The Washington PostDemocracy Dies in Darkness

Hyping the cyberthreat sabotages policymaking, ex-British intelligence official says

Security specialist Erik Dickmeyer works in the Cyber Security Operations Center at AEP headquarters in Columbus in 2015.
Security specialist Erik Dickmeyer works in the Cyber Security Operations Center at AEP headquarters in Columbus in 2015. (John Minchillo/AP)

Hyping the cyberthreat undermines sound policymaking, according to a former senior British official, noting that after nearly three decades of warnings, a catastrophic cybersecurity event has yet to occur.

In prepared remarks to be delivered Friday, his first speech since leaving office last month as the head of Britain’s National Cyber Security Center (NCSC), Ciaran Martin said no one has been killed by a state-sponsored or terrorist cyberattack.

So “understanding the nuance, complexity and detail of the sorts of attacks we have lived through is crucial to making our digital homeland safe,” according to a copy of the remarks he will deliver to the Royal United Services Institute, a British think tank.

Martin argued against the perception that Russian interference is ubiquitous. For instance, he said, the Russians fomented dissension in the U.S. election in 2016, but there was no evidence of interference in the Brexit referendum the same year.

British Parliament says government failed to investigate possible Russian election interference

Similarly, he said, there was no evidence of any serious campaign to influence the vote in the Scottish referendum in 2014, in the first such disclosure by any individual who served in the British government at the time.

“It does us no good to overhype the adversary, or to imply damage where none has been caused,” he said. “Our democratic processes are at risk of strategic harm from outside interference, but they’re also much more robust than they’re often given credit for, and it’s in our interests to say that and retain public confidence in them.”

His remarks come two months after a parliamentary report accused the British government of having “actively avoided looking for evidence that Russia interfered” in the Scottish referendum, the Brexit vote and the 2017 general election in Britain.

Martin, who now teaches at Oxford University and advises the Paladin investment firm, is among a number of cybersecurity experts urging avoidance of doomsday metaphors in discussing the array of digital threats that confront governments and the private sector.

American analysts have been making a similar argument. “It’s easier to imagine a catastrophe than to produce it,” James A. Lewis, a cybersecurity policy expert at the Center for Strategic and International Studies, wrote last month.

The California wildfires are a catastrophe and so is covid 19, especially in countries with inadequate responses, Lewis wrote. To achieve mass effect, he argued, either a few central targets — such as an electric grid — need to be hit, or multiple targets would have to be hit simultaneously, which is an operational challenge.

Martin noted that on Thursday there were media reports in Germany of a woman with underlying health conditions dying in an ambulance because a ransomware attack on a hospital resulted in her being sent to a more distant hospital. If confirmed, the tragedy would be the first death resulting from cyberattack, he said. He noted, however, “it would have been caused inadvertently by criminals seeking money, not an act of state aggression.”

Martin said after 6½ years running the NCSC, he observed that the harms caused by cyberattacks fall into three categories: getting robbed, getting weakened and getting hurt. Understanding the differences should help policymakers fashion the most effective deterrents, he said.

North Korea robs banks, Russian criminals steal money, and China filches intellectual property and databases full of personal information — all using cyber-means, he noted.

Adversaries seek to weaken opponents through political interference, he said. Hacktivists weaken firms by doing things such as defacing websites to embarrass a company.

Destructive attacks cause serious harm on targets of critical importance, he said. In 2015, a Russian cyberattack left a quarter-million Ukrainians without power for several hours in late December. And though ransomware attacks are a form of theft, the extortion works only because the attacker has crippled the system. So, Martin said, it is the likeliest way someone is going to suffer serious disadvantage or get hurt.

Along those lines, top U.S. homeland security cyber official Christopher Krebs said his big fear for November is ransomware attacks that could disrupt state and local election systems.

“Right now, cyberattacks are more a threat to wealth than our safety, to our sense of liberty, happiness and well-being rather than life and limb,” Martin said. “They add up to a significant national security and prosperity problem.”