A conversation with Marcus Willett, former director of cyber at GCHQ
On the morning of February 22, 2022, the world woke to the news that Russia had moved troops into two separatist regions of eastern Ukraine. At the time of writing, it is not yet a full invasion of Ukraine, but Russia did conduct attacks on February 24, hitting cities with airstrikes and artillery in what was called a “special military operation” by Russian President Vladamir Putin.
Just before this maneuver, SecurityWeek spoke to Marcus Willett to get insight into the role of cyber in aggressive geopolitics. Willett is senior advisor for cyber at the International Institute for Strategic Studies where he researches the use of cyber and related technologies as levers of national power. Before then, he had worked at the UK’s GCHQ for 33 years, including roles such as the agency’s first director of cyber.
Strategically, Ukraine is the soft underbelly of Russia. As an ally, Ukraine is a bulwark against NATO. As a member of NATO, it would be a Russian weakness. Preventing this weakness and keeping NATO at least an arm’s length from the heart of Russia, is one purpose of Russian behavior.
But it shouldn’t be ignored that Russia has been increasingly bellicose over the last two decades – including, for example, the invasion of Georgia in 2008 and the almost uncontested annexation of Crimea in 2014. The extent of Putin’s desire to return Russia to the height of its global influence as the USSR should not be ignored.
The big difference between the Russia of the USSR and the Russia of today has been the emergence of cyber as an accepted theater of war. It is this role of cyber that SecurityWeek discussed with Marcus Willett.
Russia has been waging its own cyberwar against Ukraine for many years. For example, on December 23, 2015, Russian attackers accessed SCADA systems in three Ukrainian electricity distribution companies, opened breakers in about 30 substations in Kiev and western Ivano-Frankivsk, and caused a loss of power to more than 200,000 customers. On December 17, 2016, a single transmission substation in northern Kiev lost power.
In June 2017, Russian actors hijacked the updater process of Ukrainian accounting software firm MEDoc and delivered a wiper malware named NotPetya to MEDoc customers. Its worm capabilities subsequently led to the wiper vary rapidly spreading around the world. There are many other examples of disruptive Russian cyber operations against Ukraine between 2014 and the present.
Since the beginning of 2022, however, it seems that Russian cyber activity against Ukraine has increased. This includes evidence that wiper malware has again disrupted some Ukrainian government networks, and attacks from the FSB-linked Gamaredon have targeted around 5,000 entities, including critical infrastructure and government departments. So far, however, there has not been the same scale of disruption as occurred in 2015, 2016 and 2017.
The purpose of such cyber activity is to weaken critical infrastructure, damage government’s ability to respond to any aggression, and to demoralize the population. The advantage of conducting the initial stages of kinetic activity in cyber is the inherent perceived impossibility of accurately attributing the action to any specific aggressor. Noticeably, Putin has consistently denied any Russian (government) involvement in any of this activity.
“What is unknown,” Willett told SecurityWeek, “is the extent to which Russian actors are now embedded undetected within the Ukrainian critical infrastructure – and particularly the electricity grid. This would be the classic use of cyber operations to prepare the battlefield for physical invasion. In the past, cyber activity preceded the physical action in Georgia and Crimea by around two weeks – but Russia may be able to move faster this time.”
There is, however, a major difference between the Crimea and Ukraine incidents. The West seemed largely unprepared on how to respond over Crimea. This time, America has learned the lesson and has been controlling the narrative from the beginning. The U.S. and NATO have signaled very clearly that it knows what Russia is doing and how the allies will respond. The U.S. has liaised closely with its European allies, and sanctions have already begun. Blocking Russian gas exports to Europe will hurt Russia’s economy, while withholding tech exports could also hurt Russian industry. The message is very clear: a physical war with Ukraine could lead to a sanctions war with America and Europe – and that is one war that the relative economic minnow cannot win.
Widespread cyberwar and attribution
The U.S. has been warning the rest of the world against a potential widening scope of Russian cyber activity, and that cyber defenses generally should be tightened.
“Part of the worry,” said Willett, “is that cyberattacks against Ukraine might bleed over, like NotPetya, to affect other countries and cause wider damage unintentionally. There is some concern that the Russians may intentionally do stuff more widely, but that would probably be in retaliation for something that the U.S. or NATO might do.
“I suspect,” he continued, “the Russians will be bending over backwards to make sure that they don’t let their cyber operations against Ukraine spread like NotPetya and cause damage more widely, including in the U.S. and its NATO allies. But we may see an increase in Russian criminal gangs using ransomware against the U.S. and its allies. If any of the Russian government agencies got attributed for causing major damage in the U.S. and NATO, the consequences for Russia would be very serious. Nevertheless, we might well see an increase in Russian cybercriminal activity, including the use of ransomware against the U.S. and its allies.”
This raises the whole question of ‘attribution’. The received belief is it is impossible to do accurate cyber attribution. “That is absolutely wrong,” said Willett. “The problem with attributing in the past has not been a lack of confidence in knowledge, it’s been an inability to release the information in a way that doesn’t jeopardize sources. But over the years, states have become more confident in what they are able to reveal safely, have acknowledged there are thresholds where the risk is acceptable, and the private sector has become more capable in putting together the cyber jigsaw to come up with an accurate conclusion.”
This has allowed the U.S. to be sufficiently confident to indict not just countries but named individuals in both China and Russia. The attacking governments can deny this and claim the U.S. justice system is corrupt, but the effect of being attributed collectively by multiple allied states who say, ‘we know it was you’ is damaging to international reputation. “It would be a mistake for any one nation to think it could attack another without being known,” said Willett.
The danger of accidental global cyberwar
But accidents happen. The two iconic cyberweapons have been Stuxnet and NotPetya. It is assumed that the U.S. developed Stuxnet (although this has never been admitted). NotPetya has been confidently attributed to the Russian government. Both malwares escaped from their assumed targets into the wider world. This was probably accidental – but similar accidents could lead to wider implications during a period of global geopolitical tension.
“The U.S., UK and other like-minded states have declared their intent to use their cyber power responsibly, without giving many indications as to what precisely this means. Comparing Stuxnet and NotPetya is one way of illustrating the difference,” said Willett.
NotPetya was an uncontrolled worm released through a global IT vulnerability that – surprise, surprise – spread beyond the intended target and affected the operating system of any system it landed on. “Stuxnet,” continued Willett, “was very targeted. Yes, it spread beyond the intended target, but it could only cause damage if the specific software that made a centrifuge spin was present (with lots of other conditions). The controlled Stuxnet and the uncontrolled NotPetya illustrates the difference between responsible and irresponsible use of cyber power.”
Willett believes that the U.S. will do its utmost to maintain the principle of a responsible use of cyber power. “If not,” he said, “they end up playing the same game as the Russians, the Chinese, Iran and North Korea. This would leave much of the rest of the world thinking that what the Russians and others have been demanding – new international treaties and conventions to increase the control by governments of their sovereign piece of cyberspace – is the only solution.” The problem is that this is code, in authoritarian states, for mass internal censorship and surveillance, and is the opposite of the ‘free internet’ that we would like to see endure. “So, there are strategic reasons for any U.S. or NATO cyber operations to be very carefully judged to maintain cyber responsibility rather than simply to respond like-for-like.”
In the other direction, Willett doesn’t believe the Russian state will be tempted to run destructive cyber operations against the U.S. and its allies. “They might,” he added, “if subsequent sanctions are particularly brutal; but that would be a mistake – it would be another ‘internationally wrongful act’ under international law, and would invite even more stringent countermeasures and even more international opprobrium.”
In the end, you can’t help feeling that there’s a longer game here: both sides are struggling to understand the potential of cyber in war. Can cyber capabilities be used to have a deterrent effect, can they prepare the battlefield, could they be used for countermeasures against an aggressor? “These have largely been intellectual and doctrinal discussions to this point, but might now be tested in reality with unpredictable results. We are at a very dangerous moment. We should perhaps remember that, before the current Ukraine crisis, Biden said that it would most likely be as the consequence of a cyber breach that the U.S. would find itself in a real shooting war with a major power.”
Nevertheless, the overriding impression given by Marcus Willett is that both sides (this excludes any action or opportunity taken by China, Iran or North Korea) will do everything possible to avoid the actuality of a Russia/Ukraine cyberwar spreading to the wider world. But ‘unintended consequences’ is a risk in all IT and security – and unintended consequences are hard to predict or control.
As this article was completed, the physical invasion of Ukraine began. On the morning of February 24, 2022, Russian troops invaded Ukraine. This was accompanied by a further increase in cyber activity.
Associated Press reported another wave of DDOS attacks against Ukraine’s parliament and other government and banking websites, while ESET has detected new wiper malware on “hundreds of machines in the country”.
Although ESET did not name the targets beyond saying they were ‘large organizations’, Symantec has described three: a financial institution in Ukraine, and government contractors in Latvia and Lithuania. This adds a further geopolitical complication — although Ukraine itself is not a member of NATO, both Latvia and Lithuania are members.
One thing is clear: the marriage of cyber and kinetic warfare has been consummated.
Note: Anything not quoted from Marcus Willett is the opinion of the author.