Our response to Russian cyber-attacks is feeble

By Edward Lucas

(First published in The Times of London)

We overreact to terrorism but overlook online threats that can inflict fundamental harm

Few readers will be familiar with Titan Rain, Moonlight Maze, SolarWinds and WannaCry, but they are the online counterparts of Dunkirk, Pearl Harbor and D-Day — battles that write history. These cyber-attacks have in recent years hit our economy, political system, infrastructure and peace of mind. The most damaging, NotPetya, a Russian cyber-sabotage operation aimed at Ukraine in 2017, inflicted $10 billion in damage on other countries. Not only do most people in the comfortable “Old West” scarcely recall these episodes. We have no memory of the devastating counter-strikes launched in retaliation. But here the fault lies not with us, but with the guardians of our security. As Lucas Kello, an Oxford University academic, outlines in a new book, Striking Back, our response over decades has been too feeble to deter these attacks. The result: we face more of them.

One reason is that we do not fully understand the threat. We have woken up belatedly to the fact we live in an era of geopolitical competition, in which revisionist, illiberal powers, chiefly Russia and China, are trying to break the western-led world order (Iran and North Korea are disrupters too). This struggle is somewhere between outright war and real peace. Kello calls it “unpeace”, meaning “interstate conflict waged below the level of armed force”. Military conquest, as Russia has found with its bridge to Crimea, is messy and risky. Much better is to attack the enemy’s political and economic system. This disrupts decision-making, degrades the functioning of the state and demoralises public opinion. Why fight a war when you can win the peace?

The approach has deep roots, in works by the Renaissance philosopher Niccolò Machiavelli and, 1,000 years earlier, the Chinese general Sun Tzu. Lenin and Stalin would recognise the Soviet dirty-tricks toolkit known as “active measures”: these include assassination, blackmail, bribery, explosions, forgery, kidnapping and subversion. All are still in use. But modern technology adds anonymity, ubiquity and speed, making these tactics, and the strategy behind them, far more effective. The battlefield nowadays is the internet; the targets are our computers, and the confidentiality, integrity and availability of the information we store on them.

The Chinese speciality is espionage. One element is the wholesale theft of commercial secrets, fuelling the rise of China’s high-tech industries. Another is stealing swathes of personal information, such as health records, hotel bookings and credit ratings. Artificial intelligence trawls and sifts this data for patterns and anomalies, seeking threats and weaknesses of relevance to Chinese interests.

Russia’s forte is meddling, chiefly sabotage and lies. Its most recent public stunt in this country was a simple swamping attack on the MI5 website last month. (A more serious, secret effort a few years ago targeted the MI6 recruitment portal.) The Kremlin’s headline success is still its influence operation on the US political system in 2016, when its hackers stole emails from Hillary Clinton and senior Democrats and leaked them. American journalists should have queried the source of the material. Instead they focused on what it revealed: backbiting, policy wobbles, and attempts by party chiefs to derail Clinton’s rival for the nomination, Bernie Sanders. Her presidential bid never recovered from the unsurprising revelation that politics involves machinations, and that public and private behaviour differ. Russia tried a similar hacking-and-leaking tactic to derail Emmanuel Macron’s campaign in 2017. French journalists were savvier and largely shunned the material.

We wildly overreact to terrorism, imposing huge inconvenience on daily life and shredding civil liberties, but naivety, legalism and timidity mean we overlook attacks from countries that seek to inflict more fundamental harm on us. If violent extremists targeted a British election, for example, officialdom and the public would be outraged. But as a report by the Intelligence and Security Committee of the British Parliament lamented in 2020, MI5 appeared to miss completely the Russian interference with the 2014 Scottish independence referendum.

Such attackers risk little. Sanctions are ineffective. Asset freezes and visa bans hold few terrors for Russian rumour-mongers, North Korean generals or Chinese military hackers. Legal remedies are too flimsy: it is hard to prosecute people who live in lawless countries. At the same time, the law strictly constrains any response involving the use of force.

We need an urgent rethink. One element is better defence, involving close co-operation between private and public realms. We should pay particular attention to the security of information. Authentic public debate is at the heart of our political system. But unscrupulous attackers can exploit our reverence for free speech.

Making attacks less effective is a form of deterrence: countries such as Finland that work hard on resilience become unattractive targets. Yet we also need punishment. Kello suggests that collective responses, ideally through Nato or coalitions of the capable, will be more effective than a single country acting alone. His main notion is “punctuated deterrence”, in which the accretion of mischief prompts abrupt, punitive responses. He gives few specifics, but one could imagine options ranging from drone strikes to asset seizures — and of course cyber-attacks. The vital point is to worry less about escalation and more about the cost of not responding. If Putin chooses to lash out against the infrastructure or financial systems of Ukraine’s western backers, he will do so with a well-founded sense of impunity.

Edward Lucas writes a column for The Times of London