As global conflict increasingly turns digital, we look at the tools, targets & implications of cyberwarfare...
08 March 2022
Presented by Chris Smith, Robert Spencer
Production by Robert Spencer.


Internet connecting continents


Conflict around the world is no longer simply fought on the ground, in the water or in the air but also in the airwaves. As digital devices pervade our lives, so too do they become both agents of and targets for conflict. To navigate us between the bombs in the bitstreams, we speak with a young student from Ukraine, unpick cyberwarfare within society, tease apart the technicalities, investigate how this changes the rules of conflict, and ask what it means for the future...

In this episode

fishing nets

01:08 - Lit fishing nets avoid catching wrong fish

We shed some light upon new fishing nets that help reduce bycatching.

Lit fishing nets avoid catching wrong fish
Charlotte Birkmanis, University of Western Australia

Overfishing has had a major impact on our marine ecosystems. Apart from depleting fishing stocks, catching unwanted fish, known as bycatch, can disrupt food chains, damage the natural world and needlessly further endanger rare species. However, reducing the amount of bycatch while still maintaining profitable fishing enterprises has been difficult. But now, new research is shedding some light on a solution. Robert Spencer asked marine biologist Charlotte Birkmanis, from the University of Western Australia and who wasn’t involved in the study, to take a look at the idea…

Charlotte - A lot of small scale fisheries use gillnets, which are basically a net that is a curtain that is suspended in the water column, and it catches a lot of fish. It especially catches a lot of larger animals that can't swim through the gaps in the net. If you have a boat and a couple of people to help you, you can catch a lot of fish with minimal effort. Like everything, if something is too efficient, if you are catching too many fish, there's going to be implications to the ecosystem.

Robert - How much of a problem is bycatch? Is it a large amount that these nets in particular catch, or is it just every now and then they find something they didn't intend to get?

Charlotte - I think a lot of the time they catch something that they don't intend to get. In fact, a study came out in 2020 and they estimated that 9.1 million tons are discarded annually. That is almost 11% of the global catch. So, they are targeting tuna or something like that, that has a high commercial value, and they actually get these other animals caught in the net as well. It depends on the species: it can be sharks, it can be other animals that they're definitely not targeting like dolphins, like turtles. A lot of fishermen I do believe make a great effort to get them back in the water alive, but there's a lot of them that are already dead when they're pulled aboard.

Robert - Can you describe what the study in 'Current Biology' did in order to try and reduce the problem?

Charlotte - This was actually a very elegant study. This study got green LED lights, and it fixed them to gillnets at every 10 meters on the net. They also had other nets in the water which served as controls, so they put other nets in the water at the same time and in the same area to compare the two, to see what's actually happening with these LED lights. They found that the illuminated nets actually caught 63% less bycatch in total. That's over 80% fewer squid and 95% fewer sharks and rays by weight. So, that is very effective in eliminating bycatch, but the species that they were targeting, they were still capturing. It was a great study that showed that not only can we help conservation and the environment, but we can also ensure that these fishers catch the fish that they want.

Robert - That's incredible that you managed to select out over 90% of certain bycatch species, but not really reduce your target. Do we have any idea how that works? Why do the bycatch fish avoid a lit net and not the target catch?

Charlotte - That is the question and that's what needs more research. We know that elasmobranchs, which are sharks and rays, this group do have highly developed visual systems, and this is what they noted in the study. It's unclear if they were actually attracted to the net or deterred by the illumination but it was obviously some sort of a visual cue for them. The squid that were deterred as well, we know that they actually have enlarged eyes because they're predators. That's something that we need to look at in further depth.

Robert - How do you power these lights underwater? Is it something that you run cables back to land or are they battery operated?

Charlotte - I believe these ones were battery operated, and each one of these LED lights costs approximately eight US dollars. So, if you are in a fishery that can afford it, that's great, but, for a lot of these smaller fisheries, that price could be an issue. So, the researchers are also looking into having these solar powered lights. That would definitely make these smaller subsistence fisheries able to use this method as well.

Robert - Adding lights to your netting is presumably a time intensive and labour intensive process - is it worth it for these fisheries?

Charlotte - As you say, there will be a cost for having these LED lights, but there's also a benefit. It also helps them by eliminating the time consuming and cumbersome task of actually cleaning and untangling these nets and repairing them. If you get a big shark in the nets, it can actually rip your net, which is expensive and you've got to clean it. And it's also dangerous handling these large animals because they're not too happy being caught in this net either. So, there possibly is an increased expense in having these lights, but perhaps it'll be a greater benefit in general of having them.

Meteor heading towards Earth

06:25 - Telling time of year when dinosaurs died out

We now have a new and more specific time-scale for knowing when the meteor wipes out the dinosaurs.

Telling time of year when dinosaurs died out
Melanie During, Uppsala University

About 65 million years ago, an asteroid slammed into Earth in a cataclysmic impact that, among other things, wiped out the dinosaurs. But incredibly, scientists now know at what time of year this happened. PhD student Melanie During, from Uppsala University in Sweden, has found tiny balls of congealed glass made by the impact lodged in the gills of fish that died that day and were fossilised. And because fish grow at different rates at different times of the year, she was able to work out when they must have died, as she explains to Harry Lewis…

Melanie - When the meteorite hits, it's like throwing a bowling ball in a sandbox: molten rock immediately gets expelled into space, and in space they crystallise. But there's no gravity, it's a vacuum. So, the lightest elements, they stay in the centre which means you've got these balls that are often hollow in the centre, or glossy, and then they rain back down on earth. Those are tektites, and they have a fall back time of 15 to 30 minutes. The second thing is that, when the impact was made, you get this shock wave going through the earth. Of course, it's going to generate tsunamis in the ocean, but also, on the continental plate, the overlying bodies of water (lakes, rivers) are going to slosh back and forth like a pool during an earthquake. And so, this deposit with these fishes is caused by such a wave which went back and forth, meaning they alternate in the way that they are stacked up.

Harry - So, the fish are following this motion of the water? They're either pointed East or West - they're in polar opposites?

Melanie - Yep. It's East and West. Some of them are pointing in different directions when they've hit a tree or, if they're split open, it's a very violent deposit. But the majority of them are following the direction we expect.

Harry - We expect that these small spherical bits of meteorite that they...

Melanie - They're actually earth rock that's been ejected into space.

Harry - And they are penetrating actually into the bodies of the fish?

Melanie - No, they're not. They are actually taken up in their gills. They were still swimming and looking for food when the first impact hit, and they just sucked them up like they do with plankton and they choked on them.

Harry - Right. And so, through that, you are able to estimate what time of year these fish died?

Melanie - Yes. So these fish, they must have died on that particular day. The incoming wave and the impact both should have come within an hour. We know that they died on a particular day because these fishes have bones that grow like tree rings, registering a new year every year, but growth is not homogenous. It's not like growth, non-growth, growth, non-growth. No, we can actually tell that in spring growth gets started. You can tell that food uptake begins - but it's not as high as in summer, for instance. And then autumn is much lower, and in winter there's absolutely no growth. That's what we were looking for, and we've got multiple seasons in multiple fish. That what we were documenting and all of them clearly died at the same time and all of them clearly died when they were increasing their food intake again, after winter, but not yet at the summer maximum.

Harry - When this meteorite struck, we know roughly where it was as well, right? So, whereabouts was it?

Melanie - Yeah, it's a little town now called Chicxulub that is closest to the crater and that's in the Mexican peninsula. So if you have the Gulf of Mexico, it's on that arch on the bottom, which was in the Northern hemisphere when it struck. So, I would say it's roughly three and a half thousand kilometers south of the location that I studied.

Harry - What were the effects for the Northern hemisphere and the Southern hemisphere? Did they differ?

Melanie - In the North, it was spring and in the South, it was therefore autumn. So, when you look at the behavioral life cycles of the organisms - in the spring, plants were producing seeds, their first leaves, flowers, animals were looking for food, tending to offspring while, in the Southern hemisphere, they were preparing for winter; plants were shedding their leaves, making them a lot more robust, and many animals were seeking shelter and trying to prepare for winter. That latter category especially, those underground may have just been in the right place at the right time when the meteorite struck.

Harry - So, we know that there's been transition from what's around us today from the dinosaurs to a mainly mammal populated ecosystem and this could have been due to the time of year in which the meteorite struck?

Melanie - Yeah. Which is insane.

Harry - To be able to extrapolate that out as well, as a jigsaw puzzle not just for when it happened but for why our world looks the way it does, that's got to be pretty exciting for you to be able to connect these dots.

Melanie - It really is. And then you start looking up, "Okay. So, what was the recovery time?" And then you see that in the Southern hemisphere, it looks like they recovered twice as fast. Where did turtles survive? Turtles survived in the Southern hemisphere while any of the modern birds survived in the Southern hemisphere. I don't think that's a coincidence.

Desert sunset

12:47 - Desert solar power boost and water generator

Solar panels may now be used to produce electricity and water in hot climates.

Desert solar power boost and water generator
Peng Wang, King Abdullah University of Science and Technology

Saudi Arabia has a lot of sun and a lot of space, so it can grow solar power quite well, but not food: it’s a dry, hot desert. But now that might be about to change: researchers have been testing a system in Jeddah that extracts water from the arid air of the desert and uses it to grow crops in a greenhouse and cool their solar panels so they work better. It hinges on a special material that works a bit like a sponge. This soaks up water from damp, cool air at night. Then, during the day, waste heat from photovoltaic - or PV - electricity generating solar panels drives off the water again, keeping the panels cooler so they work 10% more efficiently. Piped into the greenhouse, the water can then enable you to grow food, even in a desert. The same technology could also help thirsty counties like Cambridgeshire, predicted to face much drier summers in future through the effects of climate change. The technology is the brainchild of researcher Peng Wang…

Peng - The essence of getting water is to have a special material. That material can harvest individual water molecules from the air and this happens typically in the evening or at night, when the temperature is low and the humidity is high. During the daytime, the heat coming from the PV drives the water to evaporate out of this material. Then you have the cooling because evaporation takes heat away. This reduces the PV temperature, and then lets the PV give us more electricity.

Chris - Is the material that's doing the soaking up of the water at night time from the air separate from the panel and you send heat from the panel to that material to drive the water off? Or is it intrinsically within the panel material?

Peng - In our design, we have our material stuck on the backside of the PV panel. This way the heat can naturally flow into the material and drive the water evaporation.

Chris - In essence we've got a system that's storing water at night time, which it's soaking up from the cooler night time air, the system that's capturing heat during the day is passing that heat into this water reservoir, driving the water off, cooling itself in the process, and you are capturing the water, which you can then send to a system that will use that water to grow food.

Peng - Precisely.

Chris - How much water are you able to get out of the system?

Peng - For our experiment, we were able to produce about 1 litre per day, per square meter. We still believe there's a lot of room for further improvement.

Chris - If you talk to your plant science colleagues, do they think this is a viable option?

Peng - Many people believe so because, in Saudi Arabia, there's no river and this technology gets water from nowhere. It does not rely on conventional water sources to produce water, therefore with a small amount of water being produced by this system, if you can utilise this very pressure water for a beneficial purpose to meet very basic human demand, that would be great.

TikTok phone screen

16:26 - Can social media spread tics in teens?

How an increase in time spent online is having unforeseen consequences...

Can social media spread tics in teens?
Dr Jessica Frey, University of Florida

A strange new trend has been reported by psychiatrics around the world: an increase recently in the number of teenagers with new tic-like behaviours. This has become particularly marked since the pandemic kicked off, and it coincides with a surge in social media and online video consumption. So scientists suspect that some people susceptible to tic conditions, like Tourette's, when exposed to videos of others with tics, can develop them themselves. Julia Ravey reports...

Julia - I'm just on TikTok and I'm looking up the # for Tourette’s. #Tourette’s has 5.5 billion views. Some of the top videos are an individual with Tourette’s, trying to do a COVID test. An individual, trying to drink a Coke. There's also a video here of a young girl with these jerk-like motor movements, who's asking, “Why is this happening to me?” This looks like an individual who has recently developed tic-like behaviours. There's no doubt that these videos are raising awareness of what it is like to live with tic-like behaviours, but are they having an impact beyond that? Jessica Frey from the University of Florida told me what they've been seeing in their clinics over the past year or so.

Jessica - Increased onset of tic-like behaviour and there is a concern that there is some social media influence involved in the onset of some of these tic-like disorders. One of the things we're seeing is a lot of the patients that come to us with these new onset tics, they're mimicking a lot of well known social media influencers. They have the same exact or very similar tics to the ones that they've seen in the videos.

Julia - That have been historical incidences of functional conditions spreading through populations.

Jessica - There was something called 'mass hysteria' where one person got some sort of thing and then everyone in the school got the same type of thing. That's on a much grander scale now with social media use because it's everywhere like viral content going worldwide.

Julia - Being exposed to this content with viral videos of tic-like behaviours could influence those who already have tic-like conditions or are susceptible to them.

Jessica - The tricky part of course, is that people who have Tourette syndrome or organic tics have a very common manifestation if they see people with tics that can actually be a trigger for their own tics and make them tic more.

Julia - Since the pandemic, with more teens being isolated and online, the occurrence of people coming across tic-like behaviour videos has no doubt increased, which could be a good or a bad thing. Jessica and colleagues are now trying to understand if social media is impacting tic-like behaviours, and have started with a small study, looking at the link between social media usage and tic severity.

Jessica - We did see some correlative data between the social media use as well as tic severity. There was no correlation between social media use and tic frequency. What was particularly interesting was only 5% of participants actually reported using social media to look up things related to tics and Tourette syndrome.

Julia - This was a surprise.

Jessica - Because our hypothesis going into this was that if you're going to be watching more videos on social media related to tics and Tourette syndrome, that may generate more severe or more frequent tics. We did see a correlation, but don't really have an explanation for the causation quite yet.

Julia - These results can be hard to untangle given that stress is a known influencer of increased tic-like behaviour.

Jessica - Given the pandemic and the increased social media use, which one is it? Which came first? The chicken or the egg? Is it the anxiety's driving the tics? Is it the social media use? Is it the pandemic? Is it one of those causing the other? We don't really know.

Julia - While larger studies go on to unpick this, Jessica and others have seen one technique, which has been found to help reduce tic-like behaviours in some instances.

Jessica - Anecdotally, we've seen that if we educate patients about where they're getting their information from and they stop and reduce their social media use, a lot of times the tics get better.

koi carp

21:06 - Sounds fishy to me...

What the noises from the deep can tell us about our underwater friends...

Sounds fishy to me...
Sophie Nedelec, University of Exeter

If you were to dangle an underwater microphone into the koi carp pond at Kew Gardens, you might be surprised how much sound is picked up. In other words, the underwater realm is a noisy place, and the sounds you hear there can be a giveaway for who’s around and in what sorts of numbers. That, in turn, can be used to gauge the health of the local ecosystem, and scientists want to build a global reference library of these sounds. Evelyna Wang caught up with Exeter University’s Sophie Nedelec to hear what she’s got in mind…

Sophie - There are so many animals that make sounds underwater - it's incredible. All of the mammals that live in the water make sounds, we believe, so that's about 126 mammal species. There's about 34,000 fish species that live in the water. And so far we know that at least a thousand of those make sounds, but the real number is likely more. It's just that we haven't found them yet. And then there's about 250,000 known marine invertebrates, and out of those, we know of at least a hundred that make sounds as well.

Evelyna - I understand how whales and dolphins and seals can make sounds, but how do fish and invertebrates do it?

Sophie - So fish have incredible ways of making sounds. Many fish have a sonic muscle, which they can vibrate or drum onto their swim bladder. It's like a little bubble of gas that's inside their bodies. So we have plainfin midshipman fish that produce a kind humming sound as their love song. Other fish rub their teeth together such as clownfish, like in the film 'Finding Nemo'. And then in terms of the byvalves you can often hear a kind of clacking and shuffling, which comes from the shells knocking together as well.

Evelyna - Even oysters make sounds. I never knew. So you have all of these recordings, what can you learn from them?

Sophie - So all of these sounds can be really useful to monitor where there are areas of healthy habitat or where there are areas where habitats might be shifting in their distribution due to climate change or maybe deteriorating in quality. So snapping shrimp, for example, are very small, but they make one of the loudest sounds that comes out of any animal under the water. They make a snap by clacking together two parts of one of their claws and their claw shuts so quickly that it actually creates a cavitation bubble and that bubble snaps shut with so much force that it momentarily creates energy that's as hot as the surface of the sun. So these shrimp can actually be really useful because they tell us about the health of a coral reef, as well as just, you know, that they're there being shrimp. So the healthier a coral reef is the more of these snapping shrimp sounds that we can find and also the more fish vocalizations that we find as well.

Evelyna - So Sophie, you are part of the team trying to establish this global library of underwater biological sounds. What are the main goals of this project?

Sophie - What we really want to call for is a global level of library, where these sounds are being shared around the world. And that will mean that it's open access so that anybody can contribute to it and anybody can use it. We need now more than ever to be able to catalogue what animals can be found in the ocean and where they can be found as we are losing biodiversity at alarming rates. And to involve citizen scientists in this effort as well. So if a person is to make some sound recordings under the water, then they might be able to upload it to the library and that would help identify what species people are encountering. I think the underwater world often can suffer from an out-of-sight-out-of-mind problem when it comes to engaging with it and protecting it. But this could be a way for an average person to engage more in their local blue habitats.

Ukraine flag

27:42 - Meet Solomiya, part of Ukraine's IT army

How mobile phones can be considered a weapon of modern war...

Meet Solomiya, part of Ukraine's IT army

We’re going to hear from Ukrainian law student Solomiya; she’s part of Ukraine’s “sofa army” of keyboard warriors who are using the power of social media to counter misinformation and share the reality with people worldwide including, critically, in Russia so the Russian public can hear what Vladimir Putin is trying to stop them finding out. She spoke earlier this week with our own James Tytko…

James - Hi Solomiya, how are you?

Solomiya - Yeah, thank you. Hello, we are good. We are in a safe place now and everything's kind of alright.

James - I was wondering if, for the benefit of our listeners, you could tell us a bit about where you're from and how life has changed in the past week.

Solomiya - So, I'm originally from Kyiv. I'm studying law.

James - When the news first broke of the war starting, what were those first few days in Kyiv like?

Solomiya - Ever since it started at 4/5 AM, there were sirens, and it was the most terrifying moment. After two days, when we were in Kyiv, and there were explosions and bombs, we decided to leave the city. Now we are in a Western part of Ukraine with my grandmother. I'm worried for all those people who are in Kyiv right now - I have a lot of friends that decided to stay there. Also, my grandparents are still in Kyiv, and I'm really worried about them. Every night, I dream about something with war in it: it's either, "we need to go to the shelter" or just shootings but, every night, in my dreams, I see war.

James - How are you keeping up to date with the situation at the moment?

Solomiya - We're using TV, of course. Also, we have a lot of information going through Instagram and, I don't know if you know about this messenger called Telegram, but it's really popular in Ukraine and we have some channels on there, verified by our government. Some other verified news sources as well. We are trying to use all of these accounts because others can be fake or spread Russian misinformation.

James - Have you been given any particular instructions on how to act online since the start of the conflict?

Solomiya - Yes. Firstly, our government told us to only use our governmental sites and not to believe any other accounts. We need to check information to know that it's not some Russian propaganda. Also, our military officials, they asked us not take photos of any soldiers, any of our tanks, planes, anything, because it can be used by our enemy. Also, they asked us not to take photos of explosions and bombings, because the Russians can correct their distance and location according to these photos.

James - You talked about government websites. I was wondering if there's been any interference and how, if at all, this has affected you?

Solomiya - The first few days we had some problems with a few of our sites. There were some problems with banks, also with a few of our governmental sites - I think it was the Ministry of Foreign Affairs - but it was only a problem with the working websites; there was no problem inside these banks and ministries. They were working alright.

James - This war's different to any other in the amount of information available online to people on all sides. I was wondering if you felt like you've contributed in any way to the Ukrainian resistance because of the online aspect of this war.

Solomiya - A lot of people my age, they're doing some work online. For example, I was reporting channels and accounts on different social media. There is a problem with accounts that are filming our military and saying where it is located, so we are trying to block these channels. Also, I was reporting some Russian Instagram celebrities because they were spreading lies about the war. They were saying that everything's alright. It's all lies because we've seen all the pictures from Kyiv and there's what I've seen myself. One Russian singer, he wrote something about the whole situation, like saying that Russia hasn't invaded anyone, and now, when you go to his Instagram and you see this post, Instagram is saying that this information is false. Also, I know a lot of people are going to some Russian websites, Russian groups, and they have started messaging them. They are sending them photos of our cities, of what's going on. The same is going on in Google maps. I've seen a lot of my friends, they just go to, for example, some really luxurious Moscow restaurant and in reviews of the restaurant, they are writing what's going on in Ukraine and sending pictures there.

James - Was there anything else about the cyber aspect of this conflict? Anything that has you particularly worried that might happen or has already happened?

Solomiya - We spread some information about the situation in our cities with people we know. So, if you go to someone's Instagram story, it's really likely that you'll see something like, "We've seen some, saboteurs here", or some information like, "We need help. There is a mother and a two month old child, and we need to take them from this city. Who is going there?" If someone needs some medicine or food, we're trying to help each other. We already took some people from a dangerous region and now they're in a safe place.

James - I'm truly in awe of your bravery and the way you've spoken today, and I think you've done something really great. Thank you so much for that.

Solomiya - Yeah. Thank you for asking.

A padlock, superimposed over a map of the world, with binary code written across it.

34:52 - Cyber in context

The techniques used by the world's largest powers to gain the advantage online...

Cyber in context
James Lyne

We know that the Internet and social media can be used to support war efforts. But what about the invisible subterfuge that goes on behind the scenes? Joining us to help unpack this aspect of cyber warfare is Cyber Security Expert from the SANS institute, James Lyne.

Chris - James, what do we mean by cyber a warfare or is this very much a moving target?

James - It is a bit of a moving target and quite a broad term. We are all using technology around us all the time; in our homes, in our hospitals, in our cities, at every moment in our lives as we interact with the world. Unfortunately, building technology without flaws is impossible, so security researchers or cyber criminals or governments can find these flaws and where the former will use that to help businesses become more secure, the latter could use it to gain access to systems, maybe remote controlling them, distributing nasty malicious code that steals usernames, passwords, or maybe even wipes or manipulates data. It can also involve manipulation of sentiment on social media. We've just heard from Solomiya about some very wise practices about caution of disinformation online, checking the validity of news sources, and care in sharing intelligence. Most of the time, cyber criminals take actions focused on making money, stealing data for extortion and so on, while cyber warfare is the idea these techniques can be used as a part of a nation state or integrated military campaign. Cyber war, which is a more serious, but very similar term, is actually a bit of a sticky subject for us experts because war has a very specific definition, a requirement for scale of life and impact.

Chris - It's interesting you bring that up though, James, because one of the criticisms being levelled at Vladimir Putin's attacks is that he keeps on bringing down civilians and civilian targets in the crossfire. What sorts of targets would people tend to go for in the cyber space, or actually are civilian targets the very targets that you want to target in cyber warfare?

James - I think we all, when we hear about the notion of cyber war and cyber warfare in the media, tend towards the idea of targeting missile silos and power stations, which has actually happened. But, a lot of the time it's targeting information sources, it's targeting civilians, it's targeting social media. A lot of the time, it's trying to draw attention away from true motives. And indeed, that's a lot of what seems to be happening in Ukraine at the moment. The UK National Cybersecurity Centre, the Department of Homeland Security warned of potential substantial Russian cyber attacks like have happened before, more on the serious infrastructure side, but to date, they've not really been that advanced; not having a kinetic impact. They've mostly been distributed denial of service, which is knocking a site or service online - a bit like getting 20 of your friends together and going to a supermarket and filling up the rotating doors so no one can get in. Russia, by the way, has form for these tactics. They were used against Estonia back in 2007.

Chris - Is it just that governments of all colours and flavours have got an army of people sitting in rooms at computers, basically just knocking on doors of computers wherever they can all over the world to just try and force entry somewhere and find vulnerabilities? Is that what's happening? You've just got people who are relentlessly ploughing around the world, looking for things that they can hack into.

James - Well, in effect, yes. Espionage has been something countries the world over have engaged in forever. Cyber provides an asymmetric opportunity to get information intelligence or cause disruption. So, of course, everyone is escalating their efforts into this domain. What's interesting, having just said that, so far, most of the examples from Russia have been very basic, there are a couple of attacks they've purportedly executed - it is rather difficult sometimes to attribute these attacks, particularly because nation states will often contract with cyber criminals for plausible deniability, kind of like a cyber reserve with less ethics - they've been known to target power stations. Indeed, back in 2015, causing a blackout, that plunged a couple hundred thousand Ukrainians into darkness for a few hours.

boxing gloves

39:33 - Cyber Attack vs Defence

How does one go about launching a cyber attack, and how might you go about putting up a defence?

Cyber Attack vs Defence
Chris Folkerd & Stephen Crow, ANS

To find out about the intricacies of attacking someone in cyber space, we spoke to two experts from digital specialists ANS, pitting the two of them against each other in a mock scenario. We talked about how you would commence or defend from a cyber attack on a system…

Robert - Between our two experts is our battleground: a fictional online store called Mrs. Miggins' violin shop. Chris Folkerd will be trying to attack it and Steven Crow will be trying to thwart him and protect Mrs. Miggins and her stringed instruments. I'll be your commentator, but it's Chris who has the first move.

Chris - There's something called the cyber kill chain, which is a step by step approach that people will take when they're doing a planned attack. The first thing to do is a little bit of reconnaissance, like you would do in any other operation, so I can get a good idea of what I'm going to try and attack. The next step is trying to gain entry. Normally, as much as the movies like to portray that it's always the technology you attack first, humans are often the weakest link when it comes to the security chain. So, what you'll try and do around that is first look at some social engineering, and that can take the form of me phoning in and pretending to be IT support or their service provider, or me sending them a phishing email.

Robert - Already, Stephen has his work cut out for him. How does one protect the system from the humans up?

Stephen - The best way to try and defend against social engineering and attacks against a human is through rigorous amounts of security training. What might be a "phishy" email? What is a dodgy application that you shouldn't be downloading from the internet?

Robert - But in our fictional scenario, perhaps this hasn't worked and Mrs. Miggins has clicked on a link and revealed her passwords or credentials. What does Chris do with the foothold?

Chris - It depends what's happened. If it has worked, I can move on. If it doesn't, then I need to go into a technological scanning section, and that's where we start looking for vulnerabilities in the system.

Robert - Most often, these vulnerabilities come in the form of bugs in the code; pieces of software that aren't working quite as they're supposed to. The databases are long lists of these bugs found by other people. They're given serial numbers like CVE-2014-0160, more commonly known by the moniker "heartbleed."

Chris - There's databases of thousands and thousands of known vulnerabilities. If I can't find one of those, if I have a big enough development team, you can go in with one known as a zero-day. It's called zero-day because it's been used before, it's been declared to the wider internet, which is one that you found you own, and you can go in without as much risk of being detected.

Robert - So, Stephen has his work cut out, not only against these vulnerabilities published on the internet, but also against the zero-day attacks.

Stephen - Unfortunately, against zero-days, you're completely on the back foot from a defensive point of view, and there's not much you can do about that. But, from a vulnerable application point of view, having a vigorous vulnerability management program in place is the best way to stop that.

Robert - Both sides now watching those lists like hawks, either to exploit the vulnerabilities or patch them up as fast as they can. But, often the defence is a step behind, as with zero-days. What happens when the line is broken?

Chris - It depends really on what the person attacking your website is trying to do. If I'm there to take the website offline, you will have an immediate, very observable cause that something's gone offline. If I'm there because I'm wanting to steal people's bank details, or I want to get day to day intelligence on what's going on in the business, I may have installed my own software inside there to make the system behave differently or ship information out to me very subtly in the background.

Robert - Two very different situations there. What happens in the first case when the site is taken down?

Stephen - The alarm bells go off. What we do there is, if it was due to an exploit that we knew about, we'd have to work out how that's been taken down, work out how we can fix the exploit, and then bring the website back up in a secure manner. If a malicious actor has gained access to our infrastructure, this is where we rely heavily on our technology. We rely on the software to say, hang on a minute, something fishys happening over here.

Chris - That's really where it turns into a game of cat and mouse, especially when you're moving outside of say, Mrs. Miggins' violin shop and into a large corporate network. A lot of the aims behind those sort of attacks it's looking at, can you navigate around the network? Can you start looking at other systems you can get into now you've got this initial foothold into the network, or is there an end goal that you're looking for a bigger target somewhere inside the network? So, it becomes a cat and mouse game there of trying to lay low whilst they're looking for you. There's a number of techniques that you can take to do that, and there's a number of behavioural traits you can do as well around disguising the mass transit of data that Stephen was talking about. Do you reduce it to a trickle and extricate it over a long period of time? Do you disguise that traffic to look like routine traffic inside the organisation?

Robert - So, now we have a game of spy vs spy. Attackers trying to sneak in and around stealing secrets while the defence team have to notice, find and neutralise them. But, if the attackers are being subtle, is there anything the defenders can do?

Stephen - Yes, definitely. This comes back to the term that we use in the industry of defence in depth and thinking of cybersecurity as a bit like an onion; you need to have a lot of layers in there, architecting your infrastructure in a secure manner.

Robert - Much like medieval castles, which had walls within walls to protect your computers, you set up firewalls between them, layering your defences one over the other.

Stephen - You should really put in some blocking or firewalls in between each of those devices to make sure that, if one of them's compromised, there's no lateral movement in your network to stop an actor getting from one to the other.

Chris - It's always one team being on the back foot and then there's always new vulnerabilities being discovered. I don't think there will ever be a point where software is perfect but, equally, as part of that arms race, there's always better and better detection technologies coming out as well.

Stephen - From my perspective, we go by the philosophy of it's not "if" it's going to happen, it's "when" it's going to happen.

Robert - And it's happening, right now, all around the world, in every data centre and server farm. No clear winner and a continual game of cat and mouse. The verdict: so far, a draw, and the audience goes... well, the audience doesn't even know the fight has started.

Matrix glitch

45:51 - Cyberconflict and the Geneva Convention

The legal implications of participating in and being subject to cyber attacks...

Cyberconflict and the Geneva Convention
Heather Harrison-Dinnis, Swedish Defence College

We shouldn’t forget that cyberwar is war. People can get hurt and it has a very real impact on military strategies. Conflict in general is governed by the Geneva convention and other international agreements. Is cyber conflict similarly regulated? We asked Heather Harrison-Dinnis from the International Law Centre of the Swedish National Defence College...

Heather - The basic answer is yes, it is. And the vast majority of states agree that the law of armed conflict applies to cyber operations exactly the same as it applies to other operations. There are a handful of states who disagree with that and those states include China and Russia. The easy part is saying that the principle of distinction (that you have to distinguish between military objectives on the one hand and civilian objects on the other, and only target military objectives) it's easy enough to say, "Well, that applies whether it's bombs, whether it's bullets, whether it's bitstreams," but the more difficult part of that is saying, "Well what amounts to an attack in cyberspace, how does that part work? Is it that you have to cause physical damage? Or is it enough that you just take it offline for a while?"

Robert - How is that differentiation typically done?

Heather - We have this sort of definition of what a military objective is: something that by its nature, purpose, or use offers a definite advantage, and the second part is its neutralisation offers you the advantage. Something by its nature, for example, would be a military communications network - it's military by nature, therefore it's a military objective. We define civilian objects in the law as anything that is not a military objective. GPS is dual use: it's a military satellite system but it's used so heavily by civilians. The trick with that, though, is that just because something is a military objective doesn't automatically mean that you can target it. There are other principles such as principle of proportionality, which says that you need to take into account the effect that it will have on civilians.

Robert - Are there any objects which are specially protected? I'm thinking, in traditional warfare, medical facilities and medical staff enjoy internationally recognised protection. Does the same hold for cyber objectives?

Heather - Absolutely. And those special protections also extend to what we call installations containing dangerous forces. Those are dams, dykes and nuclear power generating systems which are of particular interest.

Robert - Are cyber weapons that precise?

Heather - To be honest, it's one of the beauties of cyber weapons. They can be incredibly discriminate. It would be unlawful to craft a piece of code that could not distinguish - there are other pieces of malware out there (that's malicious software) that we've seen rampaging through the internet that really just don't care whether it's a military computer or a civilian computer, it just tries to spread as much as it can. There's also a distinction in relation to people and, again, it's this broad distinction between the fact you can target those who are fighting - combatants, members of the armed forces of the state - but also civilians who are directly participating in hostilities. I think that's something that people need to bear in mind because what we are seeing in these conflicts, and as we've seen over the past few days, people come out and say, "Well, I'm hacking in support of Russia", or "I'm hacking against Russia," people do need to bear in mind that if you are actively participating in hostilities, you become a lawful target.

Robert - So, sitting behind your computer and attacking in cyberspace is legally similar to taking up arms and attacking in the real world? Is that what you're saying?

Heather - That's what I'm saying. I would also point out there is nothing in the law that says that you have to be targeted in the same manner that you were targeting others. Bottom line: even if you hack, you could still be shot.

QWERTY keyboard, on 2007 Sony Vaio laptop computer.

51:09 - The Future of Cyberconflict

What can we expect from the conflicts of the future...

The Future of Cyberconflict
James Lyne

We've seen how cyberwarfare is changing the nature of modern conflicts, from information wars dictating how we follow the narrative, to hacking and interfering with the weapons and tactics of the enemy. But what does the future hold in store? We spoke to James Lyne...

Chris - James, do you think this kind of vigilante information war and also cyber warfare is something we're going to see more of in the future because it's certainly been something people are commenting on as being almost like a first. That we haven't really seen a war where this has been so prominent in the past.

James - I think there's an inevitable trajectory towards more use of cyber warfare tactics or cyber crime with aligned interests just because we're placing more and more technology around us at every moment. That just makes it rife for opportunities. Now, this has been building for some time. There have been attacks as far back as the early 2000s against industrial control systems and power stations but, of course, this is starting to put it into a new level of light to the public, in light of the horrific events in Ukraine. I would certainly say this is something we are going to see more of, and we need to remember that, as throughout this program we've talked about military actions and intelligence, we've also talked about how individual businesses can be targeted. Whilst the Russians are probably not taking time out right now to target Mrs Miggins' violin shop, that doesn't mean that they couldn't be part of a campaign of cyber criminals, or used as part of a more substantial nefarious attack. It's important we're all following cybersecurity safety practices. This isn't just a government thing.

Chris - I know that this is obviously prominent right now, but have many of these actors already been preparing the ground for many years? For instance, we are buying wholesale bits of equipment from other countries. Is it possible that there are lots of back doors that we are unaware of and they could be then activated to call up an army of devices that we've all got in our homes and all around us, or they can access those back doors when they want them.?

James - Without wanting to cause people to start ripping technology out of their homes left, right and centre, yes, supply chain attacks have occurred on significant scale, attributed to nation states as well as cyber criminals, multiple times over the past few years. Sourcing technology, particularly to put into sensitive places like power, water utilities, and telecoms is something that has to be done very carefully. It is very much an active risk as we depend on technology more and more. It is crucial that, as individuals, we're constantly looking at our use of technology and thinking about the validity of information we're accessing, thinking about how technology may be manipulating us, and then of course governments and businesses have huge responsibilities in securing and sourcing these very crucial pieces of infrastructure, like 5g, like power and water, that have demonstrably been attacked by nation states in the past.

Map of Europe

54:50 - QotW: Can accents influence my brain's voice?

Does your mind also slip into different accents when thinking about things?

QotW: Can accents influence my brain's voice?

James Tytko spoke to Hélène Lœvenbruck from Grenoble Alpes University to rattle our brains and find the answer...

Hélène - Speaking aloud requires sophisticated coordination of the movement of our speech organs: the larynx, tongue, lips, and jaw. We constantly have to adjust the commands sent to our speech muscles so that our movements are correct. Sometimes we make speech errors and we can correct ourselves. And sometimes we can “hear” these slips even before we make them. This is because we have an internal simulator, which allows us to predict the sound that will result from the muscle commands being issued.

James - That inner speech you are “hearing” is precisely this simulator, but without the motor functions being carried out. Commands are not sent to the muscles and articulation does not occur, yet we can “hear” the simulation, or the inner voice.

Hélène - Exactly. This inner voice is a lot like our actual voice, and for some people the voice has the person’s own accent! In an interesting study, researchers at the University of Nottingham have shown that silent reading can be influenced by regional accents.

James - So like how, in the South of England, we might rhyme grass with farce, for example, but someone in the North might rhyme grass with mass?

Hélène - Precisely. To do this, they compared the eye movements of Northern and Southern English participants when reading limericks. The study found that eye movement behaviour was disrupted when the final word did not rhyme, as determined by the reader’s accent. This suggested that participants produced inner speech with their own accent while reading.

James - How interesting. You mentioned that this was only for "some" people, though. What about everyone else?

Hélène - Some people do not hear an inner voice when they read, and some people do not even hear a voice when they talk to themselves. This is called auditory verbal aphantasia. Then there are those who rarely use words when they think at all, but rather images or abstract symbols. There are many questions about the versatility of inner speech which remain unanswered and further research is needed. Researchers in Grenoble, France are conducting an online survey on the diversity of mental imagery (including inner speech). You can participate and find more information on our website:

James - So, Fiona, that inner monologue you are hearing is best thought of as a simulation of your actual voice, kind of like a trial run to smooth out any of the creases before we attempt actual speech. It occurs even when we have no intention of saying anything out loud, and is affected by accents as researchers at the University of Nottingham have found. Thanks to Helene for offering her expertise on this topic. Next week, we'll be tackling this head scratcher from listener Marian.

Marian - I've noticed that when I scract, the itch tends to move to another part of my body. I was wondering why this is the case.

If you have any thoughts on what we discussed today here on Question of the Week, please tweet us on @NakedScientists or log on to the forum on the website to join the conversation. If you’ve got any questions yourself that you’d like us to tackle, send them by email to 


Add a comment