The UK Introduces Nuclear Deterrence Theory to Cyberspace, Raising More Questions Than Answers
Britain’s 2021 Defence Review states that the nation will not use nuclear weapons against any non-nuclear state party to the Treaty on the Non-Proliferation of Nuclear Weapons 1968 (NPT). But it then adds, “we reserve the right to review this assurance if the future threat of weapons of mass destruction, such as chemical and biological capabilities, or emerging technologies that could have a comparable impact, makes it necessary.”
Elsewhere, the Review makes it clear that ‘cyber’ is considered an ‘emerging technology’. Does this mean that the UK will consider a nuclear response to a serious cyber-attack?
Back in 2018, Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence), said the UK’s position “should be to understand first, to decide first, and then if necessary, to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities.”
Around the same time, the UK Attorney General, Jeremy Wright QC MP, said, “The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter.”
These two statements make it clear that the UK believes that it has the right to respond kinetically to cyber-attack, and that the response can be pre-emptive. The latest statement in the Defence Review expands this position to include the potential for a nuclear kinetic response.
On the surface, this appears to be a major escalation in the possible effects of cyberwar – but is it one that should be taken seriously?
The rise of cyberwar
The key phrase describing what might elicit a kinetic response from the UK seems to be “cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack.” In practice, this means a destructive attack against the industrial control systems (ICS) and programmable logic controllers (PLCs) of one or more of the critical industries, such as water, power, healthcare or finance.
How close is this scenario?
The reality is that such attacks are not new and are becoming increasingly common. The first, and perhaps still the iconic, act was the Stuxnet attack against the Iranian nuclear facility at Natanz. Commonly thought to be a joint United States and Israeli operation, Stuxnet destroyed around 1,000 centrifuges in 2010.
In 2016, malware thought to originate from Russia caused power outages in Kiev, Ukraine, and the surrounding district.
In 2017, the Triton/Trisis malware came close to causing a serious explosion at Saudi Arabia’s Tasnee petrochemical firm. The attacker first compromised the IT network and traversed from there to the OT network. Tasnee had neither sufficient network segmentation, nor strong enough authentication procedures, nor sufficient visibility into its IT and OT networks to prevent or detect the attack.
In 2019, a physical attack by drones was launched against Saudi oil facilities, causing fires and the temporary loss of around half of the kingdom’s crude oil production. Although not officially confirmed, it is commonly believed that the attacks were orchestrated by Iran.
In 2020, Israel warned of attempts to attack the control and monitoring systems of sewage treatment plants, pumping stations and sewers. Interrupting the water supply, or potentially poisoning it by raising chemical additives beyond safe levels, could lead to widespread harm.
Today, three trends are coming together to make a planned or accidental serious cyber strike more likely. The first is that geopolitical tensions are increasing. China is concerned about the American military presence in the region, alongside US allies Japan, Australia, South Korea and India. America simply doesn’t trust China, and there are lingering concerns that the Coronavirus escaped from a lab in Wuhan.
Russia is increasingly bellicose in line with its relatively recent growth in energy wealth. The EU has been weakened by the withdrawal of the UK following Brexit.
The US has to recover from four years of unusual foreign policy during the Trump administration.
The second trend is the growth of the fourth industrial revolution. It is increasingly difficult to keep IT and OT separate, making it easier, more likely, and more devastating for attacks (whether accidental or intentional) to bridge the ‘gap’ between the internet and the plant.
The third is the increasing interdependence of the critical infrastructure. “Any cyber-attack that has an effect on one critical infrastructure lasting longer than 72 hours will have chain effects on others and these effects can be massive and comparable to natural disasters (think of the fallout of hurricane Katrina),” warns Dirk Schrader, Global VP of security research at Naples, Florida-based New Net Technologies (NNT). A natural escalation of effects could become an issue.
It is tempting to say that it is not a question of whether there will be a major cyber-attack against the critical infrastructure, but when it will inevitably occur.
More from the Defence Review
There are two other comments in the UK Defence Review (PDF) worth considering. The first concerns cyber strength, which the Review discusses in considerable detail. It claims that the UK is the “3rd most powerful cyber nation in the world, ranking top in defence, intelligence, norms and offensive capabilities.”
It also discusses the new ability of the National Cyber Force (NCF) to “detect, disrupt and deter our adversaries… The NCF draws together personnel from GCHQ and MOD, as well as the Secret Intelligence Service (SIS) and the Defence Science and Technology Laboratory (Dstl), under one unified command for the first time. Alongside the MOD’s operational expertise, Dstl’s scientific and technical capabilities and GCHQ’s global intelligence, SIS provides its expertise in recruiting and running agents alongside its unique ability to deliver clandestine operational technology.”
One area that is given little space in the Review is cyber attribution. However, the NCF’s combination of traditional intelligence gathering (spywork, via SIS) with GCHQ’s signals capabilities implies that both cyber and physical data will feed attribution. Together with the statement that the UK will “improve its ability to detect, understand, attribute and act in response to aggression across the range of state threats, whether in the physical domain or in cyberspace, and whether military or non-military in nature,” this reinforces the notion that the UK will know who attacks it — and will respond.
The overall impression is rather bellicose. Our second statement is the saving grace. “We will remain,” it says, “deliberately ambiguous about precisely when, how and at what scale we would contemplate the use of nuclear weapons… This ambiguity complicates the calculations of potential aggressors, reduces the risk of deliberate nuclear use by those seeking a first-strike advantage, and contributes to strategic stability.”
This statement reduces the document from a threat of what the UK will do to a warning about what it could do.
The question remains, however, how likely a nuclear response from the UK really is. The big danger lies in attribution: most cyber experts suggest it is impossible to be 100% certain of an online aggressor’s identity using online detection alone. More reliable is old-fashioned telephone surveillance of the sort obtained by GCHQ and the Five Eyes alliance. The UK says it will combine both sources in its aggressor assessments.
Tony Cole, CTO at Attivo Networks, believes that the combination of digital evidence and data from the intelligence collection apparatus “may provide clear and high confidence levels of who the attacker is and [a] complete understanding of their tactics, techniques, and procedures.” The physical evidence, however, is unlikely to be made public for fear of giving away the collection methods to other nation states – leaving the aggressor free to deny any involvement.
Unintended large-scale consequences
There are other issues. Is it possible to differentiate between a cybercrime group and a government with whom it has occasional loose ties? What about a criminal gang’s ransomware that has unintended large-scale consequences?
“In 2017, the UK’s NHS was hit by WannaCry and the fallout of that attack was certainly devastating,” comments Schrader. “Would that already be considered a triggering event? How about a large-scale attack carried out by a non-state ransomware group, motivated by financial gains, having unintended consequences, chain effects within the power grid…”
The danger in activating a nuclear response is extreme, and it is likely that the UK policy is purely meant to have a deterrent effect. The ambiguity is built into the policy to make sure it is taken seriously – and indeed it should be. For example, if intelligence demonstrates that a major adversarial nation is engaged in pre-emptive cyber strikes to weaken the UK’s ability to defend itself, then nuclear strikes from the UK’s submarines are the only viable option. The Defence Review is there to say, ‘Don’t do this – we will hit back harder.’
One would hope that the UK’s allies were brought on board with this policy before it was published. Other nations may already have this policy privately – but the UK is the first to publish it publicly. “The real danger,” warns Schrader, “is that this reasoning allows other nuclear powers to apply the same, and some of them might actually be less hesitant to follow through.”
And in reality, the theory of deterrence rests on nothing more than the observation that it seems to have worked so far. It has not been tried at this level in cyberspace. “The challenge of applying deterrence theory to cyberspace,” explains Tom Kellermann, head of cybersecurity strategy at VMware, “is that it’s a free fire zone with a multiplicity of nation-state and non-state actors. ‘Nuclear’ deterrence theory is only effective if you can discern your enemy and they are a rational actor, which is often not the case.”
Even so, no nation can base its own security on what it thinks the enemy might do – it must be based on what the enemy could do. The UK has stated very clearly that it could do something very severe in response to serious cyber aggression.