Charlotte: It seems every week we hear a new report of a cyber-attack. Recent prominent examples include the hack on retailer Marks and Spencer's which has reportedly cost the company around £300 million.
Other recent attacks include those on Jaguar Land Rover, Harrods, several European airports including Heathrow, and the Co-op, all causing massive economic disruption.
While it seems, at this stage, that most of these attacks have predominantly come from cyber criminals working within the UK rather than other nation states, they highlight the destruction that cyber-attacks can wreak. What if those attacks were on our critical infrastructure, our national grid? Our water supply? Is the UK prepared?
Welcome to LSE iQ, the podcast where we ask social scientists and other experts to answer one intelligent question. I’m Charlotte Kelloway from the iQ team where we work with academics to bring you their latest research and ideas and talk to people affected by the issues we explore.
In this episode I ask: Will the next world war be a cyberwar?
I talk to a former spy about when a cyber-attack could constitute a declaration of war, learn why sanctions aren’t very effective and find out how some countries actually rent out their cyber warfare capabilities.
But first, what do we mean when we say cyberwar and how do cyber-attacks differ from cyberwar? I asked Nigel Inkster, the former director of operations and intelligence for the British Secret Intelligence Service - MI6.
Nigel: A cyber-attack, it is a hostile intrusion into a network for whatever purpose, sabotage, espionage, criminality, ransomware, that kind of thing. Cyber warfare is a difficult and I think contested term. I think anybody really knows what it means. And to talk about cyber warfare as something that implies that it is separate and discrete from any other form of warfare, I think is highly misleading.
If we look at real world examples, and until recently, we didn't have that many real-world examples, we look at, for example, what's happening in Ukraine. We see cyber operations being undertaken by both sides all the time as a subset of other belligerent activities. And I think that is probably the most useful way of looking at the distinction….
Charlotte: And at what point does a cyber-attack or series of attacks become a declaration of war?
Nigel: Yeah. Well, again, that is a contested area and there is no settled international consensus on what that might be. Certain countries have set their own criteria for this. The United States in particular has said that any cyber-attack delivering an effect equivalent to a kinetic attack would constitute essentially an act of war and justify kinetic response.
Charlotte: So if a cyber-attack causes the same amount of damage as a physical—or kinetic—attack, then it could be treated just like an act of war. And in that case, a physical military response could be considered justified.
Nigel: Other countries have not committed themselves to drawing any specific red lines, and that of course is both a good and a bad thing. Good in the sense that one doesn't particularly want to see more red lines drawn that determine when kinetic warfare might be legitimate; bad in the sense that it creates a degree of ambiguity with the potential for one actor inadvertently to transgress red lines that have not been formally declared and thereby lead to an escalatory situation.
I think that there are some very interesting developments here in recent years that raise interesting questions about what constitutes a casus belli within the cyber domain.
Charlotte: A casus belli is an act or situation that provokes or justifies an act of war.
Nigel: And one that interests me in particular is the pervasive nature of ransomware. If we look at the last three or four years, as I say, we have seen levels of ransomware around the world increasing more or less exponentially. Anyone now can get on the dark web and buy an exploit.
Charlotte: Before we continue, I want to check exactly what Nigel means by the term ransomware so I’ve pulled out my laptop and I’m going to type ‘What is ransomware’ into Google.
One of the top webpages is from the National Cyber Security Centre. Let me click on it.
Ok, here we go, it says: "Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files." It goes on to explain that a ransom is then demanded in exchange for decryption. Now, back to Nigel.
Nigel: And if one looks, for example, at the recent attack on Marks & Spencer, which seemed to have the dimensions and characteristics of a nation-state attack, it turned out to be script kiddies who had sort of got a do-it-yourself Ikea kit. The problem here is, of course, that a lot of these ransomware capabilities are being generated within nation-states, in particular Russia, where we see a lot of state-sponsored or state-condoned criminality, which is designed to have a corrosive effect on society.
And this is something if you add up the economic and socially disruptive effects of these attacks, the outcomes often equate to or exceed what one might have expected from let's say a terrorist attack. And yet, up until now, nation-states, by and large, have shied away from elevating this to something which constitutes a strategic threat. I'm not sure how much longer that state of affairs will continue to exist.
Charlotte: And why, in your opinion, has there been this reluctance to retaliate to these cyber-attacks?
Nigel: I think because taken in isolation, none of them, in and of themselves, constitute and have such a great impact. I mean, I can't remember exactly when two or three years ago, parts of the US healthcare system came under significant ransomware attacks and this generated real-world consequences. People got sick and even died because they couldn’t access essential medication, but this was not considered something that merited a concerted and strategic response.
Now, if half that number of people had died in a terrorist attack, we would never have heard the end of it and the state concerned would have felt itself under an obligation to respond forcefully.
Charlotte: What Nigel is referring to here is the 2024 ransomware attack on UnitedHealth subsidiary Change Healthcare. This was the largest healthcare data breach in US history with an estimated 193 million people’s data affected.
The breach caused significant delays in patient care including delayed prescription filling. Although no official death figures have been produced as a result of the attack, Nigel is aware from conversations with US counterparts that the disruption led to patients being unable to access medication and treatments. And this could have resulted in premature deaths.
Nigel: So I think it's basically just a case that there is here a degree of ambiguity behind which malign actors are able to take refuge in the hope and expectation that an excessive, the kinetic response or some other kind of forceful response might generally appear excessive in relation to the harms caused.
Lauren: When we think about deterrence in international conflict, we're talking about the idea that if I can credibly threaten to punish you for some activity, you're probably not going to do it.
Charlotte: That was Dr Lauren Sukin, an expert in international security at Oxford University, who has been exploring issues of uncertainty and attribution in cyber-attacks.
Lauren: So maybe states that have large capable militaries are able to deter their adversaries from starting a conflict because they know that the chances that they lose a war or that that war would be very costly are quite high. We often think about deterrence in the nuclear context. You don't start a nuclear war because you don't want to fight one.
With cyber capabilities, deterrence is a little bit more complicated. In order to be able to threaten that you're going to punish an adversary, you need to first be able to identify an attack. And attribution is particularly complicated in the cyberspace. It's hard often to discover what has happened to know the extent of an attack or even to know who did it.
If you don't have that information, you can't effectively punish. Even if you can do attribution, the punishment aspect might still be hard. Let's say an adversary has managed to take out your electrical grid. You might not have the same capability to take a reciprocal action against them, and so the decision space for how to respond and what an appropriate punishment looks like is also much more complicated in the cyber domain.
That doesn't mean we can't deter the use of cyber operations, at least not large-scale cyber operations, but deterrence becomes harder and harder when we're not thinking about these big uses of cyber capabilities and instead are talking about these more common uses, these low-level information gathering type attacks or economic extortion type attacks.
It's hard to threaten any sort of punishment there that really matters enough to deter, and the disincentives for crossing from the cyber domain to other types of punishments are quite limited. What we see today, in addition to that exchange of limited cyber operations, is that punishment often takes the form of sanctions, but there's mixed evidence on how effective sanctions can actually be at changing state behaviour.
Charlotte: This situation isn’t helped by the fact there is very little international regulation around cyber warfare. Dr Sukin explains why this is the case.
Lauren: There's very little international law that regulates the use of cyber operations in conflict, although there are some attempts to develop guidelines and shared agreements. Part of the reason to do this is because you want to have limitations on some of the most dangerous potential avenues for the use of cyber operations, but it's very difficult to come to these agreements because of certain features of the cyber domain.
So for example, if we think about something like arms control or regulation in a much more concrete sphere, something like the nuclear sphere, we're talking about weapons that are observable and countable. You can reveal what you have in order to make sure that you and your enemy can agree to limitations, but you can't do that with cyber weapons… These problems having transparency mean we just don't really get regulation, law, agreements in the same way in the cyber domain as in other domains.
Charlotte: Nigel Inkster, the former MI6 director we heard from earlier, argues there is little incentive for states to develop rules and regulations in this area.
Nigel: ….espionage occupies an ambivalent status in international law. It's neither expressly condoned nor expressly forbidden. And international law, like British common law, is broadly permissive. In other words, what is not expressly forbidden is deemed permissible. No state wants to go on record as saying that they're engaged in espionage, though almost every state does.
And one of the factors that I think has significantly shaped the digital environment is that any state now that has a national telecommunications agency acquires, by default, the capability to operate a signals intelligence agency should it wish to do so. And even if it doesn't wish to do so, it can always acquire these capabilities from elsewhere, from China, from Israel whose Pegasus software has become the kind of weapon of choice for autocratic regimes that want to monitor the activities of their opponents and dissidents.
So we are dealing with a very complex and contested area here. And nobody, as I said, wants to admit that they are engaged in this kind of activity and nobody really sees it as being in their interest to develop rules and regulations that would limit their freedom of action so this is a difficult area.
Charlotte: OK, so we’ve talked about cyber-attacks and the lack of regulation in this area but who are the big players in this game? I’m at my computer doing some research on this and have numerous tabs open. Different commentators seem to have quite differing opinions.
Professor Alexander Evans is a former diplomat and former Director Cyber in the UK Foreign Office. He’s now Associate Dean for Strategic Development at the LSE School of Public Policy. I asked him for his view.
Alexander: The world of cyber conflict has expanded in recent years. Twenty years ago, only a handful of states really had the capability to conduct cyber operations, and most of those were anchored around the United States and its closest allies. That's changed. Today, a range of countries have existing cyber capabilities, and many more can buy or rent them in from private companies. So some of the leading cyber actors in cyber-attacks around the world have been organisations or networks based in North Korea, Russia, China, and Iran, but focusing on that group of four states is misleading because so many states have developed or can develop at pace the capability to conduct cyber-attacks.
Charlotte: Dr Lauren Sukin agrees.
Lauren: Cyber warfare affects the balance of power because it has this unique asymmetric quality where states that might be traditionally weaker in some domains, maybe they don't have a particularly strong economy or they have a relatively small military, can develop comprehensive cyber warfare capabilities.
So we see countries like North Korea become disproportionately influential in the cyber domain despite having some of those limitations. The balance of power is something we usually think of as coming out of states’ economies, their conventional militaries, maybe their nuclear assets.
But as the technology sector becomes increasingly important both economically and to improving military capabilities, states that have more advanced technological capabilities will become more and more influential….
Charlotte: Nigel sees the United States and China as the major players in cyberspace.
Nigel: ….there are a number of states that make the weather here, but it's the United States and China that shape the climate. These two major powers in every sense of the word, economic, military, industrial, and in terms of their capabilities in advanced technologies, are the ones who really matter.
Charlotte: He also agrees that Russian cyber capabilities shouldn’t be ignored either.
Nigel: Its cyber capabilities are considerable, but they have not succeeded in commercializing these in the way that the United States and China have done. Nobody wants to buy a Russian operating system or make use of a Russian social media network like VKontakte. But Russia does have some very significant capabilities in mathematics and hard sciences dating back to the Soviet era. And we have seen the Russian state leveraging these capabilities to engage in what Russia does best, which is to destabilize surrounding countries. And we're seeing this happening all the time. We're seeing it obviously in Ukraine, but we're seeing it in other countries as well that are suffering cyber-attacks that can credibly be attributed to the Russian state or its proxies.
Charlotte: So where does the UK come in all of this? I’m at my desk, reading an article in The Times from the end of August this year. It says that ‘Chinese state-sponsored hackers have been found to have infiltrated critical British infrastructure.’
The hackers are believed to be part of a group called Salt Typhoon and have reportedly targeted 80 countries since 2021 including governments, telecoms, transport and military infrastructure. This includes a quote: "cluster of activity in the UK".
I asked Professor Alexander Evans how prepared the UK is against a major cyber-attack.
Alexander: So in the UK we depend on technology and data and the internet for almost everything that we do. Just think about an average day, how you shop, how you get to work or school or university, how you conduct your business, how you communicate with friends and family and business associates. The reality is that the cyber risk, the cyber vulnerability for the UK is everything, everywhere, and nearly all at once. It's just not all at once because it's unlikely that a cyber-attack could take down the entire digital infrastructure of the UK (one attack, one effect, massive impact everywhere in the UK), but a series of cyber-attacks could seriously disrupt the way we live our life, the values we hold, our economy, and our national security….
The good news is the UK is better prepared for cyber-attacks than it was a decade or so ago. We have much stronger investment in cyber defences, in cyber resilience. GCHQ established the National Cyber Security Centre, which is our national cyber defence agency. And most companies and organizations now recognize the need to invest in cyber security and cyber defence as much against criminals as against other actors. But that doesn't necessarily mean we should rest easy.
….The scale of a challenge from cyber-attacks or cyber incidents is so great that defence will almost always play catch-up with offensive capabilities as they emerge.
Charlotte: We’ve heard about what the UK is doing defensively in this area but what are we doing offensively?
Alexander: So in cyber defence, countries largely try to plug gaps, make sure that your software is up-to-date, make sure that your systems haven't got back doors into them, make sure that your critical national infrastructure, the infrastructure that underpins how Britain works, is properly protected, defend your banks, defend your universities, and so on. But states also have other tools in their toolkit. Not only can they fortify defence and resilience, they can also develop cyber offense capabilities of their own.
The UK has also been very explicit that, in developing offensive cyber tools, the UK will use those lawfully and proportionately, and the UK has talked about having those tools and having that capability through the National Cyber Force, the NCF. What it hasn't done though is given chapter and verse on exactly what those capabilities are or what they could do in a crisis or a conflict because giving away too much information degrades your ability to be resilient as well.
[Film trailer montage]
Charlotte: So, what about the kind of cyber-attacks often depicted in films or TV? How likely are we to face a major cyber-attack which shuts down our national grid, our internet and our banking? I asked Lauren Sukin how realistic these depictions are and how scared we should be.
Lauren: When cyber warfare started to come on the scene as an object of study, there were lots of fears that we would see a cyber 9/11 or a cyber Pearl Harbor, some big all-out destructive cyber event that would be extremely lethal and would change the playing field for conflict.
Of course, we haven't seen that happen, and it's not just a question of capability limitations, it's also that this type of use of cyber operations is really not strategic in most scenarios.
Instead, the real benefit of cyber capabilities is the software, the backend of military technology, and it's about the ability to manoeuvre below the threshold for the use of force. It's about being able to collect information, to understand environment, to communicate narratives, and those lower level less intense uses of cyber operations are something we see quite frequently that are becoming a dominant feature of international security, but that look very different than those initial fears of a massive destructive cyber event….
Many countries have the ability to use some combination of cyber and other techniques to affect major infrastructure, whether that's something like an electric grid or a water treatment plant, and we've even seen cases where these prepositioned technologies are identified or there are attempts to use them and they're able to be stopped. The fact that that technology is there means if we were to see large scale conflict, let's say a war between very technologically advanced countries with large militaries, that war could be much more dangerous and expansive than it would be in the absence of those cyber technologies.
But what we often see in the media is more this fear of a bolt from the blue. Tomorrow you're going to wake up and there'll be no internet. It's not something that really states have any incentive to do except in the most extreme circumstances, and this fear isn't new. In the Cold War, we often saw a similar worry, you'd wake up tomorrow to a large-scale nuclear war, but that's not really how conflict starts. You have crises, the tensions escalate, they become low-level conflict. Eventually they move up to these larger more dramatic effects. Cyber warfare is part of that long history of escalation.
Charlotte: Those early fears of a Cyber Pearl Harbour haven’t materialised. Instead, cyber warfare is mostly about stealth and influence, not instant destruction. Nigel Inkster emphasises that cyber-attacks can be serious, although they’re often temporary and reversible.
Nigel: Once they've happened, you can over time and sometimes pretty quickly work out what's been done and take steps to reverse the impact. If we look at what's happened in Ukraine, for example, in the run-up to the Russian invasion, we saw Ukraine coming under constant cyber bombardment from Russia. But the Ukrainians were able to leverage assistance from major Western powers and some major Western companies like Amazon, like Microsoft, and were able to rapidly recover from some of these attacks. They're still going on all the time, but self-evidently, Ukraine has not been brought to a standstill by cyber-attacks.
And the other thing about cyber-attacks, we have to bear in mind, is that some of these will take months, years even to prepare. You need to gather all kinds of intelligence, reconnaissance on the networks before you are able to determine what is going to be an effective form of attack. And these of course are getting more sophisticated and complex all the time.
The point is once you've fired the weapon, you may not be able to use it again. So there's a lot of capability and a lot of effort has been put into using something that may only be deployed once or twice. And having said that, of course, it remains the case that the architecture of the internet is such that there are, without a fundamental re-architecting of the infrastructure, there are always going to be vulnerabilities that can be exploited.
We're in a kind of constant battle here. Artificial intelligence is starting to play a factor insofar as AI can potentially identify vectors of attack that had not been previously identified, but may also play a significant role in developing more effective defensive capabilities. So I think we are just going to see the sort of constant evolution, constant dynamic of attack, defence, counterattack.
Charlotte: So, do our interviewees think the next major war will be a cyberwar? Here’s Nigel again.
Nigel: No, cyber will be a significant component in any future global conflict, no question about it and will play a significant part. But at the end of the day, war is about people. War is between people. Look at Ukraine, we see a battlefield, a battle space that has been transformed by technology, the use of UAVs, cyber, all of these things. But at the end of the day, the decisive factor in the Ukrainian conflict has been what in Edwardian times was termed the poor bloody infantry.
War is a complex adaptive process and victory normally goes to the side that shows a greater capability to adapt in difficult circumstances. And that adaptation will have a significant cyber component to it, but it will be far from the only thing.
Charlotte: Here’s Lauren.
Lauren: I believe the next world war will be a war that involves significant cyber capabilities, but it's a misnomer to call it a cyber world war. Cyber capabilities exist primarily to supplement traditional means of warfare, and any large-scale war in the modern era is likely to use that suite of capabilities…
Charlotte: And finally, we hear from Alexander:
Alexander: War is part of a human condition, and we should expect to see wars again in the future, just sadly, as we are seeing wars today. And cyber tools and cyber capabilities are going to be part of those wars because every war in history has used, adopted, and sometimes accelerated technology. And that historical pattern is one we should expect to continue into the future.
Charlotte: This episode was written and produced by me, Charlotte Kelloway, with script development by Sophie Mallett and Anna Bevan and edited by Oliver Johnson. If you’d like to find out more about the research in this episode, head to the shownotes. And if you enjoy iQ, please leave us a review to help other people discover the podcast.
It seems every week we hear a new report of a cyber-attack. Recent examples include the hacks on Marks and Spencer's, Jaguar Land Rover, and the Co-op, all causing massive economic disruption.
While these attacks seem to have come from cyber criminals working within the UK rather than other nation states, they highlight the destruction that cyber-attacks can wreak. What if those attacks were on our critical infrastructure? Our national grid? Our water supply? Is the UK prepared?
Charlotte Kelloway meets former Director of Operations and Intelligence for the British Secret Intelligence Service (MI6), Nigel Inkster, who discusses when a cyber-attack could constitute a declaration of war.
She also talks to former Director Cyber in the Foreign Office and Associate Dean for Strategic Development at the LSE School of Public Policy Professor Alexander Evans about what the UK is doing defensively and offensively to prevent cyber-attacks.
Dr Lauren Sukin from Nuffield College at the University of Oxford explains why there is a lack of regulation in the cyberwar space and explores if depictions of cyberwar in the media are realistic.
Contributors: Professor Alexander Evans, Dr Lauren Sukin, Nigel Inkster
Research links:
Lauren Sukin: https://journals.sagepub.com/doi/full/10.1177/00220027231153580
Nigel Inkster: https://www.amazon.co.uk/Great-Decoupling-Struggle-Technological-Supremacy/dp/1787383830
LSE iQ is a university podcast by the London School of Economics and Political Science.