Cyber catastrophe on the horizon
Robert Hannigan, former Director of GCHQ, explains why escalating international tensions could have catastrophic consequences in cyberspace.
A devastating “Tier One” cyber attack, able to cripple parts of the UK’s infrastructure and lead to serious harm – even death – to individuals, is increasingly likely to occur for the first time in the next few years, says Robert Hannigan, former Director of GCHQ, the UK’s intelligence and security agency.
Such an attack “would be damaging to people’s lives and finances” says Hannigan, now a special advisor to Hiscox, in an interview with Matt Webb, Hiscox’s Cyber Chief Underwriting Officer. Although the WannaCry attack in 2017 caused mass disruption and crippled parts of the NHS when their computer systems were locked by ransomware, it was not classified as a Tier One attack.
“Given the way that some nation states are behaving quite recklessly, then it [a Tier One attack] has become more likely – either because they plan to do it or because they miscalculate. It’s very hard in cyberspace to understand the consequences of your attack – they go way beyond what you think they will be,” Hannigan says.
Escalating tensions between the West and Russia, China and Iran are leading to an increased cyber threat. “Geopolitics is reflected in cyberspace,” Hannigan says. “If the nuclear deal with Iran falls apart then I think we would expect to see an increase in Iranian cyber attacks. It has been quite a sophisticated cyber actor, going after financial institutions in the US in 2011-12. They have... been relatively quiet in recent years, but we would expect a rise in their activities.”
The same is true with Russia. “We’ve seen a big increase in their cyber activity in recent years, matching their aggression in the real world.”
Businesses at risk
Companies now face a direct threat from cyber attacks by foreign powers. “Five years ago, we would have said they wouldn’t have needed to worry about nation-state attacks [as] governments would take care of those. These days, that’s not true. The two biggest attacks last year – WannaCry and NotPetya – were [by] North Korea and Russia. States are leaking tools and techniques to criminal groups. It’s a strange mixture now of high-end sophistication, nation state and criminal. [Those are] hard to protect against, but can be done.”
The National Cyber Security Centre was set up by Hannigan in 2017 to help the UK prepare and defend against a major cyber attack. Information sharing about potential threats between the public and private sectors “is pretty good”, he states, saying that the government shares over 90% of the software vulnerabilities it knows about. Full disclosure isn’t desirable, he argues: “Government’s first responsibility is cyber defence. If they don’t hold back anything at all then effectively they can’t do their job.”
He played down the likelihood of the UK launching cyber attacks against foreign powers. “It’s not always straightforward to hack back… It’s very often better to do other things, like diplomatic action or economic sanctions." But he adds: “It’s important to have a capability, if only to deter others.”
Publicly accusing countries of launching attacks can be a potent weapon, Hannigan argues. “It’s important to raise the cost for attackers... It’s not obvious or easy for you to hit back, but what you can do is name and shame them and make it clear that if they do it again they can’t get away with it. That has definitely helped…with North Korea and Russia.”
Running for cover
Cyber attacks will increase in volume and sophistication, Hannigan says, and there are also new threats on the horizon. Billions of new internet-enabled devices, from household gadgets to industrial control systems will be added to the worldwide web through The Internet of Things. “That is potentially very worrying because they tend to have minimal security built in.” There will also be millions of new internet users as more people go online for the first time, while companies are increasingly moving their data and processing into the cloud, creating extra security challenges.
Governments and technology giants are racing to develop new cyber defences to protect the massive rise in the volume of online data. The internet, says Hannigan “was not developed with security in mind [so] we are trying to retrofit security onto it.” Those innovations will reduce the risk in the decades to come. “I’m optimistic in the long term, but in the short term I’m afraid it’s going to get worse before it gets better. “
Cyber insurance can play a key role in protecting companies, says Hannigan. “Insurance can help you to do the right things to prevent attacks, and, if you are hit, it can help get you back on your feet quickly,” Hannigan says. “Big business is really suffering as a result of cyber attacks in the last couple of years…It can absorb those costs to an extent but actually they’re significant hits… For a small business [insurance] can be the difference in survival or not.”