you in the rather awkward position of having to retaliate. Plausible deniability works both ways.
So Hammond’s entirely willful statement that the UK is developing “full spectrum military cyber capability, including a strike capability” must have come as an unwelcome surprise to the Foreign Office and security services. Truth be told, Hammond’s intended audience was wider than Sunday’s blue rinses. Just as in the US, cyber-defence was the cue for a massive bun-fight on turf and cash between intelligence agencies and the military, Hammond is getting his lumps in first. He simultaneously announced the creation of a rather unfeasible sounding cyber-defence reserve.
Hammond’s astonishing faux pas is probably not bad domestic and intramural politics for him, but it creates a bigger problem for the UK. Do (publicly)-as-you-would-be-done-by has been till recently a pretty good approach to all things cyber and international. But Snowden blew a lot of that useful hypocrisy away. Much of Britain’s laudable public positioning on the open Internet, freedom and security is now hollow.
Consider this speech by Foreign Secretary William Hague a year ago on why the UK and other states need to beef up their security;
“In another case, a large international manufacturer was targeted during a period of negotiation with a foreign government. We do not know how the company’s networks were initially penetrated. But the company later identified that the hackers had accessed the accounts of the company’s entire leadership team during the negotiations. Their significant commercial interests were clearly threatened by this loss of confidentiality.
Attacks of such scale and severity continue to compromise many millions of pounds of investment in research and development, damaging a company’s ability to defend its Intellectual Property Rights and wiping away years of sensitive negotiations and commercial positioning. If these attacks are left unchecked they could have a devastating impact on the future earning potential of many major companies and the economic wellbeing of countries.”
All very reasonable as a cause of concern until you roll forward twelve months and think; Petrobras, Brazil, Roussef. Pot. Kettle. Black.
So when it comes to intentionally blowing away the useful hypocrisies* that kept the world of cyber diplomacy spinning round, Phillip Hammond has a lot in common with Edward Snowden.
The problem now is that the Russians and Chinese gained endless rhetorical cover both to retaliate against us and further develop their own bowdlerised Internets as technologies of political control. Rhetoric has real-life consequences, and the long game they are playing at the UN to win allies and exert intergovernmental control over the global Internet has been given a massive boost.
On one hand, Hammond’s punchy and self-serving revelation undercuts the ability of the UK to pursue with a straight face its current line on Internet openness and security. That hurts all of us working for a global, end to end network where permission to innovate – technologically and politically – is baked in to the protocols.
On the other hand, maybe it’s time to end the phoney war and bring into the relative open the process to spell out and agree how nation states will conduct themselves offensively and defensively in cyber space.
- Henry is co-writing an article on Snowden and the useful geopolitical hypocrisies he’s exposed, and I’ve borrowed the phrase.