Britain's building a £1bn ‘army of hackers' – but they have already been outpaced by Russia

Telegraph

4 days ago

'The keyboard has become a weapon of war,' Defence Secretary John Healey announced at MoD Corsham, the UK's military cyber HQ, on Wednesday. Britain's digital defences are facing daily attacks from hostile states, he warned, and the time has come to fight back with a £1 billion injection to fund new artificial intelligence capabilities and an army of hackers.
Yet while the money is certainly a welcome boost, the language used has raised a few eyebrows. It's 'talking about cyber operations as if they're new,' scoffed Matthew Savill, director of military science at the Royal United Services Institute (RUSI) on the BBC's Today programme on Wednesday. 'It's been 15 years since Stuxnet.'
Savill, who it's fair to say has the inside scoop after several years as a senior civil servant in the Ministry of Defence (MoD), was referring to the highly sophisticated computer virus discovered in 2010 that had been used to sabotage Iran's nuclear facilities, widely attributed to a joint operation between the US and Israel.
It was a watershed moment in cyber warfare – proving how nation states could now cause vast damage from behind a computer screen, without a shot being fired. Not only that, but it also revealed – to the concern of many – the impressive cyber operations several countries now had in their locker.
Indeed, the US had made dominance in cyber a strategic goal as far back as the mid-1990s. China and Russia had quickly followed in the early 2000s, with Moscow investing heavily in technology to boost its intelligence units and Beijing openly integrating 'information warfare' into its military strategy.
Britain, however, was slower off the mark. Despite first being hit by state-sponsored cyber espionage in 2003, when malware designed to steal sensitive data was found on a government employee's device, it wasn't until 2010 that the National Security Strategy officially ranked cyber attacks as a 'Tier 1' threat – on par with terrorism. Some 15 years on, as Savill told the BBC's Jonny Dymond, defence chiefs appear yet again to be 'catching up'.
Government systems outpaced by cyber criminals
The danger this lack of action and investment has put the UK in was laid bare earlier this month in a report by the House of Commons' Public Accounts Committee (PAC). Crumbling Government computer systems have been outpaced by cyber criminals, MPs warned, with more than a quarter of all public sector IT systems using vulnerable, older 'legacy' technology.
Britain's critical infrastructure has already felt the impact of these weaknesses – from the devastating WannaCry ransomware attack on the NHS in 2017 to the recent hits experienced by retailers such as Marks & Spencer, the Co-op and Harrods. Each attack only reaffirms the need to improve resilience.
Indeed, the UK Government is in no doubt of the need for – and effectiveness of – a world-leading cyber operation. Just keeping at bay the 90,000 cyber attacks the country has faced from hostile states in the past two years is difficult enough (double the previous number in the same time period up to 2023), less actually going on the offensive.
'One of the reasons you might be seeing a pivot to spending more money on cyber in our armed forces, rather than bombs and bullets, is because it can level the playing field,' says Prof Alan Woodward, cybersecurity expert from the University of Surrey. 'It acts as a force multiplier.
'Smaller countries can get a bigger bang for their buck – there's no longer as much need for an overwhelming physical superiority over the enemy, you can instead just turn off their lights and gas. We are a much smaller military nation than we once were – the armed forces can't even fill Wembley Stadium. So cyber is a way of punching above our weight.
'If you spend the money wisely and you can develop the capability, then there is the possibility you can be ready for some of the threats in what is an increasingly volatile world. It's what allowed Ukraine to make a damn good fist of fighting what on paper should be an overwhelming physical force from Russia.'
Why Britain is still behind
The UK's armed forces and intelligence agencies do in fact possess significant cyber expertise – Britain's GCHQ being the jewel in its crown, helped by its close allegiance with its counterpart in the US, the National Security Agency.
Its offensive cyber unit once conducted a hugely successful cyber campaign against Islamic State in 2017 that made it 'almost impossible' for the terror group to 'spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications,' according to Jeremy Fleming, then-head of GCHQ.
A major problem, however, lies in its size. The scale of its cyber teams is modest – numbering in the low thousands – and often relying on contractors or partner support for advanced operations. In contrast, adversaries like China or Russia deploy vast numbers of keyboard warriors. This was spelt out in the recent PAC report, which warned of a shortage of cyber skills experts, particularly in the public sector.
Woodward points to two main reasons behind this: firstly, the lack of students opting to study engineering, and secondly, the poor pay on offer for those who opt for the civil service. In China, between 30 to 40 per cent of graduates have a STEM (science, technology, engineering or mathematics) qualification – compared to around 5 per cent 'if you're lucky' in the UK, he says. 'They're hard, complicated subjects and people don't want to do them, even though if you do computer science your chances of getting a job are practically guaranteed, and you'll be earning one of the highest salaries.'
Yet the big-money jobs are generally only available in the private sector – where the pay on offer can often be nearly twice as much as their public sector counterparts. 'How do you compete against banks and people like that paying large salaries?' says Woodward. In contrast, other nation states like China are going 'hell for leather' in attracting the best talent to the military and government agencies.
Industry insiders have certainly noted the skills shortage. 'Police, security services and government departments need to recruit and accelerate cyber skills and capabilities to stay one step ahead of the bad actors,' says Ed Dolman, head of Europe, Middle East, and Africa at digital forensics firm Cellebrite, which provides the MoD and other government agencies with the technology to carry out cyber investigations. 'Britain cannot afford to play catch up any more and sleepwalk into this increasingly dangerous world.
'Growing volumes of increasingly sophisticated cyber-attacks perpetuated by rogue states and organised criminal groups mean that ramping up the UK's security capabilities should be at the very top of the Government agenda.'
A £1bn boost to UK cyber defences
The Government has at least been looking to bolster its defences with cyber personnel. In 2020, the Government established a specialist unit called the National Cyber Force to carry out the UK's offensive cyber activity to protect the UK. Its aim is to reach 3,000 cyber experts by the end of the decade. To give a sense of scale of the fight Britain is up against however, estimates for China's own 'hacker army' range between 50,000 to 100,000.
The latest £1 billion injection to the UK's cyber defences will fund a new Cyber and Electromagnetic Command, which will upgrade targeting systems using an artificial intelligence 'kill web' that connects military systems. Experts suggest it hints that the UK may start to go on the offensive with its cyber operations, similar to its allies and enemies.
'The UK has been very cagey about talking about its offensive cyber capability,' Savill told the BBC. 'It's only a very slight cracking open of what remains a pretty secretive world. But it sounds like they want to talk a little bit more about their ability to take on hostile states.'
Woodward suggests the UK may in fact have far more capability than has been publicly acknowledged. 'The UK has definitely been building its offensive cyber capabilities,' he says. 'Indeed, just because we haven't yet used it, doesn't mean we don't have the technology. It's a bit like saying: 'I've got a nuclear weapon, you've got a nuclear weapon, but I'm behind because I've never used it.''
Instead, unlike Moscow, the UK has to be far more careful – and often it's better not to show your hand until you need to, he says.
'Moscow has been far more aggressive and brazen about it. They like the disruption. Putin's regime is very happy to play fast and loose with these things and takes a lot more risk than the British government is willing to.
'We would never admit to it [offensive cyber operations], because if we did it would be an act of war.'
An 'ethical dilemma'
For several years, Russia has carried out cyberattacks on Western critical infrastructure through criminal groups – allowing them to deny any involvement. Yet on the battlefield, particularly in Ukraine, they have been far more gung-ho with trying out autonomous AI weapons, such as drones that can recognise targets and fire. In its fight for survival, Ukraine has also tried such technology out.
For the UK however, this presents an 'ethical dilemma'. 'Britain finds it hard enough with driverless cars,' jokes Woodward. Neither can it use criminal groups as a proxy for its dirty work. Yet, he suggests the UK has already carried out extensive digital espionage and may well be ready to unleash its own cyber weapons in the near future.
'If you're going for real disruption, like taking energy grids down, you don't want to play your hand,' he says, suggesting that it may have already started the process. Stuxnet, for example, was only discovered years after it had been lying in place. 'We may have already planted the seeds in various places. But actually triggering them is a different proposition – you don't want to use it until you really have to.'
So while it might seem like we're late to the party, Woodward believes we may in fact be better prepared than some fear. 'It's not a sudden revolution in thinking, it's an evolution,' he says. 'I just think it's accelerated.'