Of all the domains of defence today – sea, land, air, space and cyber – cyber is the most recent and the least understood.

What is important to grasp is that cyber attacks can cause physical damage, and on a large scale. And, in causing physical damage, they can kill people. 


This article was submitted to the UK Defence Journal by Rebecca Campbell. Rebecca is British and permanently resident in South Africa, where she works as a science and technology journalist, covering, among other things, the aerospace, defence and nuclear sectors.

She has a MA degree, with distinction, in International Relations from the University of the Witwatersrand in Johannesburg. Her thesis was entitled Armed Forces as Instruments of Foreign Policy: Some Case Studies. This paper is entirely her own opinions and does not reflect the views of her employers. Rebecca Campbell is not, and never has been, on Twitter or Facebook.


As early as September 2007, according to the US Centre for Strategic and International Studies, Israel used a cyber attack to disrupt Syrian air defence networks as part of an air strike against an alleged Syrian nuclear facility. The Stuxnet computer worm, discovered in 2010, inflicted physical damage on more than 900 uranium enrichment centrifuges in Iran. In late 2014, a cyber attack manipulated and disrupted the control systems of an unidentified German steel plant, resulting in massive damage to a blast furnace. In December 2015, a cyber attack on Ukraine’s power grid disconnected 30 electricity substations from the grid and cut the electricity supply to 200 000 people for several hours. Physical damage was inflicted on industrial control systems and the 30 affected substations had to be manually operated for several weeks.

Don’t forget that shutting down electrical networks also shuts down wide swathes of the economy and national infrastructure: electric trains cannot run, financial services cannot take place, civilian telecommunications are severely disrupted, hospitals are crippled – and can patients die – traffic control systems go down, and so on.

In all these actual cases, the level of damage inflicted was previously only achievable by the use of strategic bombing. 

But the potential is much wider. Chemical plants are also vulnerable. Cyber attacks which give hackers remote control of the industrial control systems in chemical plants would allow them to disrupt the entire process control system, exceed safety parameters and wreck equipment, accompanied by the spilling of dangerous chemicals and/or the release of poisonous gases, endangering the lives of many, perhaps thousands, of people. That the risk to people is real is shown by the consequences of one of the worst, if not the worst, industrial accident in history.

In December 1984 more than 40t of methyl isocyanate gas leaked from a pesticide plant in Bhopal, India, immediately killing at least 3 800 people, with up to 6 000 more dying in the following few days, and a further 15 000 to 20 000 people suffering premature death over the next 20 years.  And many people who survived, and still survive today, suffered permanent damage to their eyes, as well as their neurological, reproductive, and respiratory systems. Survivors also suffered from genetic damage, with increased levels of chromosomal abnormalities.

It should now be obvious that the military potential of cyber warfare is very real. State-organised and coordinated hacking could attack electricity grids at multiple points simultaneously, overwhelming repair crews, and, at the same time, attack multiple chemical plants and other essential systems. An entire country could be “taken down”, with recovery requiring (depending on the sector of the economy) anything from minutes to months. Now imagine such an attack combined with a simultaneous full-scale conventional assault against that country or a small, weak, ally of that country. The chaos resulting from the cyber attack would pretty much neutralise any military response to such an attack for crucial hours, maybe even days.

Both Russia and China could attack the UK through Cyber warfare, as could countries like Iran and North Korea. In fact, Cyber warfare is the ideal weapon for weaker countries against stronger ones. Because it has global range and can inflict potentially devastating physical damage and loss of life, it can substitute for strategic air power and conventionally-armed ballistic missiles, and at a fraction of the price. Cyber attacks must be guarded against.    

However, protection against Cyber attack is complicated because the sphere of cyber defence embraces the military, civilian government, and civilian commercial realms. Perhaps different terms should be used for each – “cyber defence” for the military realm, “cyber security” for the civilian governmental realm, and “cyber protection” for the commercial realm. Cyber defence would be the responsibility of service personnel (whether regular or reservist or both), cyber security would be handled by civilian government agencies, while cyber protection would involve the private sector with government support. Coordination and cooperation would be required across all three realms. 

As the threat is real, Britain must make serious investments in Cyber defence. The idea that the armed forces should protect national industrial infrastructure from air or submarine-launched conventional cruise missile attack but not from equally (perhaps even more) destructive Cyber attacks is completely irrational and, in fact, absurd. 

Of course, what is sauce for the goose is sauce for the gander. Britain can also use Cyber warfare to attack foes. I am no expert in the law of war, but I suspect that, to be legal, Cyber attacks would have to be carried out by uniformed personnel. Moreover, it would make no sense to take such a potentially powerful offensive capability away from the armed forces and give it to a civilian agency. 

But who should be responsible for strategic level Cyber defence in the UK, especially given the general perception that the types of people best suited for Cyber are not really amenable to military discipline and hierarchy?

The RN and RAF are probably better bets for hosting such people than the British Army. The RN in particular has a well-established record of successfully operating ‘quasi-piratical’ and quite informal organisations that relied on self-discipline much more than formal discipline, such as the early submarine service and coastal forces during the two World Wars.

But whichever service gets to form the framework for Cyber defence operations (which would obviously fall under the control of Strategic Command), each of the armed forces must have their own tactical and higher-level Cyber defence and offensive capabilities, just as, for example, they have their own EW capabilities. 

To reiterate and conclude: cyber war is not virtual war, it is not video game war; it is real warfare that produces kinetic results previously only attainable through the use of strategic bombing.

Cyber warfare has the potential to kill large numbers of civilians. It can wreck essential national infrastructure and key national industries.

In purely defence environments Cyber warfare can be used to “crash” defence command, control, communications and computer systems, sensor systems, integrated defence (such as air defence) systems, thereby blinding, confusing and disarming military forces and allowing an aggressor to inflict severe losses and seize key locations using its conventional forces.

Spending on Cyber defence does not and will not take money away from defence, for it is now an essential part of defence and investing in it strengthens defence overall.

Notes

  1. This discussion of cyber warfare is based on: Centre for Strategic and International Studies “Significant Cyber Incidents Since 2006”   https://cisi-prod.s3.amazonaws.com/s3fs-public/200403_Significant_Cyber_Events_List.pdf?.tlmv65Bm5D0d5UVqRtac3qdYqd.BYtLj, accessed 26/04/2020; Gabrielle Desarnaud Cyber Attacks and Energy Infrastructures: Anticipating Risks, Ifri, Paris, January 2017, www.ifri.org/sites/default/files/atoms/files/desarnaud_cyber_attacks_energy_infrastructures_2017_2.pdf, accessed 14/06/2020; Kim Zetter “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever” in Wired 8/01/2015, www.wired.com/2015/01/german-steel-mill-hack-destruction/ accessed 16/06/2020; and Emma Stoye “Security Experts warn chemical plants are vulnerable to cyber-attack” in Chemistry World 10 June 2015, www.chemistryworld.com/news/security-experts-warn-chemical-plants-are-vulnerable-to-cyber-attack-/8632.article, accessed 16/06/2020.
  2. Edward Broughton “The Bhopal disaster and its aftermath: a review”, US National Library of Medicine, National Institutes of Health, www.ncbi.nim.nih.gov/pmc/articles/PMC1142333/ accessed 15 November 2020.
Rebecca Campbell
For the past two decades Rebecca has worked as a science and technology journalist for South Africa's leading business and technology journal. Her technology beats are aviation, defence, civil nuclear power, & space.

10 COMMENTS

  1. Money has to be found to give our countermeasures the funding it requires. However, the burning question is, how much it will (or does) cost to develop our own offensive systems??
    Less dependants on national grid systems and increased focus on localised system cells, with their own code protection, unless that is already in place may be the only way to avoid mass disruption?

  2. Excellent article. I particularly liked the obvious point that cyber warfare is not virtual warfare, but real warfare. It needed saying as I have seen the ‘virtual war’ used in the cyber context. Given the kinetic effects, it is not virtual at all.

    I liked the ‘quasi-piratical’ desciption for certain branches of the RN. I bet there would be a few navy types who would smile at that. On a serious note though it is a good point. The hacker community often sees itself as ‘free-booters’ resisting the dead hand of the over controlling state machine so are unlikely to fit well into the class military disciplinary structure. Yet this is where the talent is. Another point to note is that they are often very young too and perhaps vulnerable to online grooming. It is a very complex area legally and socially and obviously crosses over between state and criminal activity.

    Good to see that Cyber is getting a considerable investment in the UK.

    Cheers CR

    • Unfortunately the more ‘free spirited’ approach has slowly been removed from the Submarine Service over the years, the S boats were pretty much the last of it and it was on the way out then too.

      A bit of a personal ‘thing’ of mine is going back to trade pay as opposed to just promoting people to give them more cash. I would guess (and it is a guess) that a lot of these guys would see themselves as the ‘pilots’ rather than the ground crew, I’m not sure how that would all work, at least for now. There were issues when the Forces started introducing IT back in the 80’s, people were being sent on the courses and being paid for, only to be head hunted to work elsewhere. Its been an ongoing problem that certainly in the recent past ending up with a ‘monkey see, monkey do’ approach to training the IT operators.

      I would imagine it would be easier to make it a Civil Service problem in the short term.

    • Co-incidentally, I am currently reading ‘The Fox’ by Frederick Forsyth. Can’t put it down.Very appropriate to today’s article.

  3. The article talks about “could” and “possible”, but as we know from a recent speech by the head of the army this is not theoretical. We are currently fighting a cyber war.

    • Hi Sean,

      Agreed, and given recent annoucements it appears to be one that the UK is willing and able increasingly able to engage.

      Cheers CR

  4. I have a son who works in the commercial world of cyber security, you would be amazed at some of the incidents that occur and the counter measures employed to mitgate attacks.

    Real wild west stuff

    • Hi Mike,

      Probably not, well may be on a technical level I would be, but not on the behavioural level because there is in effect no enforcable law. As you say real Wild West stuff and until there are proper international treaties in place it will remain so I think.

      Frankily, I do not much chance of any treaties so long as countries see it as a reasonable tool of state.

      The big danger is that someone pulls off an attack that has unforeseen consequences on a state wide level that is interpreted as a deliberate attack. Such a circumstance could quickly move into the realm of physical forces. In effect I think that the threshold for an accidental conflict has been lowered, especially given that state players are attacking commercial targets and criminals are attacking state targets…

      Cheers CR

      • Well it amazed me, the dark web is a terrible place it would appear.

        I don’t see how it can be controlled, we must strengthen and monitor our defences to prevent any possible attack

  5. Short, but punchy. The stuff of Sci Fi and Techno thriller writers for the past 20 years +.

    Unfortunately, now the stuff of reality.

    I know HM Gov is / has setting up a cyber section, but saying the RAF and RN is better suited to lead because they need ”types of people best suited for Cyber are not really amenable to military discipline and hierarchy”.
    Based on the back of the Silent service??
    How about the LRDG? SAS? or the army commandos?

    Anyway, going forward.
    Should it be a pure military asset or an intelligence asset?
    Should they be part of GCHQ? who, i’m pretty sure already do this kind of work, defencivly and, dare i say, offensivly.

    But what is the best defence against a room full of hacker somewhere on planet earth?

    The Tom Clancy way, find and eliminate?
    The Battlestar Galactica way, no system to system networking?
    Or do we need to develop a ”very British response”?

    What ever the future bring, the fact of the matter is, we are now facing, to quote Tom ”a real and present danger”, that could lead to the collapse of technology dependet peoples and countries.

LEAVE A REPLY

Please enter your comment!
Please enter your name here