Practically all commercial businesses rely on passive cyber defence. A company’s information assurance strategy depends on a combination of software, business processes and human resources; of these, the most important is the continuous education of the human resources, says John Curry MBCS.

Current security software is supported by procedures designed to reduce opportunities for vulnerability and enhance staff education. Staff need to understand the importance of not circumventing the systems designed to keep the business secure (and so at a most basic level, helping keep the business solvent and the staff in jobs).

The idea of an active defence is well-established at an international level in reducing crime. The British Royal Navy routinely intercepts and boards ships in international waters to attempt to reduce the flow of drugs into the UK.

It is reasonable to ask whether this policy should be extended to cyber operations. Moving from active defence to offence might include bringing down the servers that host IT facilities used by organised crime gangs in other nation states.

Their reliance on information, similar in some ways to that of any legitimate commercial business, makes them equally vulnerable to disruption of their IT facilities.

Some other countries take the view that the best form of cyber defence is offence. Colonel Hagestad, in his book Red Dragon Rising (summarised in ITNOW Summer 2012), argues that part of the reason for the People’s Republic of China’s aggressive cyber programmes is a genuine desire to protect the ‘Middle Kingdom’ (their phrase for China) from foreign threats.

Russia and North Korea have also been cited as states that initiate operations abroad to protect themselves from what they perceive as threats. Even western democracies have attacked other countries via the internet. In June 2012 The New York Times reported that US President Obama had ordered cyber-attacks to be launched against Iran’s main nuclear enrichment facilities.

The concept of the UK having an active defence was publicly raised in July 2012 with the publication of the Intelligence and Security Committee of the House of Commons Annual Report 2011-2012.

Chaired by the Rt. Hon. Sir Malcolm Rifkind, MP, the report challenged the establishment by stating that, while defence against the threats in cyberspace must be the priority, there were significant cyber opportunities for the intelligence and security agencies and the military that should be exploited in the interests of UK national security. In short, the UK should be hacking.

The House of Commons report suggested the development of the following capabilities:

  • active defence: interfering with the systems of those trying to hack into UK networks.
  • exploitation: accessing the data or networks of targets to obtain intelligence or to cause an effect without being detected.
  • disruption: accessing the networks or systems of others to hamper their activities or capabilities without detection (or at least without attribution to the UK).
  • information operations: using cyber techniques and capabilities in order to deliver information operations.
  • military effects: the destruction of data, networks or systems in support of armed conflict.

The last two need further explanation. Information operations means using the power of the internet to influence people’s opinions; a crude example would be using Twitter, YouTube and Facebook to encourage or discourage social unrest abroad.

The traditional military solution has been to conduct war largely through kinetic effects, e.g. bombing, but if it were possible to bring down the power grid of an enemy country by cyber means, this would have obvious advantages.

Part of the UK stance on intelligence goes back to Bletchley Park, where part of the success lay in concealing the knowledge that enemy codes had been broken. State-level hacking is seen as expensive, difficult and often a ‘one-shot’ capability. Once used, discovery renders the tool obsolete and another has to be developed. If the tool or malware used ‘gets into the wild’, it can have unintended consequences for allies as well as for the target.

A good example of the UK approach to cyber operations was the Mujahedeen Secrets operation in Afghanistan. Enemy messages were passed using software that employed 256-bit AES and 2048-bit asymmetric encryption, and they were very difficult and time-consuming to break.

The software itself was freely available on a website, but there are reports that at some stage the server was hacked and the software tampered with. The tampering was very subtle: the software was not altered in any way except to append an additional byte or two of null data to the file.

The MD checksum published on the site was also changed to match the new file, and the site was left to carry on. Eventually the users discovered that there were two versions of the software, both of which appeared to work but were slightly different.

This subtle attack spread fear, uncertainty and doubt about the software and the security of the encryption and was far more effective than an obvious intrusive hacking operation. Those responsible have now been forced to develop a new version of the software because of the lack of confidence in the old version.
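The lesson for anyone distributing or consuming software is that a checksum hosted on the same server as the download proves nothing once that server is compromised: whoever can alter the file can alter the checksum beside it. The following Python is an added illustration, not part of the original article and not the real software; it uses a constructed stand-in file and SHA-256 to model the two near-identical versions, shows that checking against the site’s own checksum passes for the tampered copy, and shows that a reference hash pinned from an independent channel (an earlier release, a signed announcement, a colleague’s copy) does detect the change.

```python
"""
Added example (constructed data, not the real Mujahedeen Secrets software):
why a checksum co-hosted with a download gives no integrity assurance against
server compromise, and why an out-of-band pinned hash does.
"""
import hashlib
import hmac

# Constructed stand-in for the genuine release binary.
ORIGINAL_FILE = b"MZ\x90\x00 constructed stand-in for the original release\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_null_padding(data: bytes, count: int = 2) -> bytes:
    """Model the alteration the article describes: the file is unchanged apart
    from one or two trailing null bytes, so it still loads and runs."""
    return data + b"\x00" * count


def publish(data: bytes) -> dict:
    """A download page hosting the file and its checksum side by side.
    An attacker who controls the server can rewrite both fields."""
    return {"file": data, "checksum": sha256_hex(data)}


def verify_against_site_checksum(page: dict) -> bool:
    """What a user does when trusting the checksum shown on the same page.
    This passes for any file whose checksum was updated alongside it."""
    return hmac.compare_digest(sha256_hex(page["file"]), page["checksum"])


def verify_against_pinned_hash(page: dict, pinned_hash: str) -> bool:
    """Compare against a hash obtained through an independent channel,
    recorded before the download site could have been altered."""
    return hmac.compare_digest(sha256_hex(page["file"]), pinned_hash)


def differs_only_by_trailing_nulls(a: bytes, b: bytes) -> bool:
    """True when the two versions are identical except that the longer one
    carries extra null bytes at the end: the 'both appear to work' case."""
    short, long_ = sorted((a, b), key=len)
    return long_.startswith(short) and long_[len(short):].strip(b"\x00") == b""


def demo() -> dict:
    # Hash captured out of band from the genuine release, before compromise.
    pinned = sha256_hex(ORIGINAL_FILE)
    honest_page = publish(ORIGINAL_FILE)
    tampered_page = publish(append_null_padding(ORIGINAL_FILE))
    return {
        "versions_look_alike": differs_only_by_trailing_nulls(
            honest_page["file"], tampered_page["file"]
        ),
        "hashes_differ": honest_page["checksum"] != tampered_page["checksum"],
        "site_checksum_passes_tampered": verify_against_site_checksum(tampered_page),
        "pinned_hash_passes_honest": verify_against_pinned_hash(honest_page, pinned),
        "pinned_hash_passes_tampered": verify_against_pinned_hash(tampered_page, pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical mitigation is the same in both directions: publishers should sign releases with a key that is distributed separately from the download server, and consumers should verify against that key or against a hash they obtained before the download, never against a value on the page they are downloading from. The null-byte trick is also a reminder that a file can be byte-for-byte different yet behave identically, so "it still works" is not evidence of integrity.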

As part of NATO, the UK has been active in exploring international law on cyber operations. The tiny country of Estonia hosts the NATO Cyber Defence Centre and in August 2012 the centre published the draft Tallinn Manual on the International Law Applicable to Cyber-warfare.

This aimed to lay out the international rules for conducting hostilities via the internet. Although still in draft form, the manual is likely to become the legal basis for many nations’ operations on the internet.

The concept of a cyber-war is currently a misnomer. Cyber-attacks such as the Stuxnet worm need a staggering amount of intellectual capital. The idea of even a nation state having large numbers of these cyber weapons prepared and ready to go at a moment’s notice is not realistic. Stuxnet itself used three zero-day exploits, which are rare and difficult to discover.

Any cyber-weapon can be rendered obsolete by the right patch within minutes of a vendor distributing the fix. As Major-General Shaw, the instigator of the British armed forces’ cyber strategy, stated, it is more productive to see cyber-war as cyber conflict. Skirmishes are happening every day across the internet. Intelligence is more likely to generate a sustained advantage in the long term than the short-term gains from offensive hacking.

In the new world of Wikileaks, it is harder to keep state secrets. An active cyber defence conducted by any area of UK government outside a UK legal framework would be vulnerable to sudden disclosure, leaving the staff involved and their immediate managers exposed to criminal prosecution or, at the very least, the termination of their careers. Even senior officers in the armed forces would not be immune.

The UK’s position has been largely to avoid ‘active’ cyber defence, but as soon as international law is settled regarding cyber conflict, it is unlikely that the UK will be slow to exploit new opportunities in cyber operations.