The evolution of cyberwarfare and espionage

What it can and can't do...
29 July 2025

Interview with Ciaran Martin, University of Oxford


There are battles we never see at all. No tanks, no sirens, no smoke - just clever computer scientists and mathematicians going about their daily business. In the 21st century, conflict often plays out in cyberspace: through data breaches, ransomware attacks, sabotage of infrastructure, and the silent theft of state secrets. Power grids are disrupted, hospitals paralysed, and elections manipulated - but it rarely looks like an act of war. Modern espionage has evolved alongside it. Once it was characterised by briefcases in smoke-filled bars, now it involves malware, quantum encryption, and digital surveillance at the kitchen table. Ciaran Martin founded the UK's National Cyber Security Centre and he’s now based at the University of Oxford…

Ciaran - Cyber is pretty much always and everywhere a secondary or enabling effect. Now let's say you've got a well-designed power grid that doesn't have a single off switch and can detect intrusions. You might get a little bit of disruption, but you couldn't take out the whole thing. There are a couple of interesting examples going back to the pre-full war period in Ukraine. In 2015 and 2016, in December of both years during winter, the Russians targeted Ukrainian power grids. According to some studies, one attack took a year and a half to prepare and the other two and a half years, because they were enormously technically complicated. They achieved limited outages: about seven hours in one case and under two hours in another, affecting millions of people. It was pretty inconvenient and scary, but compare that to what a fighter jet, a bomber, or a missile can do. In the Russia-Ukraine war, you're seeing a fierce intelligence contest where the Russians spy to find where Ukrainian civilians are hiding. They discover they're in the Mariupol theatre, use cyber to work out what's happening there, and then send in the bombers, which are far more devastatingly effective. You see a huge information war, digital reconnaissance before fighter jets strike power grids, and so on. In the words of the former head of the British Army, General Sir Patrick Sanders: you can't cyber your way up a river, you can't hold ground with cyber, and you can't conquer a territory the size of Ukraine with just cyber. But it's an important and very nuanced supporting capability for intelligence, information, and enabling disruption and military effect.

Chris - And you can of course also, through propaganda, influence elections, which means you can put the right person in the right job at the right time, which might load the dice.

Ciaran - You can, and I think when we're talking about that sort of issue, it's not just about elections; it's about the whole dynamic of democratic politics in many different countries. In the context of the Russia-Ukraine war, the manipulation of media and political discourse is enormous. One of the things you're seeing, for example, in terms of community relations in Western countries—many of which are divided over conflicts such as in the Middle East—is local Facebook groups being infiltrated with malicious, misleading content designed to provoke and divide.

Chris - And presumably the rise of AI is making some of these things a lot easier.

Ciaran - Again, it's important to look at the detail. At the end of 2023, people were looking ahead to the following year, which was going to be the year of elections, with most of the democratic world coincidentally holding national plebiscites. People were warning about the risks of deepfakes ruining elections and so forth—and none of that really happened. It's very hard, even with a sophisticated deepfake, to deceive an entire population. People notice, it gets exposed, and that spreads. What we actually saw in the US, and a bit in the UK, was what I just mentioned: clever, small-scale fakes in local areas and targeted agitation that flew below the radar of national media and discourse. A counter-example was when the Russians produced one of the most technically sophisticated deepfakes I’ve ever seen, pretending that the Ukrainian deputy national security adviser went on TV to claim Ukraine was responsible for the terrorist attack in Moscow in March 2024. Technically, it was brilliant—the voice and appearance were convincing—but it was completely implausible. Many people had seen the original show it was supposed to be from, where no such statement was made. The TV company released the original recording, and it just didn’t pass the smell test. There was no way a senior Ukrainian official would go on live TV and claim responsibility while the government was vociferously denying it. So you have to look for those more micro-targeted attacks. For example, turnout in the 2024 Democratic primary in New Hampshire was depressed because AI-generated robocalls went out to Democratic supporters telling them to stay at home. People who were isolated and vulnerable were far more susceptible than those engaging with peers who could immediately point out that it wasn’t true. So it’s a risk to watch, but again, the details of how that risk manifests really matter.

Chris - Where do you think we are vulnerable in this space, then? Where do we need to put our efforts to, A, showing that there’s a deterrent effect, and B, tightening up security to make sure we don’t fall victim?

Ciaran - We have to plan for every organisation, particularly critical ones, to be able to cope with the loss of a key network. Of course, try to defend against attacks, but you can’t defend against everything. How are you going to manage to an acceptable level if you are hacked? That’s the big worry, and it requires, to use the cliché, a whole-of-society defensive approach. Deterrence is much harder. People talk a lot about cyber deterrence and say we should hit back hard. The question you have to ask is: what activity are you proposing? We can, potentially—and we wouldn’t disclose this if we were doing it—hold other countries’ critical infrastructure at risk. But it’s unlikely that we’re going to hack civilian hospitals or put innocent people in other countries at risk. So deterrence is actually quite hard in that respect. That’s why one of the key strategies is deterrence by denial—making attacks harder—which brings us back to your point about protecting ourselves better.
