CIARAN Martin is mulling over the risk of a “hack-and-leak” operation by a hostile foreign state like Russia against Scottish political parties and politicians – similar to the one used to destabilise America in 2016 when Russia hacked the Democratic Party, released information that damaged Hilary Clinton, and tipped the scales for Donald Trump.
His view? It could happen here. He’s a man who should be listened to – until just last year Martin was one of Britain’s leading intelligence officers. He was at the top of GCHQ – one of the three arms of British intelligence along with MI5 and MI6 – and set up and led its National Cyber Security Centre (NCSC).
“Russia, in particular, is interested in the destablisation of Western societies in any political debate – whether it’s about Scotland’s constitutional question, future British general elections, or future relations with Europe,” he says. “It shows that routinely. The risk to any possible second independence referendum has to be taken into account. Grown-up cyber security and political maturity is needed to price it in and deal with it. There’s a clear risk but it’s not inevitable it will happen.”
Martin, now a professor at Oxford University’s Blavatnick School of Government, took part in multiple operations countering cyber attacks on Britain. He believes any overseas cyber threat to Scotland is a “cross-party concern”. So, at a future referendum, a hostile state might target the emails of someone like Nicola Sturgeon or whoever leads a reincarnated Better Together campaign.
Martin pointed to the cyber attack on the Scottish Environmental Protection Agency last Christmas as “a barometer of vulnerability”.
“In terms of the resilience of key services and companies, there’s verifiable evidence that Scotland is at risk. Hacking is a strategic threat and political interference is on the list,” he says.
A cyber attack might be similar, Martin says, to “what the Russians did to the Americans in 2016 – that’s a cyber operation called ‘hack and leak’. Hillary Clinton was frontrunner for the presidency. The Russians hacked into the Democratic National Committee database and John Podesta’s emails [Clinton’s campaign chief] then leaked the information to maximise political disquiet and rancour in America.
“Organisations connected with politics in the UK, including Scotland, have to think about the protection of politically sensitive information from that sort of operation.” Martin’s NCSC unit “did some work” evaluating these risks in 2017 “in the aftermath of what happened in America”.
Political outfits like the DNC are “classic vulnerable targets”, he says and similar organisations in Britain and Scotland “need to think about cyber hygiene”. A nation’s “critical infrastructure”, Martin adds, “includes political infrastructure”. He says: “A healthy society depends on healthy institutions – so there’s a risk there.”
However, Martin cautions: “Yes, there’s a risk, but let’s not overstate it.” There is a difference between “intent and impact”, he points out. Many operations are unsuccessful. Russia tried to destabilise France with another hack-and-leak operation during the 2017 election when Emmanuel Macron’s campaign was attacked. This operation was clumsy though. “Hackers released data on the Saturday before voting on Sunday – seemingly oblivious to the fact that French electoral law precludes media reporting of electoral campaigns the day before voting,” says Martin.
“So let’s no glamourise these people – let’s have a realistic assessment of the threat.
“Most of what I saw in my time, in terms of attempted interference in British politics, made no strategic impact at all and quite a lot was rather poor quality.
“So the risk is there but I’m not going to sensationalise it.”
Martin referenced the view of Sir Alex Younger, former head of MI6, saying: “People can only seek to exploit serious divisions if people are ready to have serious divisions exploited. Insofar as [Russia] is exploiting serious divisions and polarisation, we’re doing this to ourselves – so let’s not give ourselves a free pass out of this, let’s not take the easy way out and say our democratic process will be ruined by some foreign interference.
“A huge amount of the responsibility for clean, moral, efficacious politics is on us. Don’t do it to ourselves. Let’s not absolve ourselves from responsibility through threats of the Russian Bear.”
Russia’s cyber spies
“FOR the first time in human history,” says Martin, “it’s possible to inflict sustained damage on another society without ever setting foot in it.” Russia and China are “the top two” threats to the “West when it comes to cyber attack, but they’ve very different motivations and methods”.
“Russia is less prolific than China, but has the most elite capabilities,” he says. “Russia is acting from the position of declining power but it’s a very sophisticated digital spy.”
Martin cites the SolarWinds hack in 2020. SolarWinds is a digital company which provides services to the US government. Russia carried out “a very sophisticated reconnaissance hack by poisoning a software update” from SolarWinds to its customers. Hackers got access to around 18,000 systems but “only exploited a handful so they wouldn’t be found out. They honed in on the federal government, big tech and cyber security companies”. The hack was by Russia’s SVR – equivalent to Britain’s MI6.
Martin points out that although it was a “classic, skilful spying operation” nobody was harmed and “if there ever was … a Digital Geneva Convention this wouldn’t have fallen foul”.
Russia tends not to act dangerously or “recklessly” in the West although elsewhere it’s different and the Kremlin can be “pretty nasty”. In 2015, Russia shut down power in Kiev for six hours in midwinter, putting lives at risk. “It was destructive,” Martin says, “it gives you a sense of what they can do.”
That same year, Russia is suspected of hacking France’s TV5Monde (similar to BBC World). “The screens went blank, then the black flag of the Caliphate went up with the words ‘Je Suis Isis’. For a while, we thought ‘is this Isis under our noses acquiring unbelievably sophisticated cyber capabilities that can take out broadcasting systems – because that’s really hard. Nobody knows why Russia did it – maybe they were just practising?”
Russia was also behind “one of the scariest incidents” Martin dealt with – the 2016 NotPetya attack. Initially, it looked like a ransomeware operation by cyber criminals extorting money. However, it was actually an attack by Russia on the Ukrainian subsidiary of a global company that went on to infect other firms around the world using the same software. “Maersk, the shipping giant, was reduced to controlling the movement of ships by WhatsApp. Companies around the world suffered billions in commercial damage.”
Such Kremlin operations, says Martin, “are a way of reminding the world of Russia’s destructive capabilities”.
“CHINESE hacking, by contrast, is fundamentally economic in motivation. It’s basically part of their rapid economic expansion at the start of this century,” says Martin. “Often the intention behind China’s “industrial-scale hacking” is to steal intellectual property like “elite defence technology and drug patents”.
China, Martin adds, believes it is hypocritical of countries like Britain to condemn such operations as Beijing feels “the West cheated and pillaged its way to dominance in the 19th century”. The UK, he says, no longer carries out industrial espionage – although he notes, with irony, “this stopped all the way back in the mid-1990s and only became unlawful all the way back in 2016”.
Some Chinese operations – like the Hafnium attack on Microsoft – saw hackers “boobytrap infrastructure on the way out. The Americans were outraged. It took a very sophisticated FBI operation to covertly uninstall Chinese boobytraps”.
Combating China may well become much harder with the rise of the “splinternet” – where China’s own tech ecosystem separates from the West. China has a strategy for “digital supremacy” by 2025. “That’s a pretty scary model,” Martin says.
Iran and N Korea
PYONGYANG was behind the infamous WannaCry ransomeware attack that infected some 200,000 computers in 150 countries causing billions in damage. WannaCry hit the NHS and Germany’s railway system. “They were trying to extort money from Asian financial institutions and it went wrong. It was a horribly misconfigured attack. It spread virally – malicious computer capabilities are called viruses for a reason,” says Martin.
Enraged by the satirical movie The Interview, which mocked Kim Jong-un, North Korean hackers hit the entertainment company Sony. North Korea also attacked Saudi oil firms over tensions with Riyadh. These revenge operations aside, North Korea has “turned into the world’s first state-sponsored cyber criminal – they’re desperate for hard currency because of sanctions”, says Martin.
Pyongyang successfully “had a go at the Bank of Bangladesh making off with $81 million”. Martin says: “They were even cashing it in at casinos in Manila. An eagle-eyed regulator at the Federal Reserve in New York spotted what was happening. Had they not, the estimated cost would have been $850m.”
Iran, Martin adds, is an “asymmetric retaliator. If you’re in tension with them, they do something to let you know they’re there”. Tehran has a history of DDoSing – overwhelming a target’s computer systems. The country is “now a large-scale data acquirer”, stealing information from targeted organisations “to find nuggets”. Martin says: “For Western corporations, that might mean your entire customer database is gone because [Iranian intelligence] thinks you’ve dissidents in there who they’re interested in.”
Terror and proliferation
“TERRORISM is the major theoretical cyber threat that hasn’t really happened,” says Martin. “To do large-scale sustained cyber attacks – offensive operations – you need stability, digital infrastructure, people with skills, a headquarters to hang out. You also emit lots of data to the internet unless you’ve got very covert capabilities you draw a lot of attention to yourself.” For now, that puts cyber attacks out of reach for most terror groups.
Terrorists like Isis are currently constrained to using the cyber world for propaganda and recruitment. “People prepared to kill themselves in the course of killing civilians wouldn’t have any qualms about cutting power to hospitals but they don’t have the skills or infrastructure to do it,” Martin adds.
What scares Martin is proliferation “where an international terrorist group buys capabilities from a rogue nation”. Again, like possible hostile state attacks on British or Scottish politicians, Martin says he wants to be both “truthful and rational about risks. You can’t just scare people witless – that makes for bad security. Contrary to predictions the threat of terrorism in cyberspace hasn’t materialised yet. They may have the intent but they don’t have the capabilities for now”.
Nor does he think the return of the Taliban makes Afghanistan a possible cyber-terror base. The process of becoming a “highly-capable cyber actor is long and arduous”. The West would detect any such moves and there would be a “response” before strikes happened. “It’s not beyond the realms of possibility but I’m not sounding alarm bells,”
MAJOR organised cyber crime gangs – motivated by money, not ideology – are mostly based in nations like Russia, and parts of Africa and south Asia. “People tend not to get hurt, though sometimes they overreach,” Martin explains. A ransomware attack on the Irish health service, for example, saw cancer operations and maternity services affected. The chance of “zero day attacks” – where “ordinary criminal hackers” use system flaws known only to them and are therefore hard to counter – are “vanishingly small. They pick off low-hanging fruit”. Nevertheless, these gangs are “highly sophisticated”. They research targets, working out how much victims can pay and whether they’re insured.
Russia doesn’t extradite citizens, rendering it “a state that tolerates and indeed derives some economic benefit from large-scale criminality”. US President Joe Biden remonstrated with Vladimir Putin in Geneva this year over “harbouring organised cyber criminals” following the Colonial Pipeline hack by the Russian gang Darkside which left Americans queuing for petrol after ransom demands of 75 Bitcoin ($4.5 million).
Many cyber criminals became rattled by the Colonial Pipeline and Irish healthcare hacks as they brought too much attention. “Most were quietly extorting rich companies without anyone really noticing,” Martin adds. Now, Western governments are focused on ransomware gangs.
“An environment of proliferation” is a looming problem. Legitimate companies and criminals sell each other capabilities. One group, Shadow Brokers, stole highly sophisticated hacking tools from America’s National Security Agency (NSA) causing fears of further proliferation. Edward Snowden’s NSA leaks also ramped up proliferation fears, Martin points out.
What’s the UK up to?
Clearly, there are limits to what Martin can discuss, but he says he wants “a healthy, open debate” about how Britain uses cyber weapons. Firstly, he dismisses any notion that Britain is “just as bad as Russia”.
“The government doctrine, with which I concur, is that given the nature of modern threats an offensive cyber capability is something well-defended democratic states should have,” he says.
Britain, Martin insists, would never behave with the same “recklessness” as Russia. In terms of intercepts – which could include surveillance against British citizens – “subterfuge is licensed”. Both a secretary of state and judge must sign warrants. “Necessity and proportionality is adhered to,” he adds.
Martin regrets that at the time of the Snowden leak – seen by vast swathes of Western public opinion as mass surveillance on citizens by their own governments – “the state should have said more about the nature of these sorts of things”.
Instead, the government “basically said nothing – that set the narrative as the most dangerous possible interpretation. He adds: “If we’d said more about it, said ‘look, this is the way traffic flows around the internet, this is how you look for one piece of communication in a gigantic data set, this is what you do with all the other stuff you might have incidentally intercepted’ – we would have been in a better place. We’d command more confidence from an informed, engaged public. We can’t publish specific capabilities, but it’s fair to talk about our approach. Silence doesn’t help. We need more transparency. The more free and open a society is, the safer it is.”
Martin says citizens would support hacks targeting Isis propaganda, but would also understand why it would be “against our values” to “take out power to Russian hospitals” if Moscow acted “nefariously against the UK”.
How safe are we?
“THE last thing people should do is think we’re facing some existential threat from omniscient, all-powerful hackers. The picture I’ve tried to paint may seem scary but there’s no cause for general panic – I know because I was part of setting up our top-end capabilities for detection and prevention,” says Martin.
In a relatively simple operation, GCHQ was able to stop 500 million attempts to use HMRC branding for cyber crimes. However, basic hacking skills aren’t hard to learn.
What really worries Martin is “the aggregation of small harms” – mounting economic damage caused by cyber crime and a growing lack of public confidence in the digital world. One big fix would be addressing the legacy of old computer systems. Many more modern systems are pretty safe so British smartmetres, which would plunge the country into chaos if successfully attacked, are really robust. However, older systems like some Government databases, are nowhere near as secure. Martin says we should think of cyberspace like the environment. “It’s full of pollutants. That leaves us vulnerable. We should all become digital environmentalists.
Simple personal security goes a long way. One Chinese attack on Japanese firms used the Melissa virus, dating back to 2000. “Windows 10 would have stopped it,” says Martin. “It’s basic cyber hygiene.”
Internet of Things devices – hardware like cameras or home gadgets connected online – are also vulnerable. Hackers hijacked CCTV cameras in America, used them to target the internet firm Dyn, and from there took down Twitter and Amazon. “It was the biggest DDoS [Distributed Denial of Service] attack in history,” says Martin.
Most systems have safeguards that stop disaster. A hack attempt to poison the water supply in Florida this year –purportedly by a disgruntled employee – failed when computers noted strange chemical readings. Meanwhile, hacking railway signals would lead to trains stopping, not crashing while hacking air traffic control wouldn’t cause planes to fall from the sky – they’d have to land through radio contact instead.
The bottom line is stark but not terrifying. “I don’t want to say don’t panic, but – don’t panic,” Martin says. “We’re going to have to get used to medium to high levels of cyber harassment.
“This is a chronic not catastrophic problem. It’s much more like a disease you have to manage and mitigate, like the pandemic.”