As talk of war with Russia increases daily, former GCHQ chief Ciaran Martin sits down with our Writer at Large to discuss the threat that enemy cyber-attacks pose to us all

CYBERWARFARE is a deadly business. But it can also, sometimes, be just plain weird. Take the night of November 25, 2019, just before the December General Election, when Boris Johnson won his landslide victory.

It was 8.30pm and Ciaran Martin was leading his team at GCHQ – the UK’s secret intelligence listening post – monitoring the government Register to Vote website for suspicious activity. The threat of Russian interference was ever-present.

“At any point, there should be about 3,000 people on the site,” Martin explains. So that night, come half eight, the site is working perfectly, “3,000 people just ticking away beautifully, no malicious activity at all. Then the next thing we see, at 8.31pm, is the chart go from 3,000 to 48,000. We went ‘what the hell’.”

It looked like the Russians were coming for the election. “It took us an hour to work out what happened.”

And here’s how the murky world of intelligence can go from tragedy to comedy in seconds: just before that huge spike, the grime star Stormzy told his fans to make sure they voted. Result?

“A 16-fold increase in traffic”, causing panic within British intelligence.

Martin was one of Britain’s most senior intelligence chiefs. As founding head of GCHQ’s National Cyber Security Centre, he sculpted Britain’s response to cyber-threats. Martin also held the post of director of security and intelligence at the Cabinet Office.

Now retired from intelligence, he’s a professor at Oxford University’s Blavatnik School of Government, and free – well free-ish, as much of his past work remains top secret – to explain the realities of cyberwarfare.

With the threat of war with Russia now a constant refrain in our news cycle, Martin sat down for a wide-ranging exclusive interview with The Herald on Sunday.

 

Ciaran Martin (UK National Cyber Security Centre) during a Five Eyes session: International Panel Discussion on Global Cyber Issues during CYBERUK held at the Scottish Event Campus in Glasgow.


Former GCHQ chief Ciaran Martin warns that if powerful cyberwar technology was to fall into the hands of terror groups, ‘all bets are off’

Attacks

First, Martin wants the public to get the threat in perspective. We don’t live in a world where hackers can start nuclear war by breaking into Pentagon computers. That’s Hollywood.

He says Leon Panetta, CIA director under Barack Obama, talked of “a cyber Pearl Harbour and cyber 9-11”. Martin adds: “That’s not the way it works.”

Cyberattacks have killed people, but it’s rare. Primarily, they cause huge economic losses and massive disruption to civilian life. Martin says we should think of the National Air Traffic Control system failure last August. That wasn’t a cyberattack, but an accidental IT failure. Nevertheless, it bore striking similarities to what a major hack might look like.

“Loads of people got delayed, weddings and funerals were missed, holidays ruined, and board meetings cancelled. But nobody suffered so much as a nosebleed. Why? Because when something is safety-critical, we don’t just rely on computers.”

Nuclear systems have manual checks and overrides. If air traffic systems fail, planes land by radio. If train signals break, the engines will be stopped.

That doesn’t mean, however, that havoc isn’t being wrought by enemy states like Russia, North Korea, China, and Iran, and criminal gangs mostly based out of Russia with tacit Kremlin backing.

In 2017, just before another General Election, Martin explains, there was a cyberattack on English and Scottish hospitals. “The hospital equipment remained fine, but they couldn’t admit people. It damaged their ability to schedule operations.”

This was a North Korean operation, known as the WannaCry ransomware attack, that went horribly wrong. The NHS wasn’t the target. The real victim was meant to be an Asian financial institution but the hack was so badly coded it ended up going around the world.

Four years later in Ireland, the Health Services Executive – a major logistical part of the hospital system – was “completely taken out. Cancer diagnosis consultations and operations were postponed, antenatal care was severely restricted. People probably got hurt as a result”. That was an attack by a Russian criminal gang.

Also in 2021, Russian criminal cyber gangs attacked America’s Colonial Pipeline. “Taking out a pipeline is hard,” Martin explains. “It’s not quite as secure as a nuclear missile, but there are all sorts of people inspecting it, so hacking its controls and finding the off-button digitally is difficult.”

However, you can cripple any major infrastructure if you hack company “emails, invoices and safety rosters”. The result? “The company switched off the pipeline.” A ransom of $4.4 million was paid to the Russian hacker gang DarkSide.

Currently, the British Library is in chaos after a Russian criminal cyber ransom attack. “It hasn’t been properly working for three months,” says Martin. “Its main catalogue has gone offline. It’s got 170 million items. They’ve no way of knowing what’s in the catalogue.”

He adds: “The undeclared policy of the British state is that public bodies won’t pay ransoms. So [the British Library] is locked out [of its systems] and they won’t buy the key to get back in, which is the right decision as it’ll only encourage more attacks. That means reconstructive surgery. For a database of 170 million items that’s a lot.”

Russian criminal hackers are even suspected of hitting a “lovely” Orkney charity, running disability bus services. “The criminals knew what they were doing. They asked the British Library for £600,000 as it’s a big publicly-funded institution, but demanded £1,000 in Orkney. They research. To say they’re amoral is an understatement.”

It’s estimated in America that repeated attacks on health systems between 2016 and 2021 killed 67 elderly people.

Russia

CYBER gangs also carry out “double-extortion ransomware” attacks. This sees targets locked out of their systems, and the theft of sensitive files which will be leaked online unless blackmail money is paid.

In Australia, Medibank, the largest health insurer, was hacked by Russian criminals, believed to be the hacker gang REvil, who stole the private files of 9.7 million Australians. However, Martin says “Australia handled it brilliantly”.

The government and media agreed not to publish leaked material. Google and Facebook, Martin explains, were ready to take down stolen information, so files could only be uploaded to the dark web.

Nevertheless, hackers released abortion files, then mental health and addiction records, before dumping the entire cache. “However, it stayed on obscure corners of the dark web. Nobody reported it.”

Australia did the world a favour, Martin believes, showing how societies can come together and limit the damage caused by malevolent attacks.

As these events prove, “the criminal threat comes mostly from Russia”, Martin says. Occasionally, Western hackers are caught but their criminal careers don’t last long. “Russia is a safe haven.” The Kremlin tolerates cyber gangs targeting Western victims as long as they don’t bother Russians.

Although these gangs aren’t state-controlled, the Kremlin does hold power over them. The Irish health service attack was seen “as an embarrassment to the Kremlin”. It’s not a good look knocking out hospitals. So the Kremlin “leant on [the criminal gang] and they gave the decryption key away free”.

When it comes to cyberwarfare by enemy states like Russia, we need perspective too, says Martin. “You can’t cyber your way up rivers, you can’t hold ground with cyber.” That needs troops.

But cyberattacks are now central to military doctrine. At the start of the Ukraine war, Russia took out Kyiv’s Viasat satellite system “in a very well-executed operation which meant that in the first weekend of the invasion, Ukrainian high command found it very difficult to do secure communications at the time it mattered most”.

Ahead of the invasion, Russia “intimidated” Ukrainian civilians with actions like taking out digital payment systems. Thousands suddenly found themselves unable to pay for a coffee. “That’s menacing,” Martin says. It also “jolts the central economy”. Mobile provider Kyivstar was also taken out for a while. Russia has used cyberattacks to spy on critical Ukrainian infrastructure like “energy plants before they bomb them”.

Espionage

CYBERWARFARE revolutionises the world of espionage. “Say you had a spy in the International Atomic Energy Agency in Vienna. How many documents could they exfiltrate per day? Now, let’s say you’ve hacked the IAEA’s core system. How many docs can you get now?”

If an intelligence agency is “confined to human assets to gather information, that’s expensive and risky. Do you deploy someone to have a go at spying on Holyrood, a minor British political party or a major council in Wales? Probably not. But if you can send a few phishing emails to see what you can get, do you have a go? Probably”.

One Kremlin speciality is using cyberattacks to destabilise Western enemies politically. Think of the Hillary Clinton hack-and-leak operation before the 2016 presidential election, or targeting the World Anti-Doping Agency “after the expulsion of Russian athletes”.

The Chinese state tends to focus on “commercial espionage, stealing patented information”. Iran – like Saudi and Israel – is a “fairly serious cyber power”. One “devastating operation” saw Iran target Saudi’s oil company Aramco. “They got battered with something like 32,000 hard drives deleted. No rigs were blown up, but it was hard for Aramco to run its business.”

When it comes to state actors, North Korea is “probably the most dangerous of all”. Pyongyang is “desperate for hard currency”. The regime has been described as “the world’s first state-sponsored cybercriminal”.

Currently, “we suffer a lot of harm in cyberspace, but it’s more pernicious than catastrophic”. Damage is done to key services, there’s “massive economic losses”, but not loss of life or “complete systems meltdown”. That’s due to the fact that we still “don’t allow areas where human safety is at risk to be completely dependent on computers”.

 


According to Ciaran Martin, the Kremlin tolerates cyber gangs targeting Western victims as long as they don’t bother Russians

Terror

ADDITIONALLY, cyberwarfare capabilities are mostly in government hands, and even though some of these governments are enemies they “aren’t completely irrational and reckless”. North Korea is the exception. “If you look at some states we regard as adversarial, you can at least impute some rationality to their actions. You’re not always there with North Korea. To put it crudely, they might just be mad enough to do anything.”

However, if powerful cyberwar technology fell into the hands of terror groups, all bets are off. The Pegasus scandal was a warning shot. This saw sophisticated digital spyware developed in Israel go on sale. It was used by some governments to spy on citizens and linked to the murder by Saudi agents of the journalist Jamal Khashoggi.

It also fell into the hands of organised crime. “Journalists covering Mexican criminal gangs were suddenly at risk,” says Martin.

“The one thing that keeps the equilibrium in cyberspace, just about, is the fact that the barriers to entry – to becoming really destructive cyber actors – are high, state-level high mostly. But if that ever cracks – and Pegasus is an example that it could – that’s my worry.”

Martin is also concerned that artificial intelligence could “make it easier to become a powerful cyber actor”.

If Islamic State had got hold of “globally devastating computer viruses, I imagine using them wouldn’t have troubled their morals”. Currently, terror groups – even wealthy ones like IS at its height – need to keep a low digital footprint for fear of air strikes.

“Cyberspace has been full of ‘sickliness’, not disaster. Ideally, we’ll continue to treat the sickliness and avoid disaster. We’ve more or less managed to maintain peace in cyberspace and kept the most devastating capabilities away from the most reckless actors. The most reckless actors have caused quite a lot of grief, but they haven’t brought the world to a halt.

“It’s still quite hard to kill large numbers of people directly as long as we’re sensible enough not to put our public safety entirely in the hands of computers.”

Martin compared state cyber capabilities to the biological and chemical weapons researched at Britain’s military laboratory at Porton Down. “If those capabilities were released, they’d poison lots of people. The issue is making sure that complete reckless nutters don’t get their hands on it.”

Politics

WHEN it comes to politics, enemies like Russia use cyberwarfare for one key objective: “To destabilise the political systems of country X. You can do that through hack-and-leak, disinformation and deepfakes.”

The Hillary Clinton operation is the best example of hack and leak. “It’s unknowable to what extent voters were influenced by her leaked emails, but from Russia’s point of view, the fact that it’s still a deep wound in American society shows that the operation was successful.”

Major British figures have been targeted, including Sir Richard Dearlove, former MI6 chief and hardline Brexiter, and MP Stewart McDonald, former SNP defence spokesman. Given they straddle different sides of the political spectrum, Martin says the motive for the Russian state-hacking operation was “to mess with our heads, to mess with the system, to destabilise, to fragment national cohesion and scare people”.

With political cyber defences now fairly robust, disinformation and deepfakes are more easily deployed for political interference.

Disinformation – deliberately spreading lies online to damage target countries – is hard to defend against. Cybersecurity experts “can do nothing to stop it”. The best defence is for politicians to agree to not “exploit” disinformation or hack-and-leak operations against their opponents for “political advantage”.

That’s the case in Britain, Martin explains. “Whereas obviously in America that completely wasn’t the case.”

With deepfakes, “making a video [of politicians], putting it online and convincing people it’s real is easy”. Both London mayor Sadiq Khan and Labour leader Sir Keir Starmer have been targeted by deepfakes.

One successful deepfake operation took place in Slovakia ahead of recent elections. The target was the leader of Slovakia’s liberal pro-Nato Progressive Party. The fake showed him discussing rigging the election. The Progressive Party lost and the pro-Russian party won.

The operation was perfectly timed. It took place during a 48-hour moratorium on election reporting ahead of polls opening, meaning the media couldn’t rebut the fake, despite it circulating widely on social media.

Martin quotes former MI6 chief Sir Alex Younger who said “you can’t divide countries with cyber. What you can do is massively exploit existing divisions. This deepfake in Slovakia wouldn’t have worked in a country not as divided as Slovakia. In America, people have made hay with what were essentially crimes perpetrated against their opponents. In Britain, we’ve decided not to do that. This is as much a test of our social cohesion as our tech security”.

When the media and politicians refuse to publish or exploit these operations, the target country gains “agency”, Martin adds.

Scotland

WITH 2024 a likely UK election year, the current big concern is deepfakes, says Martin. In previous elections, it was hack and leak. There was “some cyber activity around the Scottish independence referendum”, he adds. “But as far as I know – and I would know – it was very peripheral. I don’t think it could have impacted anyone’s vote.”

The Kremlin would certainly look at Scotland in terms of cyber operations destabilising Britain. “The Russians are no more and no less interested in Scotland and questions of separation and union than they are in other fissures in British politics,” Martin says.

He adds: “They’re interested in division. Are they interested in fissures in British politics? Yes. Is the union versus separation one of those fissures? Yes. So are they interested in it? Yes.

“I couldn’t stand behind an assertion that there’s a systematic campaign fixed on that issue from any foreign actor. There may be, and there may be one in the future.

“This isn’t a warning. It’s just a statement of the obvious as they’re interested in exploiting divisions. There’s no evidence that they’re acutely or more particularly interested in exploiting this one than they are a bunch of other ones.”

In terms of the Kremlin spying on Scotland, he adds: “Would a hostile foreign actor be interested in the machinations of various politicians in Holyrood or Stormont [the Belfast parliament] as well as Westminster? The answer to that is ‘yes, they would actually’. At least, they’d be interested enough to go and acquire some data and see if there was anything interesting there. So the espionage risk is big.”

Myths

MARTIN wants to dispel myths about GCHQ. Spy chiefs – as he once was – “don’t hang around police stations” waiting to recruit teenage wannabe hackers. “You don’t pick up people who have wilfully flouted the law and say ‘would you like a go on the most intrusive, sensitive train set in Britain?’.

“If you’ve a criminal conviction does that mean you can never work [for GCHQ]? No, not necessarily, but at the same time we don’t go raiding police stations for hackers who have shown wilful disregard for the law.”

The reverse can be true in Russia, where cybercriminals are sometimes ordered to work for one of the intelligence services – like the FSB, SVR or GRU – and “aren’t in the position to resist”.

In China and Iran, there are “semi-state actors” who “don’t technically work for the state, but put it this way, if they didn’t have some relationship with the state they’d be arrested and in some very unpleasant place”.

These hackers might come across valuable material – patents or secrets – during criminal endeavours and share it with the state. But as long as they cause the state “no trouble, they can do what they like”.

Official Chinese cyberoperations come from the 3rd People’s Liberation Army, however. They are hackers in uniform who work from military offices.

While he won’t go into details due to the classified nature of the information, Martin says what worries him about Britain’s cyber defences is our “soft underbelly” – not nuclear submarines, but trains and hospitals, which if knocked out would cause havoc.

“Think about the British Library case transposed onto healthcare,” he says. Or the mass deletion of every train timetable. “It’s that stuff we need to pay attention to.”

The cost of “messing up an advanced digital economy” is what also troubles Martin. However, he adds: “Does the UK have good defensive [cyber] capabilities? Of course.”

 


Power

MARTIN also warns about “conferring magical powers” on cyberwarfare. With a shrinking British military, cyber won’t stop enemy armies or navies, though it could “cripple air defence systems”.

And what about our offensive capabilities? Offensively, we’re “very sophisticated”. Britain could run “our own information campaigns, sow seeds of doubt and all that”, but Martin says: “In what circumstances would they be used?

“Are we going to mess up the healthcare administration of Russia? There are not many conceivable circumstances where we’d do that. Is it possible? Absolutely. Would Britain do it, would you want people in power doing that? Probably not.

“There might be some extreme situation where we might reluctantly concede it would be necessary, but they’re not there now.”

The “potential use” of these capabilities is “limited by the desire to be ethical and not cause the sort of mayhem in other countries that other countries seem to want to cause in our country”.

And what about cyberwarfare being turned on British citizens? Even political parties like the SNP? Firstly, Martin says, legislation means Cabinet ministers must sign off all “foreign and domestic security operations”. Judges also have oversight. Operations must be “necessary and proportionate”.

UK cyber operations have targeted British citizens like paedophiles and terrorists, but in terms of “the way the law is framed I can’t see how a warrant could get past a judge for anybody seeking peaceful, political change through lawful means, and I doubt it would get past a Cabinet minister”.

Citizens pursuing “peaceful constitutional change aren’t legitimate subjects of interest”. Martin adds: “Hand on heart, the intelligence services are not a means of suppressing legitimate domestic political activity.”