Running through the maze of tunnels that form the Churchill War Rooms under Whitehall, ducking past the security barrier, and off the tourist trail into a darkened side-room, amid the gloom, a low light picked out a face among the dozen shapes around the table. A quintessential Englishman straight out of Le Carré, down to his pocket hanky, professor Sir David Omand, former director of GCHQ and the first UK Security and Intelligence Coordinator, was giving an authoritative briefing on the threats that the internet currently posses to civilisation itself.
From its actual role in wartime Britain, reprised for the recent film Darkest Hour, the bunker's theatricality lends itself to the topic under discussion - hybrid threats - ranging from psychological impacts of social media that normalise and amplify deviant behaviour, to the use of cyber-attacks in warfare, and the insidious undermining of democracy itself.
As Hugh Njemanze, CEO of event host Anomali described the issue, “It's the most far reaching topic we can be discussing. All nation states are affected, large enterprises and every voting age person.”
Omand described hybrid threats as really just another phrase for subversion, comprising Intimidation, propaganda, and dirty tricks - an approach common in history, now facilitated on a grander scale and more easily by digital means.
Russia's use of RT (English language television station) and Sputnik allow it to frame the debate, thus act as a classic propaganda tool, combining malinformation (material that might be true but stolen and released strategically), disinformation (spreading false information), and junk information (including click-bait websites adding to the noise to drown out factual information).
“This deliberate dissemination of conflicting and confusing messages, has been made possible by the digital age. So people will say, ‘we'll never find the truth', 'is it ever possible to know?' There are points of view a and b, then with c, d, and e thrown out there, it leads to an erosion of belief in truth itself,” suggested Omand.
Omand concludes that we will need separate defences against all three threats.
Against cyber-intimidation, we need better cyber-defence, with critical infrastructure key.
To combat propaganda, we need to encourage free speech and rebutting, so the government needs to have a reputation for telling truth. And we need to rebut quicker. So where RT is framing arguments, this needs to be countered and won on the arguments.
As to dirty tricks - we need intelligence, and to be more transparent with that information and get the media to investigate and expose fake news - with the exposure of the troll factories a good example of this.
Sir David Omand
Our vulnerability is not just to technology but also human. Omand told participants, “Subversion and sedition is going on day by day. It affects major policy issues such as the future of Ukraine, the Baltics, to survival of our democratic process. Threat intelligence is needed to pull together the different information and spot patterns.” He added that another problem is our willingness to accept things not rationally true because they fit our world view, and to help overcome this, schools need to teach critical thinking.
Another problem in the UK is that it can be quite difficult to work out who in government is in charge of countering this threat - is it the Ministry of Defence, Digital Media & sport, Home Office, Foreign office - all need to work with government and the private sector - plus Nato and Europe and its institutions such as the Helsinki Centre for the Study of Hybrid Threats. In latter discussion it was suggested a key UK role would be played by the National Security Council in the end.
From this macro-state-level overview the discussion then drilled down to the individual, led by Dr Mary Aiken, Adj Associate Professor University College Dublin and advisor to EC3 Europol, a cyber-psychologist looking at criminal and deviant behaviour online.
Aiken noted how in many spheres activities in the real world had shifted to cyber-space, and how, alongside this shift, human behaviour mutates in a cyber-environment. She explained: “People do things they would not do in real life - partly due to the role of anonymity.” Of course there is wide agreement on the benefits of anonymity for good, such as allowing dissidents in repressive regimes to express their views, but Aiken suggested that it is outweighed by the “awful power of anonymity for bad, from bullying to cyber-crime,” and she suggests we now need to ask about achieving the greater good.
The psychological insights were not all about behaviour mutating at an individual level as the process was also seen to work at a sociological level. An example cited was online syndication. “ Previously deviant behaviour was limited by proximity. [Deviants] Won't meet to normalise and socialise this deviant behaviour.” She added that this is not just about paedophiles but applies to every deviant group, from those with eating disorders to criminals, who associate and normalise their activity or view.
Another issue raised by Aiken is the importance of creating context and understanding about the domain of operation to provide a contextual framework, otherwise people will find it difficult to make sense of the information they receive. Using physical world analogies - it's easier to 'plant evidence' online, making attribution difficult and (compared to needing physical access) this increases complexity. Though sometimes it's as simple as motive.
Consequently, to cope with this complexity we will need to use machine intelligence and mathematical models to aggregate real world and cyber-information, which includes everything from a speech by a politician, to job losses in a particular part of a country, to a meme online, all factored together. The thousands of datapoints on individuals currently used to target them for sales and advertising could potentially be used to provide predictive power to identify things such as insider threats. And now with a trillion IOT devices coming, there will be even more data. But it can also enable Cyber psy-ops on a national scale to interfere with the democratic process.
Another James Bond observation came when Aiken added that, while it is very expensive to be a superpower in real world, you only need a dozen brilliant minds to be a superpower online and pose a threat to nation states.
Self-referentially within the meeting, Aiken then cited a soon to be published article from Omand (for the Journal of Cyber Security - a Chattham House publication) describing how states and non-states can use cyber-space to mount covert operations to impact states' own populations. And that this can then constitute an insider threat on an unprecedented scale that currently has little policy or technology solutions. The call is for the need to recognise the scale of the problem. The need to invest in training, and develop machine learning to tackle this.
The reason for the concern is that, “The internet is more than an infrastructure - it mediates human behaviour and so can have unprecedented impact on human behaviour. Our freedom of speech is dependent on freedom of thought.”
It's not just government and individuals that are impacted, but also businesses. Concern about erosion of trust in truth was expressed by Andzej Kawalek, CTO and head of strategy and innovation at Vodafone, a company operating globally, with its mobiles increasingly used for new services including payments (Eg in Kenya its mobiles handle 1/3 of GDP, as, like many African countries, people have smartphones but not necessarily bank accounts).
Kawalek suggested that, “Most don't understand the threats and have a misplaced sense of trust and so we need to engender some distrust. We need people to be cyber-resilient and cyber-ready."
He adds that some of the burden of explaining threats and how to deal with them falls on enterprises, saying: “Ethics play a huge part - the organisation's ethics. How you behave and how you should behave online.” Kawalek said that Vodaphone research had found that four out of 10 organisations don't know who to turn to for cyber-security help and this rose to six in 10 among SMEs.
He also highlighted generational differences in how we approach cyber risk, with over 55 year olds very cautious and fearful of data loss, which does stifle innovation. Whereas under 55-year olds can understand risk but it's not stopping them trying new things, but they do so with less caution.
Enterprises need to innovate, but securely, and the problem is how to deliver that enterprise level intelligence and approach for the masses who find it difficult to understand the risk.
Omand later commented, “People don't have sense of relative risk. Everyday there is risk - or business wouldn't make profits - but somehow you have to manage it.”
Leveraging the power of all the disparate data that feeds into threat intelligence clearly creates complex issues around how to usefully disseminate that information in a way that it is understood by the right people, thus enabling it to inform your strategy said Valentina Soria, head of intelligence, Morgan Stanley. She asked, “How do we process the information to inform senior managers of resulting threats? You rely on this information to make an informed decisions and fake-news makes the whole thing more difficult.”
Consequently, accurate cyber-intelligence is key to make sense of the mass of information coming in, including fake news, to see the potential impact on organisations. Soria adds that false flag operations also made attributions far more difficult, but that it is important from a business perspective to know who is targeting you, and companies have moved from reactive to proactive to inform their actions.
Soria also noted how cross pollination was increasingly seen between criminals and state actors leading to an explosion of tools use. As the boundaries between these threat actors blur, so it makes it increasingly difficult to understand who is responsible for what when the same tools used by both.
Njemanze agreed about the collaboration between criminals and other adversaries, and suggested for defenders there is a need to bring transparency, so that people who need to collaborate but find it uncomfortable to do so - for fear of losing competitive advantage - need to be provided with tools that align with what is needed to make that organisation comfortable.
He acknowledged that tech only scratches the surface, but suggested that Anomali sits at the intersection of an arc of tech and cultural/social enablement.
“Staff may feel they are leaking IP, so they need to be able to distinguish between leaking IP and promoting safety of herd,” said Njemanze, adding that they, “Thus look at tools to analyse data at a large scale, for enterprises, nation states. Monitoring so that the first victim of certain type of attack can rapidly share that information. We must publicise large scale attacks, then find rapid ways to disseminate best practice and information on known threat actors to allow them to react.”
First defenders want to know if the attacker has breached their network before strengthening defences. And Anomali wants to help organisations discover links, multiple resources used by an attacker (because if one resource is burned they switch to an alternative). So it is important for defenders to know about certain actors and their approaches. As Njemanze described it: “We need to make sure people who need to know, know, without telling the bad guys. It's cat and mouse with the stakes getting more horrific - it's more about survival these days."
In conjunction with the roundtable, Anomali released its UK Threat Landscape report.
Key findings include:
As a Nato member, kinetic warfare is unlikely but cyber-attacks from power rivals such as Russia are increasingly likely.
Areas others may seek to undermine include political influence, international engagement (military and diplomatic), industrial and economic spheres.
Areas of innovation likely to be subject to IP theft
Health and Pharmaceuticals among top sectors for data breach costs
Terrorism, espionage, cyber-attacks, dissident republican groups pose threats to critical infrastructure (current threat level ‘severe', thus highly likely)
Feb 2017 UK was 38th most attacked country via cyber means (Checkpoint)
UK fourth highest detection of Ransomware in 2016 (Malwarebytes)
Ninth highest for Android malware
UK second highest detection rates for all types of malware
Geographic clusters of certain CNI creates physical vulnerability
There have been successful cyber-attacks on all sectors: Communications - disruption of service due to attacks has happened, plus suffered data breaches.; Defence - has been subject to Russian, Chinese and domestic hacks - plus impacted by hack of suppliers, eg Australia; Emergency services - badly impacted by WannaCry, NHS failing to meet required standards in 2018, various police hacks; Finance - have been successful attacks; Energy , Health, Space, Transport, Water, Government - various hacks.
SQL injection, DDoS and Ransomware account for many of the attacks, but there have also been sophisticated nation-state attacks including from Russia, China, North Korea and Iran.