Editor’s Note: This piece is brought to you by Isaac Sackville-Adjei, a recent Master’s graduate from the University of St Andrews. His dissertation ‘Ctrl+Alt+Defeat’ on the topic of cyber warfare achieved the Dean’s List award as well as the ‘Rt Hon Lord Campbell of Pittenweem Prize for the best MLitt dissertation written in the School of International Relations’. Be sure to follow Isaac on his LinkedIn.
Popular media like Fast and Furious 6 (the second best IMO) or the upcoming Netflix show Zero Day imagine a world increasingly threatened by the highly destructive, if vaguely defined, capabilities of cyber weapons. They imagine a world where great adversarial powers like China or Russia, or even small terror groups acting alone, can mount huge cyber attacks that kneecap nations as large as the UK or even US. Hollywood shouldn’t be blamed for these outlandish ideas however. They are simply taking cues from countless articles and think pieces from well respected institutions such as Politico, RAND, War on the Rocks, Chatham House and many more.
These ideas fail to appreciate that offensive cyber capabilities (OCCs) are simply too cumbersome, ineffective and expensive to be worth developing or deploying, as explored in my thesis last summer. Yet, cyberpower is still likely to play a much more dominant role in global politics and security in years to come. Online misinformation and deep fake social media posts are likely to erode the sovereignty and political agency of any single nation that does not insulate itself from these forces, and it is these mechanisms that may ultimately imperil the UK.
Below, I give a brief overview of the arguments made in my dissertation, applying them to a UK context. I then outline why this means we shouldn’t be too scared of falling to a wave of cyberattacks, and we should take the threats that stem from online political subversion much, much more seriously.
The Good News
The idea that a cyber attack could independently cripple a vital military system is unrealistic, if nothing else but for the fact that military systems typically have some of the best cyber defences found in the country. Examples of this happening are few and far between, and all of them showed that these attacks took years to develop, significant financial capital and manpower, and produced very limited tactical impact. Moreover, all known incidents of this occurring were on targets which had much weaker cyber defences than is typical of the British military.
Contrary to popular opinion, defending programmers have a distinct set of advantages against attackers. In essence, a successful cyber attack relies on constantly maintained stealth, for if an attacker is detected they can easily be ousted from a target system. Most vital military or civilian systems have automated security protocols, and are coupled with routine manual security checks conducted by skilled defence programmers. This makes maintaining stealth deeply challenging, especially in the systems of greatest value to attackers, since these are typically given the best defences.
It’s best to think of cyber attacks as an incredibly rare, niche and demanding special forces operation. Unlike special forces teams however, found in some form or another in most militaries on the globe, less than a dozen countries possess the capability to even hypothetically mount an effective cyber attack which physically disables another’s military equipment for a tactically significant period of time. Moreover, rare is the time in history when a single special forces operation has been able to produce a strategically significant and decisive outcome.
Similarly, the theory posited by many that a nation may be held hostage, brought to its knees, by a cyber attack aimed at vital civilian functions (think water, transport infrastructure, hospitals, electricity grids, nuclear power plants) shows just as great a paucity of coherent thinking. For one thing, just as the Blitz was unable to bring Britain to its knees in the early 1940s by an operation that incurred serious financial and physical costs upon London and its people, it seems unlikely that a few (extra) cancelled trains, electricity outages or even attacks on our healthcare infrastructure will impel the surrender that cyber evangelists envision.
For another thing, the idea that a team of programmers can disable large swathes of critical infrastructure entirely through cyber means is fanciful. The closest known example we have of something like this occurring is by Russia, who spent 19 months preparing an attack on Ukraine’s energy grid in 2015. The damage was stymied within 6 hours and the outage affected less than 1% of the population, most of whom didn’t even register it on account of being asleep. This attack can hardly be considered a knockout blow.
Since the beginning of the war in Ukraine, Russia has begun to realise how ineffectual and costly attacks aimed at military systems or critical infrastructure is, and has ostensibly shifted their cyber resources away from attacks of this nature. This would suggest that the UK is put at no greater risk of military invasion as a result of the advent of offensive cyber capabilities; even the greatest powers are coming to understand the limitations of applying cyber power for military success.
Even more good news: if one of the world’s foremost cyber powers is unable to produce strategically meaningful results through cyber attacks, it is unlikely the UK will ever be under serious threat from small actors conducting so-called “cyber terrorism”. Since there have never been any cyber attacks that directly and independently created violent effects, and those which came close came at an extremely high cost, cyber attacks seem both an unsuitable and unattainable means for any group to sow “terror”. Terrorists may certainly be able to deface a government website, or perhaps even extract poorly protected private information to hold ransom, but this is hardly violent and certainly not enough to meaningfully disrupt the daily lives of everyone in the country.
Does this mean the end of history in cyberspace?
Well in short, no. The domain of cyberspace is one which presents many opportunities, so cyber powers such as Russia or China will continue to use cyberspace to degrade their enemies or strengthen their own militaries. It is also still relatively new, and anyone who claims with certainty to know the direction in which cyberspace is heading is a false prophet.
The possibility that a radical technical development will upset the balance within cyberspace and make attacking much easier and more effective cannot be discounted. These conditions may very well be met some day through AI or another revolutionary development, and if that were to happen cyber weapons may truly represent an existential security threat.
Secondly, regardless of the direction the technological balance takes, dozens of countries are capable of carrying out cyber network exploitation (CNE) for the purposes of espionage. Many states are able to use CNE to extract valuable intelligence about another states vital interests, capabilities and intentions. China is infamous for extracting thousands of pieces of intellectual property to advance its commercial interests or stealing state secrets from countries like the US and their F-35 program in the hopes of matching their technological superiority. As cyber capabilities continue to proliferate, albeit slowly, across the global security environment, cyber espionage contests are likely to deepen and widen.
However, I believe the most concerning threat lies in the likely increase in political subversion and online misinformation. Russia has a long documented history of using DDoS attacks, website defacements and online misinformation in an effort to politically subvert their targets and sow chaos amongst the population. When Russia realised near the start of their invasion that offensive cyber capabilities could not be used to degrade a military, they adjusted their cyber stratagems accordingly; they put greater emphasis on sowing political chaos within Ukraine and amongst its allies so that support would weaken and unity would fracture. Not only does this speak to the serious security challenges facing the UK and Europe, but it suggests a global trend that may come to the fore within cyberspace. As states come to see how inadequate cyber weapons are for creating military failure, they will channel greater resources into attempting to precipitate political failure instead. Hence, in the medium-to-long term, the advent of cyberspace as a means for political and security contests may assert itself as a truly destabilising phenomenon.
What should the UK do?
Given the opaque nature of cyberspace, it is impossible to know how much, if any, emphasis is placed upon developing cyber weapons in the UK. However, given their inefficacy, the UK should look to divest from OCC development and instead direct investment toward cyber defences. The defence-dominance of cyberspace is not intrinsic to the domain, but rather predicated upon the structures of cybersecurity which make good defence exponentially easier to implement and maintain than strong offensive capabilities. Hence, investing in defence will both help to insulate the UK from malice in the near term, and propagate a system of defence-dominance which discourages cyber attacks globally in the long term.
As discussed above however, as actors steer away from cyber attacks, they will readjust their doctrines toward other means of disruption within cyberspace, namely as online political misinformation. I believe it is paramount to the political stability of this country, not to mention peace and security, that the government does all it can to combat online political misinformation. Misinformation can be so cheap to produce and proliferate, so trying to stem the flow at the source would be a sisyphean game of whack a mole.
However, the government can adopt strategies that help make Britain more resilient to misinformation. Firstly, they can make it much more challenging for misinformation to survive on social media. The government could introduce laws that compel social media platforms such as Meta or “X” to be far more rigorous in its suspension or banning of accounts, as well as more labelling of pernicious accounts and fact-checking of misleading posts.
Going up against tech giants like “X” and Meta might seem impossible, but they are not as indomitable as they’d like to appear. For instance, last Autumn, the Brazilian supreme court was able to elicit concessions out of “X” and insist that they remove accounts spreading hate speech. The line between censorship and fact-checking is hotly contested, and likely to be seized upon by key opponents of the Labour government such as Kemi Badenoch and Nigel Farage. However, to do nothing is to resign the country to preventable hate speech and online toxicity, and to allow the integrity of our political culture to slowly be eroded.
Somewhat less contentiously, the government could also look to improve online media literacy. This would mean equipping people with the critical thinking skills to pull apart misleading posts online, detecting when claims are unsubstantiated and figures cited are fabricated. Media literacy training would also be invaluable in a world where AI driven deep fakes of important figures in photos, videos and audio are becoming ever more common. Posts such as these are already frequently used to attempt to manipulate people’s views and opinions online, and showing the population how to discern these from authentic sources will be pivotal as these posts become more realistic [authentic]. Implementing policy that makes tech companies watermark and label AI content would also be an apt tactic to tackle this growing problem.
It’s tempting to buy into the narrative often popularised in the print media and Hollywood movies that the UK could fall prey to a devastating wave of offensive cyber attacks, but the reality is both much less exciting and much more scary. I appreciate the inertia that a Labour government may hold against implementing such contestable policies, especially given their shallow majority and burgeoning threat from the populist right. However, in a world of uncertainty and entropy, where those in politics are becoming less and less accountable for the lies they spread and the division they sow, the survival of the UK’s cultural and political fabric depends upon strengthening ourselves against the rising tide of political misinformation.
The UK will not be conquered overnight by a wave of devastating cyber attacks, but if we allow misinformation, hate-speech and political subversion to run amuck, the country will be defeated all the same.