This May, the Irish national health service was hacked by criminals. The entire system could not be accessed, which resulted in patient records becoming inaccessible, mass cancellations of appointments, the wrong medication being prescribed, surgeries and treatment such as chemotherapy being delayed, and critical tests such as X-rays and blood sampling grinding almost to a halt. We will never know what effect this cyberattack had on illness and deaths in Ireland.
British readers will be haunted by the similar WannaCry ransomware hack on the NHS in 2017. The North Korean state, the uppermost outcast of the world’s pariah states, deprived of all the offensive resources the world could deny it and 8,600km away from London, still managed to spill blood on British soil.
The message to governments and businesses is clear: protect yourself in cyberspace or be destroyed, with private citizen records, customer data, and trade secrets scattered across the internet and your finances emptied.
Cyberattacks threaten companies and individuals on a scale never seen before, and without collective intervention, this trend will only go one way.
The first responsibility of a state, no matter how primitive, is to protect its citizens from external threats. In Western Europe, especially after 1990, physical invasion threats receded to the point that NATO started sending ‘expeditionary’ forces to various conflicts in other parts of the world. This trend has gone into reverse this year, with troop withdrawals from the Sahel and Afghanistan, but Western Europe and North America are still not under any physical threat.
Economic warfare is the second dimension along which conflict in the 21st century is currently occurring. Before China started flexing its financial muscle in the past decade (to be precise – when Xi Jinping took his country’s foreign engagement strategy in a different direction), US sanctions were a near death sentence to almost all economies they chose to target. Russian money was not nearly enough to make up for being cut off from almost all developed economies, led by the US. This calculation is changing, given that China is willing to extend a much bigger lifeline to US targets – as illustrated by the $400bn investment deal signed with Iran in March (although public details on this transaction are scant). What this means for the UK is that our economic sanctions’ efficacy will be decreased compared to previous years. Will this mean that we will see fewer sanctions, just as we pass the Magnitsky legislation? That is a difficult political choice with many consequences.
That brings us to cyber warfare. Cyber warfare is fundamentally different in two ways: first, the cost of conducting attacks is low enough that it is accessible to small groups of people – whereas the other two options require comparatively huge scale and are easily detectable. The cost of obtaining off-the-shelf attacks and stolen data records is a mere few hundred dollars.
Second, cyber warfare transcends the barriers that prevent attacks from happening in the first place. Cyber attackers do not care about physical barriers or difficulty getting tanks and ships across rough terrain and unfriendly weather. Neither do they care about sticking to legal precedent, and attacks cannot be countered by the huge array of tools available to powerful governments.
The increasing risk of open cyberwarfare
On 15 June 2021, the heads of state and government of the 30 members of NATO took steps to ensure that Article 5 applies to cyberattacks, extending the principle of collective defence. This explicitly extends the collective responsibility of NATO members to protect each other from hostile threats in the cyber domain.
The devil is firmly in the detail, and it will be interesting to see how this will play out in practice. What is the definition of a state-backed cyberattack? How will cyberattacks be attributed to states without giving away crucial information about how those attacks were traced? To what extent will nation states help each other? Will they even invoke Article 5 at all under the new rules? How much will the public be allowed to know?
If NATO wants to take cyber threats as seriously as kinetic threats, it is clear that the details of this approach must be worked out – as well as convincing member states that acting on a united cyber front is in their best interests. Given the highly disparate capabilities within member states and limited resources relative to the vast cyber domain, observers should expect a high degree of prioritisation and therefore guidance on self-defence for many smaller businesses not deemed critical to state security.
How should the UK itself behave in this new field of conflict? As Andrew Dwyer, a cyber academic, writes for the Fabians’ defence and security policy group: “questions must be asked of the use of [offensive] cyber and whether such a move is in the best interests of the security of the United Kingdom.”
Cyber warfare is now everywhere and affects everybody. It is up to all of us to pressure governments into acting in a way that protects us best.