Hostile states targeting essential infrastructure and services in Britain, by way of international cyber activity, should be dealt with in the same way as any other attack against the nation, the UK Attorney General, Jeremy Wright said today at the Chatham House Royal Institute for International Affairs.
Amid growing tension with Russia, Wright, argued because international law was not developed with cyber space in mind it needed to change.
He said: “If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us.
>See also: Cyber attacks become number 1 business risk
If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber operation to disable air traffic control systems which results in the same, ultimately lethal, effects.
If we stay silent, if we accept that the challenges posed by cyber technology are too great for the existing framework of international law to bear, that cyberspace will always be a grey area, a place of blurred boundaries, then we should expect cyberspace to continue to become a more dangerous place.”
Wright added that the UK is prepared to name and shame states that recruit proxy actors or hackers , carry out cyber-attacks or interfere viv the internet in national elections.
Although this is the first time we have heard a government minister speak about the UK’s interpretation of international law as it relates to cyber attacks on record, arguably, it does not signal a new approach for the UK, in February, Britain blamed Russia for a cyberattack that hit businesses across Europe last year. North Korea was blamed for another attack that hit Britain’s National Health Service in 2017. Furthermore, it does not deviate from the standards set in the UN declaration in 2013.
Comment
Ross Rustici, senior director, intelligence services, Cybereason, comments: “Naming and shaming is a rhetorical flourish that makes litigators feel better about their overall impotence when it comes to cyber intrusions. The United States has been taking this approach for almost five years and it has had little to no effect on overall activity. The only tangible outcome of taking a name and shame approach is to put your own country’s intelligence officials at greater risk. There must be punitive measures associated with the public attribution, sanctions, retaliation or escalation.
>See also: How many UK business can defend a cyber attack?
“In the long run, the sentiment to apply laws and norms to the cyber and tangible worlds equally is a good one. If we continue to treat cyber as a cordoned off domain that is somehow less escalatory, then countries will continue to be emboldened to act in cyberspace in ways they would never act in the real world.
However, if the UK is serious about taking that approach, attribution should only be the first step towards real action. If a cyber attack takes down a civilian plane and the UK’s reaction is not at least on par with Lockerbie and Libya, then we will know that like the US this pronouncement is more a show of frustration at how the world has evolved beyond traditional means of power and control and not one that has any tangible or real-world implications.”