The late J G Ballard once told the Guardian that in cyberspace ‘the entire human experience seems to unveil itself like the surface of a new planet’.
Whenever we log on we carry our essential human nature with us. Like people, cyberspace has a dark side and it is already shaping our future security environment. The openness of our society, our connectedness with the wider world and our high-tech way of life, is a source of strength. But openness also brings vulnerability.
Threats do not just come from malicious viruses or organised criminals stealing people’s identity or money. Digital networks are now at the heart of our transport, power and communications systems, and our economy as a whole. This reliance brings the capacity for warfare to cyberspace.
The consequences of a well-planned, well-executed attack against our digital infrastructure could be catastrophic. In this way, a single networked laptop might be as effective a weapon as, say, a cruise missile.
The National Security Strategy identifies cyber attack in the top tier of risks to the UK over the next five years. An extra £650m has been allocated to create a National Cyber Security Programme to fund work across government in partnership with business and other experts to strengthen our understanding, our resilience and our defences.
Understanding is key. In the military sphere, whenever a new domain opens up, like air and space flight in the last century, the temptation is to devise wholly separate doctrines to address the new environment.
But we must remember that cyber crime, cyber terrorism, cyber espionage or cyber war are simply crime, terrorism, espionage or war by other means. Cyberspace adds a new dimension, but its use in warfare should be subject to the same strategic and tactical thought as existing means.
Action in cyberspace will form part of the future battlefield, but it will be integrated rather than separate, complementary rather than alternative. Suggestions that cyber weapons will replace traditional weaponry are fanciful to say the least. Cyber will be part of a continuum of tools with which to achieve military effect, both defensive and otherwise, and will be an integral part of our armoury.
That is why this will link into work being taken forward across government to ensure a comprehensive approach.
We need to be comprehensive, because cyberspace has specific characteristics that blur traditional boundaries. First, the technology is similar to that used by people going about their daily business. With nuclear or biological weapons, the technical threshold is high. With cyber, the finger hovering over the button could be anyone from a state to a student. Second, establishing who is behind any attack and its purpose is difficult, particularly where aggressive state-sponsored activity is undertaken through proxies. Third, there are no geographic barriers in cyberspace. An attack could originate from anywhere.
This is why, as Britain reinvigorates its national cyber security architecture, we need to do the same internationally. In an environment of cyber anarchy Britain would be more vulnerable. Cyberspace should be considered within a rules-based system just like the physical world. Existing international frameworks can be applied to cyberspace too - we don’t necessarily need to invent new laws.
Top of the list of the UK principles on activity in cyberspace is the need for governments to act proportionately and in accordance with national and international law. These principles should apply in the civilian and military sphere alike. There is a lot of work being done bilaterally and multilaterally to develop common understanding and common positions. But this work needs to be guided by discussion of how states should act in cyberspace.
Some argue that the difficulties involved in detecting and attributing cyber activity mean any international consensus would be worthless, so why bother trying? Others argue that the West has a technological advantage and shouldn’t tie itself down to multilateral policy. I disagree.
First, a new international consensus won’t extinguish threats but it will help manage them. Consensus would provide legitimacy for action. At the very least, dialogue seeking to reach a common understanding about how states should behave would crystallise where we have significant problems or form the basis for building trust, confidence and transparency. The conference, which William Hague announced the UK will host later this year, is an important step in this direction.
Second, it is inevitable that the West’s technological edge will be challenged as other countries, particularly China, rapidly develop modern economies, modern militaries and modern technologies. It would be foolish to assume the West can always dictate the pace and direction of cyber technology. Instead, we should act now to influence positively the evolution of behaviour in cyberspace.
The bottom line is this. There is no point hiding behind national strategies or constructing a mythical Maginot Line in cyberspace. We need to think and act internationally because cyberspace is international space and the rules that govern it will be international too.