UK will retaliate against state-sponsored cyber attacks, Chancellor warns
Middle path between cheek-turning and all-out war
Microsoft Future Decoded Britain will strike back against nations launching cyber attacks on the UK’s critical national infrastructure.
Chancellor Philip Hammond promised retaliatory measures against state-sponsored hackers while unveiling an expanded $1.9bn, five-year national cyber security strategy.
Crucially this isn’t new money - Hammond’s predecessor George Osborne had announced this in November 2015, during the last spending review.
What was new was the pledge Britain would go on the offensive against attackers and not simply turn the other cheek. The alternative, Hammond, warned was armed war.
Also new was a sharper focus, announced by Hammond, around tactics and strategy around cyber security to protect the nation’s critical national infrastructure and business.
In October defence secretary Sir Michael Fallon said Britain had used cyber warfare against ISIS as part of the bid to retake the Iraqi city of Mosul.
“We will deter those who seek to steal from us, or harm our interests,” Hammond told Microsoft’s Future Decoded conference in London on Tuesday. “We will strengthen law enforcement to raise cost and reduce rewards,” he said of criminal attackers.
He promised the UK would “continue to invest in cyber defense capabilities - the ability to trace and retaliate in kind is likely to be the best deterrent.
“If we don’t have the ability to respond in cyberspace to attack that takes down power networks or air traffic control systems we would be left with the impossible choice of turning the other cheek or resorting to a military response - that’s a choice we don’t want to face.”
“No doubt the precursor to any state-on-state conflict would be a campaign of escalating cyber attack. We will not only defend ourselves in cyberspace but will strike back in kind when attacked.”
Moments before Hammond, who chairs the Cabinet’s cross-department cyber-security committee, had listed high-profile cyber attacks against other nation’s critical infrastructure.
He didn’t name those responsible, but many attendees inferred the attacks were sponsored by Russia.
He referenced the April 2015 takedown of French TV network TV5 initially blamed on ISIS but subsequently attributed to a group of hackers with links to the Kremlin. A power blackout in the Ukraine following an attack on power utilities has also been blamed on Russia-based hackers.
Moscow has backed separatists in the former Soviet republic seeking the reunification of the USSR.
Hammond asked that suggestions as to who might be behind those attacks should be written on a postcard and posted to No. 11.
Under the new cyber strategy, Hammond pledged a five-year plan to “work to reduce the impact of cyber attacks and to drive up security standards across public and private sectors.”
This would involve ensuring government networks are secure and see UK government “taking a more active cyber defence approach” using tactics such as automatic protection to secure UK users “by default”.
He pointed to the recent rollout of software to cut to zero an estimated 50,000 fraudulent emails a day from hackers purporting to be from HMRC offering tax refunds in order to obtain people's bank details.
Hammond promised “increased investment” in the “next generation” of students and experts and talked up the formation of a virtual link-up between universities to secure laptops, tablets and smartphones.
The Chancellor also laid responsibility for greater security at the feet of Britain’s chief executives.
Having name-checked TV5 and the Ukraine, he referenced last year’s TalkTalk attack - which is almost certainly not the work of a nation state. Altogether five suspects, all based in the UK, have so far been arrested in connection with the 2015 hack.
That breach saw details of 156,959 customers sprung with TalkTalk fined a record £400,000 by the Information Commissioner.
“CEOs and boards must recognise they have responsibility to manage cybersecurity,” Hammond said.
“Similarly, technology companies must take responsibility for incorporating the best possible security measures into the technology of their products. Getting this right will be crucial to keeping Britain at the forefront of digital security technology.” ®