
GCHQ lauds new UK cyber weapons created to hit back at hostile states


Hacking tools have been developed by Britain’s secret service which are capable of inflicting real-world damage in a manner comparable to the Stuxnet attack on Iranian uranium enrichment centrifuges.

Britain’s secret service now has cyber weapons capable of shutting down key parts of a hostile state’s national infrastructure in retaliation for an attack on the UK, the government’s intelligence and security watchdog has confirmed.

In an official submission to the Intelligence and Security Committee (ISC), the watchdog chaired by former attorney general Dominic Grieve, spy agency GCHQ reported that it had “overachieved” and delivered almost double the number of offensive cyber capabilities it was aiming to have in its arsenal.  

Though the precise nature of the new techniques and capabilities was not divulged, unnamed figures from the intelligence agency hailed a “spectrum of successes” over the past two years. They are leading a hitherto little-known programme to build effective deterrents that could inflict real-world damage in return for any similar attack on the UK.

In his committee’s partially redacted annual report, Grieve stressed that offensive cyber capabilities normally take the form of “highly tailored and system specific” hacking tools, as opposed to a “one size fits all” weapon in the manner of a conventional military tool like a bomb or missile.

He later singled out Russia, China and Iran as “state actors” capable of carrying out advanced cyber attacks.

Grieve said that “their use of these methods has historically been restricted by the diplomatic and geopolitical consequences if the activity was uncovered”, but added pointedly: “Recent Russian cyber activity appears to indicate that this may no longer be the case.”

Russia is believed to have been behind attacks on the Ukrainian power grid and a French TV station.

The Stuxnet computer virus attack on Iranian uranium enrichment centrifuges, which is believed to have been launched by Israel as part of the country’s defence strategy and which reprogrammed Iranian control systems in a nuclear facility, was the first widely reported instance of a cyber weapon being used to cause significant real-world damage.

The phrase ‘offensive cyber’ covers a swathe of capabilities, ranging from the ability to shut down the source of an ongoing attack to the means used to enact retaliation after an enemy onslaught has wrought its damage. The ISC said such tools could potentially be used in conjunction with conventional weaponry to try to neutralise a threat.

Areas the secret service has been working on include the development of bespoke malware, testing of new interception tools to detect emerging threats and investigation of different delivery methods used for gaining access to an adversary’s networks.

Instances of alleged state-sponsored hacking have prompted Nato to agree that a cyber attack could trigger the military alliance’s mutual defence clause, but the norms and protocols associated with cyber warfare are much less advanced than those linked to conventional battles.

International law applies to state acts in cyber space, but there is currently a lack of binding international mechanisms designed to enforce it, and accurately attributing a cyber attack to a particular source can be notoriously problematic.

In written evidence to the committee, one GCHQ insider remarked: “It’s not like arms control, where you can point to something and say they’ve breached the rules and we can attribute this activity to this person.”

Speaking earlier this year at a cyber-security event held in Cambridge for would-be GCHQ hackers, technologist Dr Jessica Barker called retaliatory cyber operations a “terrible idea”.

She said: “If we can’t attribute who’s hacking, how can we hack back?

“Also, we can’t defend ourselves 100 per cent. What makes us think we can attack and that that’s a good idea?”

Today’s ISC report also suggests households’ cyber security could be beefed up if a government-backed accreditation process for approving new Internet of Things devices – like smart fridges and Amazon Echo-type gizmos – was developed.

The report warned that “until consumers or regulators demand better security, many manufacturers are likely to sideline cyber security considerations, given their potential impact on time to market and, therefore, profits”.
