What is a cyber attack, and who are responsible?

You don’t have to look very far to find victims of them, with the British Library still reeling from a large-scale hack by a shadowy group in the autumn of last year. But where exactly do they come from? The University of Oxford’s Ciaran Martin has been described as “a cyber security ace” and helped set up the National Cyber Security Centre here in the UK.

Ciaran - That's a great question because sometimes you get pretty nonsensical statistics from, say, banks. They say, 'oh, we suffer 10 million cyber attacks a day.' And what that means is there's 10 million micro events where something a bit dodgy touches the edge of the network. Most of the time it doesn't do any harm. I would describe a cyber attack as an unauthorised intrusion into a network that causes significant damage and then I'd split it into two because one type of cyber attack is fairly silent. If you are using the network or running the network, you don't really notice it, but they just steal everything from it. So data theft. But the second is more disruptive, you can't use it. So it's an unauthorised intrusion that either leads to the theft or disruption of a computer network, is what I would call a cyber attack.

Will - How do these nefarious parties then actually get into a system? Is it a case of writing the correct line of code or playing an individual who works there or maybe a bit of both?

Ciaran - There's all sorts of ways and most of these operations that I've talked about have at least one very basic and very old method of intrusion. They get more sophisticated. I mean you can teach anybody to hack. Back in the UK in 2014, TalkTalk suffered a pretty high profile breach and that was something called a SQL injection, which is basically writing pretty basic malicious code into a data entry form on a website. You can teach somebody to do that in 20 minutes. I mean please don't because it's a breach of the computer misuse act, but that's what you can do. Something like taking out a power grid or stocks net operation against the Iranian nuclear program will take years and really sophisticated teamwork and skill and money and and so on. So there's a whole spectrum of cyber attacks from the very basic, to the very sophisticated but most of them involve something very basic. And I actually think most people understand how this works. So it starts with a phishing email. So click on a link and then there's a malicious payload and the hackers are in. Guess a password, so when I was running the National Cybersecurity Center, we partnered with this wonderful Australian called Troy Hunt who just, out of the goodness of his heart, runs this service where he tracks all these data breaches. And we analysed it with him and we noticed that 23.2 million occasions where the password 123456 had been breached. There were about half a million where Liverpool FC had been breached. About 250,000 where Pokemon had been the cause of a breach. So you can just guess passwords. And that's why most people get annoyed by two-factor authentication or multi-factor authentication. But that's why that exists because if you can guess a password, and criminals can guess passwords, most people reuse passwords 'cause they can't remember. So ultimately the basic route of entry and you mentioned, you know, studying people. I mean LinkedIn is maybe a useful professional tool for millions of people, but it's also an absolute treasure trove for identifying vulnerable targets for cyber crime and cyber operations from nation states. There's a sort of joke in national security circles that if LinkedIn didn't already exist, some intelligence agency would probably invent it and that's what you might call a more hybrid form of attack where there's a human element.

Will - Obviously in terms of motive, we feel like it's pretty obvious on a state level it's to disrupt potential aggressors or to attack potential other countries. But in terms of other smaller scale attacks, do we know what the motives are or who the most common perpetrators are?

Ciaran - I would say there's probably three broad reasons why states do these things. So one which is probably the oldest form is spying, is finding out information. And in some respects that's kind of a good thing. Spying, it may be unpleasant to some, that may be deceitful, but actually better informed governments tend to make less rash decisions. And when people talk about international rules of the road for cybersecurity, nobody ever talks about banning or outlawing state on state espionage. So a lot of this started with just governments, including our own. Let's face it, we have laws that allow the likes of GCHQ to do electronic espionage. So that's one big reason. There is then an incentive for some of the more adversarial states to disrupt. But there's a third reason which is related to that, which is not so much to disrupt, but to be prepared to disrupt. In other words, it's what we call pre-positioning. So some people talk about cyber weapons, I really dislike that term. And so far cyber tools are weapons. You can't just pick them up and point them at something. To do a sophisticated cyber operation, as I said earlier, it takes quite a lot of time. So what you sometimes see and indeed the Americans have just accused China of doing this over a period of five years. You sometimes see foreign adversaries lurking in your networks so that if tensions escalate, they have a beach head to attack you. And then finally North Korea has pioneered a new form of state sponsored cyber operation, which is that a cash starved regime that's crippled by sanctions uses it to steal money. So nation states have all sorts of complicated motives for doing cyber operations. Then criminals just do it for money. We talk about big data, like we talk about big oil and just like there's oil smuggling, there's sort of an illicit data economy. But the reason why cyber crime got so disruptive was that the criminals worked out that this ransomware model really worked a treat for them. They made so much more money out of ransomware, out of locking people out of their networks and then getting these terrified companies to pay these huge sums of money. I mean, there was one American food giant that paid $11 million to them in 2021. So they just worked out there was far more money in this sort of disruptive crime than there was in the sort of data theft. So that's why cyber crimes got so disruptive. And the other sort of possible cyber dog that hasn't really barked is terrorism. I think we're legitimately worried about terrorists sort of harnessing cyber capabilities to inflict absolute horrors on our societies, but it turns out that they can't do that most of the time because the sort of skill and infrastructure and money and people and time you need to do a very sophisticated cyber operation that could do loads of damage just isn't available to organisations that are trying to evade detection by the Americans and the British and others. So mostly with a few exceptions, we're worried about governments and criminals.