Many experts expected Russia’s war with Ukraine to be accompanied by a large-scale cyberattack, but that hasn’t yet materialized. Azeem Azhar speaks to Robert Hannigan, the former director of the Government Communications Headquarters (GCHQ), the UK’s equivalent to America’s NSA, to find out how the conflict is playing out in cyberspace and what might happen next.
AZEEM AZHAR: Hello, and welcome to Exponential View with me, Azeem Azhar. Now, the world is changing at an amazing pace. We are entering the exponential age propelled by radical, remarkable technologies. And on this podcast, I want to explore the themes, topics, and questions that will help you make sense of it. For many years, we’ve heard that the wars of the future will be fought using cyber capabilities, not tanks, planes, and missiles. But Russia’s invasion of Ukraine has so far used traditional arms. Contrary to the expectations of many analysts, Ukraine has yet to suffer severe cyber attacks in the course of this war. Why has activity been so limited in the cyber theater of war, and what will happen if it ramps up? My guest this week is particularly well placed to answer those questions. Robert Hannigan is a former director of GCHQ, the UK’s intelligence, cyber and security agency. He’s also served as a security advisor to the UK prime minister. He is currently chairman of BlueVoyant cybersecurity in EMIR. Robert, welcome to Exponential View.
ROBERT HANNIGAN: Thanks, Azeem. Great to be here.
AZEEM AZHAR: Now, our audience, which is spread across the world, will be familiar with the idea of a cybersecurity startup. They may know less about what GCHQ is.
ROBERT HANNIGAN: Yeah. So if you’re in the US, GCHQ is the NSA equivalent. So signals intelligence, and these days, cyber. And it’s been around for 100 years, involved in Bletchley Park during the Second World War, and works very closely with the NSA and other Five Eyes partners and, indeed, other agencies in lots of other countries. So, that’s what GCHQ does. And the NCSC, I guess – in US terms – is the CCR equivalent. So, the civilian cybersecurity wing, which comes under GCHQ.
AZEEM AZHAR: 100 years, actually, of course, is quite a long time. So, you’ve stepped across a number of different technology transitions. And when I left university, GCHQ was really all about hiring mathematicians.
ROBERT HANNIGAN: Now, it’s still, I think, the largest employer of mathematicians in the country, and cryptography and cryptanalysis is still the heart of what it does, as it was at Bletchley. But it isn’t just mathematicians. So, lots of physicists and engineers and others involved.
AZEEM AZHAR: When we think about the digital revolution, much has been made about the emergence of new strategic domains. Beyond the physical domain, we talk about the information domain and the cyber domain. And the thing that has struck me in the first eight or 10 days of the Russian invasion of Ukraine is that we haven’t really seen any enormous amounts of cyber activity coming out of Russia. Is that right? Or, it is happening, but we’re not seeing it?
ROBERT HANNIGAN: I think it is happening. But I agree with you that the cyber domain, though it is very important because it underpins everything else, and so much else is dependent now on the networked world, and increasingly will be in defense in the future, particularly with the move to AI and machine learning. But it’s easy to exaggerate it. Clearly, when bombs are falling and cruise missiles are arriving, cyber seems rather less important. But there has been a lot of cyber activity from Russia in particular in the run-up to the war, and, of course, going back to Estonia back in 2007-08 and Georgia. So, the Russians have been investing in offensive cyber for at least 15 years very heavily, and using it for political effect, and also using proxy criminal groups for political effect. So, I think they would see cyber as an important part of hybrid warfare short of armed conflict, but then as an accompaniment and an underpinning of that armed conflict when it starts, as it has in the last few weeks. And we have seen a lot of softening up, if you like, in the cyber debate. People keep asking, Why haven’t they taken the internet down? Which, of course, they could do kinetically. They could do it with weapons. But, of course, if you want to run a country, if you want to get propaganda through to the population, and then you want to install a puppet regime, you need some networks. So, there is a kind of dilemma, I think, for an invader like Russia, in this case, as to how much do they want to destroy and have a sort of cyber scorched earth.
AZEEM AZHAR: The point being that, even though the internet is more distributed and decentralized than traditional phone networks, there are data centers in Kyiv and Kharkiv and Odessa, where a dozen internet service providers locally will come in and peer their information. And those will be the landing points for the external fiber out to the tier two and tier one internet providers. So, if you hit those nodes with bombs, you could essentially bring the internet down in the Ukraine.
ROBERT HANNIGAN: Exactly. And some of that is already happening. So we’re seeing in some of the cities that are either under siege or, in one case, been taken, the electricity taken out. So I think as the ground war steps up, you will see less and less network availability.
AZEEM AZHAR: So, you keep the internet intact, but let’s come back to this idea that you can use cyber as a softening up. Now, using different tools for a softening up is a common military tactic. It was used in “shock and awe” in the Iraq invasion. Of course, in World War I, the artillery was meant to do that, and often didn’t do its job. You would only ever do that for 44 days or four hours before an attack. But the interesting observation is if this all starts with perhaps that cyber attack in Estonia back in 2007, that’s quite a long period of softening up. That’s 15 years of strategic posturing.
ROBERT HANNIGAN: Yeah, absolutely. And I think one of the problems for Ukraine is that they’ve been a live testing ground for Russian offensive cyber capabilities since at least that time. Because they’ve been so embedded in the infrastructure and in the networks of Ukraine, the Russian agencies have used this place, and we saw with the NotPetya attack here that was clearly a politically motivated attack. And, of course, the taking out of the power for a quarter of a billion people for about six hours, I think, in the winter back in 2015, if I remember rightly, was a very overtly political use of cyber to deliver a political pressure message. So, they’ve been doing it in Ukraine for a while.
AZEEM AZHAR: Yeah. NotPetya was fascinating. It was, what, 2017, and it starts with a small attack on Linkos, which was a software provider to the Ukrainian banking system. And it snuck in and started to hamper Ukrainian systems. But because the internet is quite leaky, before we knew it, it was in the Mondelez systems in the US, and Maersk, I think, most famously in Denmark. I wrote about NotPetya in my book, and I presented it as a state action that wasn’t really met by any other state response. Do you think that was the right kind of response to something like that?
ROBERT HANNIGAN: No, and I think it wasn’t, and I think right through the last 22 years of Putin’s rule, we’ve failed to put red lines down, and we’ve failed even where we have put some lines down to do anything about them. So he’s taken a message from that. And we, or particularly Ukraine, are paying a price for that. So I agree that not much was done after NotPetya, and not much has been done about the other incidents that they’ve been involved in. The really interesting thing about NotPetya, I think – apart from getting ransomware into the consciousness of the average boardroom in a whole new way – was the illustration of a brilliant supply chain attack, and the Russians have specialized in that. So, SolarWinds in the United States is another extension of that methodology, where you find a poorly protected company, get your way in, and then it gives you access to a huge range of customers through trusted links. That might be software, as it was in the case of NotPetya, or, for that matter, SolarWinds, but it might be all sorts of other supply chain companies. So it’s the obvious thing to do. If you’ve got a hardened attack surface, you find a soft way in, and the Russians have been very good at that.
AZEEM AZHAR: That’s a really fascinating way to look at it, because one of the key drivers of the success of the Washington consensus economic model has actually been the creation of enormous supply chains and the ability to spread corporate activity from within the walls of an owned and managed business into one that has a lot of outsourcing, a lot of third parties. The frame of a traditional Western company in 2022 is much more porous than it was in 1985. When you even owned your own computers in 1985, by 2022, you’re leasing them from somewhere. So that has been the driver of the economic and system success, but it’s also constructed this vulnerability, because you don’t have end-to-end visibility of every vulnerability amongst your suppliers.
ROBERT HANNIGAN: Absolutely. And I just read your piece on supply chain, Azeem, and it immediately made me think of the cyber supply chain problem and the ecosystem. Because it’s hard to get visibility, and we are only, in recent years, waking up to the problem that the ecosystem represents of the threat to you, and you may have spent a lot of money and done a very good job in protecting your own networks. You’ve suddenly realized that the thousand or more companies, and the average company – certainly in Europe – has at least a thousand vendors. For big banks, it’s going to be 10,000 plus. And each of those represents some risk to you. And it may not be a software or even a networked risk. Look at Toyota. If a company that supplies a critical to you is paralyzed by ransomware, unable to provide the goods to you, you can’t manufacture cars. So, there are different kinds of supply chain risk.
AZEEM AZHAR: There’s been this embedded risk in the rapid growth of these supply chains that’s a hidden negative externality that has not been considered by companies. They’ve effectively taken a free ride by saying, “We don’t need to worry about either the network security or the creation of single points of failure.” And that has almost been a business sine qua non over the last 25, 30 years. Is that something, in your commercial role in BlueVoyant, that you start to see as becoming important? And boardrooms are starting to say, “We can’t simply just assume that this supply network is going to be resilient and reliable and trustworthy. We’re going to have to take many, many more steps to go in and secure it.”
ROBERT HANNIGAN: Absolutely, Azeem, and that is one of the key drivers behind what we do. Because the option cannot be to just go back to the 1980s and not have a large supply chain. That is just not a possibility. Getting visibility of the supply chain is what matters, and then not just assessing the risk, but reducing it. That’s the key thing. And this is not an impossible task, because certainly coming from an agency like my previous agency, there is an inherent understanding of the attackers’ mindset, because you’re worrying about attackers. And attackers are constantly scanning companies from the outside to look for weaknesses. So they’re not going to go necessarily for the hardest and best defended company. They’re going to go for the one that has ports open that shouldn’t have, or that hasn’t patched, that hasn’t upgraded, that’s running old browsers, that clearly has poor authentication and poor practices. And it is amazing how many companies fall into that category. So you can see that from the outside. You can’t see everything, but you can see most of it. And one of the frustrating things, I think, from being in the business is that so many of the attacks, which are always described as sophisticated, and, of course, once they’re in, they are sophisticated. But so many of them are delivered through those old vectors that we’ve been talking about for years, including spear phishing, of course, and fake websites. So we have to raise the baseline of security, get the basics right. And to be fair, I think most companies are now getting this, especially at the larger companies.
AZEEM AZHAR: It’s funny, I’ve invested in a very early stage company which does that supply chain coherence checking. So, essentially, the model is give us your suppliers, and we will constantly run searches on them in the dark web in particular to look to see if there are credentials of the suppliers that have been sold or compromised. And they won’t do the network surface because other companies do the network surface, but they will do the sort of OPSEC and human dimensions to where those weaknesses align. And, actually, to be honest, I didn’t realize quite how important what they do is until you explained it to me three minutes ago. So thank you. I feel good about that investment now.
ROBERT HANNIGAN: Well, that’s good to hear. I think there are lots of ways of looking at the supply chain. So another one, which particularly is the case with China, people are worrying about a lot now is, can we understand the ownership models and the actual staffing model of a company, and who is really subcontracting to whom? And those are things that I know our governments are really worrying about now. So there are lots of ways to provide assurance on the supply chain, and most of them need doing, especially if you are facing a sophisticated nation state.
AZEEM AZHAR: One question to explore though is you said it’s unlikely that we would move back to a 1980s model because these supply chains are here. But is it possible that there might be some form of rethinking about exactly where suppliers are, and understand that, perhaps for certain domains, we want to make sure that they’re all within the Western sphere of influence for sake of argument, and also then look at those vulnerabilities and say we do need this minor component, but we’re going to make sure we have four resilient suppliers for each of it. And that looks different to, I suppose, where we were going a few years ago pre-COVID, which was as long as they can meet the kind of contractual specification at the right price and the right time, we’ll do the deal and wash our hands of it.
ROBERT HANNIGAN: I think this is a great challenge because the business drivers to do what you last mentioned are huge, obviously. But I think the pandemic maybe as much as cyber has reminded people that supply chains can be fragile, and a crisis can cause a huge business disruption. So there may be areas where you can bring the supply chain closer to home. And I think particularly in critical industries, in government-related industries, in critical national infrastructure, there’s going to be a push, there already is, from governments in the West to get their arms around those suppliers, and know exactly where they are, and who’s running them, and how the software development security looks. But I still think so much of this is about software development, and increasingly open source software development. You don’t quite know what you are taking on board if you are building software from open source code. So certainly in the UK and I know in the US, governments are worrying a lot about how do we improve security for software development? How do we test it better? How do we set better standards? How do we ensure that the people doing it know what they’re doing? Because I think there’s an assumption that all technology companies must be good at security because they’re good at technology, and that’s clearly not the case. And you’ve seen many, many examples over the last few years where sophisticated technology companies just don’t have a security mindset and are not really worrying about it. You look at the telco sector, which is rushing now to catch up, but really wasn’t very good at cybersecurity. Look at their managed service providers, MSPs, hacked by nation states for supply chain attacks, and huge worry about these companies that are underpinning lots of other companies but haven’t really got the security they need. And I think that’s a joint effort between governments and industry.
AZEEM AZHAR: When we think about the attackers, it’s also never clear whether the attacker is an independent criminal, whether they are a part of a group contracted to a government, whether they’re part of a group set up by a government and spun out, or whether they are literally wearing the military uniform of the armed forces. So, how does that ecosystem of malign actors actually look?
ROBERT HANNIGAN: Well, I think it is a great question, and if you take Russia, for example, there is a spectrum here. So, as you say, there is everything from ordinary criminal groups who are just making money, as criminals do, and probably paying off law enforcement through to groups that are essentially being used as proxies, and some evidence of moonlighting between agencies and those groups, and then state agencies doing stuff to false flag as criminals. NotPetya, I think, is quite a good example because you couldn’t pay the ransom. And I think it’s really significant that if you look at some of the ransomware in recent years, most of it actually coming out of that part of the world, you can’t install it. It is coded so you can’t install it on a machine that is running Cyrillic language or 15 other languages around the region. So, that’s a pretty clear indication that that is off limits, and there is some kind of tacit agreement between the state law enforcement and those groups. I think that’s very technical evidence of that relationship. You wouldn’t get the parallel in the United States or Europe.
AZEEM AZHAR: In the attackers’ mindset, which you know better than most, why would you choose to have third parties and criminal gangs and affiliated units doing this for you rather than just build the capabilities yourself?
ROBERT HANNIGAN: I think it’s partly about deniability. So the advantage of cyber offensive weapons is that you can just about deny that you were involved, and you can blur the edges. And it’s also about scale. So it gives you options that you don’t have as an agency, in the case of Russia. So I think outsourcing it to criminals is quite a good option for them.
AZEEM AZHAR: How far can these attacks really go? I think the most kinetic perhaps that we’ve seen has been what happened in Natanz with the Iranian centrifuges, when the real-time operating system of some Siemens industrial controllers managed to get hacked by something produced by someone. And it got these centrifuges to malfunction, and reduce Iran’s ability to separate out uranium. But I can’t think of many cases where these doomsday scenarios of simply getting a power station to overheat, or shutting down an electrical grid, or getting a plane to fall out of the sky has taken place. Is that because it’s much harder to do that than we think, or is it because people have shown some restraint?
ROBERT HANNIGAN: Well, I think it is harder to do and harder to make stick, because one of the problems with destructive cyber is it’s very short lived, and people get back up and running quickly. But a more recent example would be, in the pandemic, the attacks on Israeli water treatment plants. Now, that’s potentially very, very dangerous. If you change the components of the water treatment, you could do a lot of damage, or you could shut off water treatment. So it’s quite a contained tactical example of what two nation states could do to each other in cyberspace. Everybody talks about what will the cyber 9/11 be. My own feeling is that it’s probably not going to be the meltdown of a plant. Although, there have been attacks on, as you know, a German steel plant that did a huge amount of damage. I think it’s more likely to be miscalculation. So, that I’m aware of, the first cyber homicide was a year ago when a woman was being transferred to a hospital in Dusseldorf, had to be diverted because of a ransomware attack on the hospital, and died on the way. And German police classed that as a homicide. But you could see that on a much larger scale if ransomware gets out of control, and systems are just brought down – and it’s as likely to be an accident or a miscalculation than something deliberate.
AZEEM AZHAR: It’s interesting because it’s so messy. It’s a little bit like a dirty bomb compared to a precision-guided munition. You don’t know when the effect will happen. You don’t know how long it’ll last. You don’t know who else will get impacted by it.
ROBERT HANNIGAN: Yeah, absolutely. And I think one of the worrying things about the Russian history is that they don’t really care too much about collateral damage, and they’re not ruled by international law. So a Western agency looking at any of this and a Western government would be concerned about impact on civilians, for example. Clearly, Russian agencies weren’t when they switched off domestic electric supplies or did the many other things they did inside Ukraine even before the war. So there is a threshold of risk which goes with international law, and that doesn’t really apply in some state actors.
AZEEM AZHAR: And, in fact, that’s a modus operandi that allows us to imply who might be behind certain types of attacks. So, for example, Stuxnet in Natanz was extremely precise, and so that makes you think those capabilities are quite tough, difficult to achieve. There was no spillover. So, it feels like it might have been state driven from a nation that’s governed by international law. Whereas NotPetya was messy, and dirty, and went all over the place, and the candidates for who’s behind that point again in a particular direction. It’s quite fascinating.
ROBERT HANNIGAN: It is, and if you look at the criminal groups, well, they occasionally put out apologies for attacking a hospital, but actually they’re still doing it. So, they don’t really care about the damage. It’s all about money. So, I think in both those nation states and criminal groups, ethics and law don’t really come into it.
AZEEM AZHAR: When we talk about these things being sophisticated, one of the things that strikes me is that there is just such a wide variety of cyber attacks that are available. At the bottom end, there’s a rent-a-botnet for a few dollars, and thousands of compromised computers sort of hammer away. And then at the higher end, there are these really complex interactions finding very, very deep vulnerabilities right next to the silicon. And I think about the stuff that NSO Group, the Israeli group, did around spyware on the iPhone. When we think about the cyber capabilities of, say, Russia – because that’s relevant with respect to Ukraine – do they have that depth of very, very sophisticated attack?
ROBERT HANNIGAN: It’s commonly agreed that they have a very sophisticated capability as well as access to all that criminal world. And one of the biggest problems outside nation states over the last 10 years has been this emergence of a commodity market hacking as a service. Recently, ransomware as a service. So, you don’t really need to know what you’re doing, you just need to pay the money and have a target, and the rest will be done for you. And that’s a huge problem, and some of that is pretty sophisticated. But at the nation state level, I think it’s generally agreed that Russia has some very sophisticated advanced research on this, and they are doing stuff that is quite separate from the criminal world. And if you look at what they did in NotPetya and, most recently, in Ukraine with some of the wiper viruses, with WhisperGate and other attacks, this is very sophisticated stuff. It doesn’t always necessarily get in through a sophisticated vector. So, in NotPetya, I think when Cisco did the report on the company you mentioned, it hadn’t patched its servers for three or four years or something. So it was not a difficult company to compromise, but once in, the way that ransomware moved around and the way it operated, it was very sophisticated, and deeply buried, and hard to find. And we have to assume there’s quite a lot there we haven’t seen yet, and some capabilities they haven’t yet deployed.
AZEEM AZHAR: What we’ve learned so far with Russia, there’s cyber mischief that’s been going on, and a lot of emphasis in Ukraine over the past seven or eight years. Is your sense that this cyber domain will become very much less important as a field in terms of bringing this conflict to an end?
ROBERT HANNIGAN: Well, I think the interesting question will be does Russia choose to use its cyber capabilities and its criminal capabilities to hit back against sanctions, for example. So as well as all the collateral damage that’s going on from cyber in the region, does it decide to go after financial services in Western countries because its own financial services are sanctioned? Does it decide to go after the critical infrastructure of countries who it has decided are at the forefront of imposing sanctions? Which is most of Europe and the US. So I think the targeting may change. There are really two phases to the use of offensive cyber. One is precisely in the period when there isn’t kinetic violence, because one of the attractions of cyber weapons is that they’re just below the threshold of conflict. And they’re, to some extent, deniable. Once you’re into a ground war, or an air war for that matter, cyber, I think, just becomes part of the package of things that nations use when they’re fighting a war. And why wouldn’t you use that to support your attack? But I think they’re two relatively different uses of offensive cyber.
AZEEM AZHAR: Well, one of the things that’s been fascinating in Ukraine and Russia has been how the different criminal and independent cyber groups have started to take sides. I read that The Conti Group, which was behind a malware ransomware attack a couple of years ago, had initially come out in favor of Russia, and then there’d been some disagreement within the group. On the other hand, you have Anonymous, which is, I guess, a loose affiliation of interested hackers saying they were going to push back against Russia, and they claim a couple of things. One was to somehow control Russian state TV for a few minutes and play the Ukrainian national anthem. And then, secondly, perhaps more seriously, to list the names of all of the Russian soldiers who’d been billeted down for this invasion. What do you think we are seeing with these disparate groups coming into the battle?
ROBERT HANNIGAN: Well, I think this is one of the genuinely new developments. So we’re kind of used to Russian state actions, even though they’re developing all the time, but this development of the criminal groups, I think, is really interesting. So I think it was last Friday The Conti Group, which as you say, has been responsible for lots of ransomware as a service attacks, including the Colonial Pipeline attack, which was major news in the United States. So that group put out a statement on the Friday, I think it was, saying “We support Russia and we’re going to fight for Russia,” at which point the Ukrainian members took a different line, because, clearly, there are lots of hackers in Ukraine and Moldova and those countries that were former Soviet Union. And then I think Conti backed off, at least in public terms, and one of the Ukrainians has leaked a very large amount of documentation and data from The Conti Group, which is a really interesting source for security researchers. And then you’ve seen other groups lining up. As you say, Anonymous attacking the Moscow Stock Exchange, a Brazilian criminal group aligning with Russia. So, it is a very strange kind of fight going on under the surface, which we haven’t really seen before, and we’ve never really seen those national affiliations challenging the criminal affiliations. And just to add to it, for the first time, we’ve had the Ukrainian Ministry of Information asking hackers to fight for Ukraine in a digital army, and giving them a list of targets in Russia to go for. That hasn’t really happened before. So that’s a very interesting development to watch. It’s hard to know how much of that will spill into the West. Some of it will certainly spill over through unintentional damage, but it is definitely one to watch. And we haven’t really come across this before.
AZEEM AZHAR: And would you imagine, again, getting into the minds of the attacker here, that if you are sitting in whatever the equivalent of cyber command is in the Russian military, that you are on internet chats over Tor with these groups, encouraging them and directing them to be more useful for the cause, or are they doing this off their own back?
ROBERT HANNIGAN: Well, I think it’s absolutely clear that the state will be sending a message that they are unleashed essentially. There have been some at least presentational efforts from the Russian state to suggest that they are clamping down on some ransomware groups – not much evidence they’ve actually done it, but a few arrests, for example, which they’ve then publicized. But I suspect the opposite is happening now, and Russia is essentially saying, “Off you go. Do what you want,” and that’s probably where The Conti Group announcement came from. And it’s very difficult to know how it will impact on us, except that there’s also a lot of criminality and money making going on here. Add to this, as in the pandemic, criminal groups are seeing an opportunity, so we see fake sites purporting to be raising money for Ukrainian refugees, see fake information sites on Ukraine, fake spear-phishing emails from Ukrainians asking for help. Some of those are state probably and some are criminal groups, but they also sense a financial opportunity as well as a disruption one.
AZEEM AZHAR: Wouldn’t it make sense for Western cyber agencies to be doing the same and encouraging third party groups to prioritize what they do in Russia and Russia’s allies?
ROBERT HANNIGAN: Well, I’m not sure they need much encouraging, looking at Anonymous’s statements. I think there are a lot of people getting stuck in there. I don’t think it’s particularly healthy, because you’re going to get a lot of unintended consequences, and we do operate with different standards, I think. Affecting civilians is not acceptable, but I think it may be a feature of the future that citizen armies, hacker armies, will just decide to do their own thing, and won’t care that they may be breaking the Computer Misuse Act or whatever it is, and just go on and do it. One of the underlying problems, which maybe Russia is just discovering, is that, in the past, this has been an asymmetric cyber conflict world, where Western economies have been very open to the internet, relatively undefended. Russia has had less openness to the internet, and less high quality targets. So, to have that attention of criminals turn towards Russia is probably a new experience for them.
AZEEM AZHAR: But, of course, one of the things they’ve done over the last 10 years is create new regulations to allow them to better control the flow at the network level of data across the internet. And I think you started to see this in bits of Ukraine that the Russian separatists had seized in Donbas and Luhansk, where you can actually see the network structure start to evolve at the nerdy autonomous system level that you could see there was a partitioning of that infrastructure. So, in a sense, it’s not been so open, but they’ve also been building an autarchic resilience to the internet within Russia, which, I suppose, has some impact in terms of being able to reduce the attack surface.
ROBERT HANNIGAN: Yeah, absolutely. It’s a really interesting point. And I think we saw that exercise … Was it last year? When Russia effectively decided to try cutting itself off and seeing what would happen. And that is partly, I think, about political control of its own people, and that’s a primary objective. It was also about resilience against Western cyber attacks.
AZEEM AZHAR: So, Robert, what happened when they tried to cut themselves off from the internet? Did things work?
ROBERT HANNIGAN: I’m not absolutely sure, to be honest. I only saw the press reporting of it. I don’t think it was a total success because the truth is they’re not completely cut off, and, economically, they are fairly intertwined, or were. It’s going to, of course, change now with sanctions, but they certainly were intertwined, and it wasn’t really in their interest commercially to cut themselves off. But as a kind of doomsday scenario, it made sense, and they are clearly driven by trying to control information in their own country. That’s probably a bigger driver than the commercial.
AZEEM AZHAR: And how do things like Starlink play into this? So Elon Musk made his Starlink dishes available in Ukraine, and they’ve managed to bus dozens of them over. And, I guess, the interesting point there is that it provides fast internet access, even if the rest of the infrastructure has been broken. And that’s useful for lots of reasons. I wonder about, again, getting into the attackers’ mindset, whether that simply raises the stakes. Starlink doesn’t work without electricity, so now the importance of actually knocking out the electricity has risen.
ROBERT HANNIGAN: Yeah, exactly. Well, two worries. One is electricity, which is absolutely right, and is already happening in some cities. The other is that there’s a danger of escalating this into space. So we’ve seen Russia and China experimenting with destructive weapons in space. So what we don’t want to do is to escalate a war in space that is about attacking satellites. It is a very interesting development. Just as sort of hacking is becoming democratized, so is that open source imagery. And I’m really amazed by the quality of some of the low orbit, but high resolution pictures that come out of the satellites and Planet.com and other companies that just have this constellation, which is generally used for commercial purposes, but actually has a very clear political and military use for those who want it. It’s amazing.
AZEEM AZHAR: And this, I guess, is called the OSINT community – the open source intelligence community – and they use all sorts of imagery and reporting from smartphone footage through to the overflight footage of Maxar and Planet and Spire’s satellites to tell these stories. I think they were doing a lot of it in Syria, but, of course, in Ukraine now, there’s been an exponential growth of the number of satellite constellations, so there’s much more imagery more regularly that we can track. One of the things I’m curious about is a modern commercial grade satellite can take photos at a 30 centimeter accuracy. In other words, it can resolve things at 30 centimeters across the full visible light spectrum, maybe 40 centimeters.
ROBERT HANNIGAN: Yes. And the Bellingcat, I suppose, is most famous for doing exactly what you’ve said, which is not just to take satellite imagery, but to merge these various data sources, including smartphone stuff. And you can get an incredibly rich picture without any access to anything secret just by mashing together these sources of data.
AZEEM AZHAR: And is this actually helpful to one side or the other, or is it just emotional support for people who just want to understand what’s going on?
ROBERT HANNIGAN: Well, I think it’ll be very different in different wars. In this particular war, because the air superiority is clearly with Russia, knowing exactly where everything is and knowing about this now famous column of armored vehicles coming down from Belarus, which has been taking its time, doesn’t necessarily help the defenders. It may help them a little, but it’s not going to be a game changer. I think it is important in public messaging. Although, of course, that messaging won’t be available in Russia. So the audience you want to see that isn’t going to see it. But it’s still valuable that the rest of Europe and the US and the world are seeing what’s happening. I think that has to be a good thing. I think it will change the nature of war. And it will, of course, as you hinted earlier, make nations, particularly aggressive nation states, think a lot about how does it frustrate these open source mechanisms, and that could escalate things further.
AZEEM AZHAR: There’s a lot that any aggressor would learn. For example, Google Maps shows traffic jams as bright red. And so in the hours before the special military operation was launched, it was showing traffic jams in north/south running roads on the Russian border to Ukraine. And people could see that. And, well, what are these traffic jams that are four or five miles long at three in the morning? And so they, Google and Apple, have both taken to shutting off those abilities in Ukraine. Then, so, again, putting oneself in the mind of the attacker, you are going to have to do something, knowing that the buildup of your troops and movement of your troops is going to be absolutely visible. The capability of the imaging is getting better and better, and I suspect that what you can get out of Maxar or Planet today for free is probably better than what you could get militarily 30 years ago. That’s just the exponential trend of these technologies. So with this next conflagration, it’ll be infrared, and ultraviolet, and five centimeter accuracy, and overflights will be more frequent. So again, putting yourself in the mind of an attacker, and aggressor, how would you then deal with that?
ROBERT HANNIGAN: Well, I think there are two sides to dealing with it. One is the pure military side. So, how do we hide from some of this, or how do we try to frustrate or destroy the mechanisms producing it? For example, satellites. Or block them. So, there’s military response. I think on the public side, we’re already seeing the manipulation of this imagery. We saw it back when the Malaysian Airlines plane was shot down by Russian affiliated groups in eastern Ukraine. They were challenged with imagery, which they just denied, or they put alternative truths alongside it, and we’re seeing a lot of that even on Russian TV. The other night, I saw a report that they were using doctored imagery to suggest that the Ukrainians were the aggressors, and to show attacks on Russians. So, you will see a lot more manipulation, a lot more attempts to undermine the authenticity and truth of open source. And so one of the problems, I think, for the growth of open source is how do you authenticate it? How do you show that it is what it shows, and how do you get a sense of trust around these platforms? That’s going to be a big challenge.
AZEEM AZHAR: And the open source community has, obviously, already come under attack. There were attempts to sort of unpick Bellingcat by Russian affiliated groups in the last year or two. And I suppose one response would be, well, the open source community is a bit like open source itself, where the contributors build up their reputations over long periods of time. And within that reputation come their particular strengths, weaknesses, and perhaps biases. But then the community has to be able to self-police, and that in and of itself may not be sufficient if there was a concerted attack to poison it.
ROBERT HANNIGAN: I think that is a great point, but it touches a much, much bigger issue, which is how do we believe anything on the internet anymore? So I think our traditional sources of trust, very often newspapers, or state broadcasters in the West, are no longer seen as necessarily the sources, or the only sources, and not automatically trusted. And we’ve got this extraordinary open source world, which, as we’ve seen in manipulation of elections, is open to abuse. So there is a real challenge in the future as how do we establish fact in an open source world, and how do the ordinary viewers like you and me actually know what to believe? Now, it’s just incredibly difficult, and particularly hostile states and some in the West have woken up to that and thought, well, we can use that. We can manipulate it.
AZEEM AZHAR: So I wondered whether the American intelligence services had rather rescued their reputations, because they had, since November, been warning that this would happen, and increasingly loudly. And I say, pardon me, since November publicly. Perhaps longer than that. And, of course, in a way, that makes up for perhaps the intelligence failures around Iraq, which were really as political intelligence failures as anything else. But they can point to this and say, well, we were bang on, right, within a couple of days. And we had given four or five months notice of this all. And does that then create a sense of credibility in the wider public for the sorts of warnings that come out from a group that perhaps had tarnished itself through Iraq and then of course, what happened around Snowden?
ROBERT HANNIGAN: I think they have done well. Whether that cuts through to the average member of the public, I’m not sure. And there’s so much paranoia about the intelligence and the secret world that that’s quite hard to puncture. But I agree that they have been warning about this, and it was interesting to see a very deliberate strategy, particularly on the part of the United States, to get that intelligence out really as a way of trying to deter the attack. In the way that, certainly when I was in government, there was huge reluctance to attribute cyber attacks to a nation state for all sorts of diplomatic reasons. But, actually, there was then a sea change, where countries in the West realized that one way of deterring this was to out it and start to talk about who was doing it. And so you’ve seen a really quite regular drum beat of particularly US, Canada, UK saying “This attack came from” Russia or China or whatever. And I think that’s a positive thing. The more you can get out there safely, the more likely you are to make it difficult for your adversaries. You’re not going to stop them, but you’re going to make them be more careful, think twice, and maybe restrain their activity a bit. It’s definitely worth doing. So, I agree with you, but I don’t know which way it’ll go with the public. Will people believe the intelligence community more because they were right on this occasion? And, after all, if you believe what Putin himself has been saying for the last 22 years, you could have come to the same conclusion.
AZEEM AZHAR: So, Robert, knowing everything that you do – and there is so much that you can’t share with us – what keeps you awake at night? And then what gives you comfort and helps you get back to sleep?
ROBERT HANNIGAN: Well, in this current crisis, what keeps me awake at night is the unpredictability of the next few months. And it is very hard to know where Putin will stop. And, in any war, when you unleash this scale of violence, there will be unintended consequences for years to come for all of us, and worrying about what those might be is what, I guess, would keep me awake. What reassures me is that, suddenly, we have seen a Europe and United States which has rediscovered its common purpose, its values, the things that really are a red line for it, and decided to do something about that. Now, how long that will last, who knows, but I think it is a really significant moment in the context of 10 or 15 years where Western democracies have been very fractured, have not really focused on their values, and have been exploited by others from outside, including Putin. And so seeing that unity and sense of purpose at street level by our fellow citizens as well as by governments is, I think, a moment of real hope actually.
AZEEM AZHAR: Robert, I will take those words, the newfound strength of the Western alliance, with me to make sure that I get a good night’s sleep. Thank you so much for giving us your time today.
ROBERT HANNIGAN: Thanks, Azeem. It’s been a pleasure. Good talking to you.
AZEEM AZHAR: I hope you enjoyed this podcast. We’ve got several other great podcasts that tackle questions of cybersecurity. Look out for my discussions with Sir Richard Barrons, with Mariarosaria Taddeo, and Nicole Eagan. You can find those in the archive.