There are many reasons to fear the consequences of cyber warfare. Digital attacks on infrastructure and systems could cause chaos, even deaths, while the attacker does not have to leave their coffee and computer screen. In response to such threats, governments around the world are equipping themselves for the cyber-front. But is the much-vaunted cyber-Armageddon likely or even possible?
Robert Hannigan, the Warden of Wadham College, should know. He was an early bellwether of cyber danger when, as head of GCHQ, he established, in 2016, the National Cyber Security Centre. So, he is no cyber-sceptic, but he was not expecting a massive cyber-strike, which many predicted, a digital 9/11, to accompany the Russian invasion of Ukraine.
Since Russia developed, and encouraged, such an aggressive cyber-reputation, commentators have been left wondering why there was no massive digital attack. Mr Hannigan points out, Russia had, in fact, been using Ukraine as a test-bed for cyber-attack for over 10 years and, in the run up to the invasion, had inflicted a ‘barrage of attacks’, softening up the target. But, once the ‘kinetic war’ had started – the one with bullets and bombs – a new stage had begun. Nonetheless, Russian state cyber attackers have continued to attack Ukraine and countries in the region, as well as mounting propaganda and fake news campaigns around the world.
And, he says, the Russians, anticipating an early victory, did not want to destroy Ukraine’s systems. They expected to be using the telecommunications and infrastructure. To have destroyed them would have been a self-inflicted wound. Also, cyber-attacks can have an unfortunate consequence of rebounding on the perpetrator – with digital fall-out causing systems to fail far beyond the original target.
According to Mr Hannigan, however, ‘State cyber threats do get overplayed. They can’t do everything and countries over-estimate their cyber capabilities – just as they over estimate their military capability.’
As is widely-believed, Russia’s kinetic invasion has not gone according to plan, although its military prowess had been long boasted of. Perhaps the threat of cyber is not as concerning as believed?
‘The whole conflict has not gone their way,’ Mr Hannigan says bluntly. But, he insists, cyber warfare is very real and he adds, ‘Things can be done and are being done, to build a better defended society. Ukraine’s cyber defences, helped by friendly governments and by the private sector, have been impressive and there are positive lessons to be learned.’
He explains, cyber warfare is very different from the conventional type – and most countries are investigating the possibilities, to some extent. He says, it is a major threat but it will not replace conventional warfare, ‘It is easy to exaggerate the importance of cyber-attacks. It makes good press stories. And they can do a lot of damage of course and cause chaos. But they are most effectively used in the run-up to a conflict.’
Nevertheless, cyber security, both for nations and organisations, has become a major developing industry – as shown by the establishment of the UK’s centre and the time and resources now given by companies to protect their systems.
The potential vulnerability of countries to digital attack has become clear in recent years as utilities’ systems, banks, hospitals and individual households have faced threats from state and non-state actors. Cyber threats have become an integral part of countries’ and criminals’ arsenals.
Having seen the threat early, Mr Hannigan insists, ‘The challenges are ‘moving very fast’, as potential attackers learn fast. Many organisations are not sufficiently well defended and the risk to systems going down, is very real. You will never eradicate cyber crime – which drives most of this – but you can reduce it to a manageable level’.
It was in response to such concerns, Mr Hannigan established the NCSC to bring together ‘bits of government and the private sector’ to combat the threat. He maintains, ‘There was a tidal wave of cyber-crime coming towards us and all Governments were in the same position. A lot of it is outside the government’s control. It’s not like controlling your airspace. Tech companies and networks are in private hands, of course – and the threat is all pervasive.’
Having said that, he insists, it is important cyber actions are only carried out within an ethical framework – not involving civilians – ‘collateral damage’. But not all countries will play by such rules, especially the ones which do not worry about bombing hospitals. They are unlikely to worry about the impact of cutting off the power to people’s homes.
It is not just the offensive cyber threat that is of concern. Mr Hannigan says, ‘AI brings a whole new level of threat…You don’t know if what you’re looking at is real. The possibility of misinformation is huge and trust can be undermined on an industrial scale.’
He adds, ‘In the tech space, I am worried about AI and what it will mean for the security of our networks. There is a tsunami of stuff coming our way and increasingly there is no way of knowing what is false. There is good research going on both into the security of AI models and mechanisms for building trust, but much more needs to be done.’
Mr Hannigan warns, 'We have to get better at regulating tech – our track record to date is awful. Ideas about killer robots undermine the more urgent threat of AI, which is in the undermining of the credibility of everything. Regulators and politicians lack the skills to understand what they are regulating.'
And he is concerned that the business model of the tech industry is not aimed at social good – companies could share more useful data, for the benefit of security, but do not because of commercial concerns.
Since leaving GCHQ, Mr Hannigan has worked with many organisations and countries on cyber security. But in 2021, he came back to Oxford, where he had been a student. It is often said, something has come full circle, even when it has not. In the case of Robert Hannigan, this could not be more apposite. A Classics student at Wadham in the mid-1980s, he returned to college nearly 40 years later as Warden.
He came as a teenager, to study one of the toughest courses in the university – around the same time as Boris Johnson was studying Classics at Oxford, albeit at a different college. Having not come back to Oxford much in the intervening decades, he finds it strange now to be in the city under such different circumstances.
‘Wadham is still very informal and welcoming, but it took a while to adjust to a new role - I kept thinking I’m late, as I was always late in the 1980s,’ he smiles. ‘Oxford is the same in many ways – young people haven’t changed that much - but it’s great to see more genuine diversity.’
Back in the 1980s, Mr Hannigan says, he came to Oxford very young and very shy. He says, ‘I should have come later…after working. I would have got much more out of it.’
He would even, probably, have taken a different degree, ‘I took Classics because I was good enough at it and I enjoyed it at school and someone suggested I do it at university.’
Mr Hannigan’s return is as a distinguished former public servant and intelligence chief (head of GCHQ), who established the NCSC, at a time when many people saw the internet as a way of looking at amusing films of cats. He wonders if he should have read something else as a student, ‘Should I have done Engineering, that might have been more appropriate for cyber security? And I’m very interested in English Literature, perhaps I should have done that?’
But weren’t code breakers notoriously Classicists?
‘There were some famous examples,’ he says. ‘But most code breakers at the wartime code-breaking centre Bletchley Park, including Alan Turing, were Mathematicians. And today, GCHQ is the biggest employer of Mathematicians and Linguists in the country.’
The young Hannigan was unsure what to do on graduating. Thoughts of a career in intelligence were not at the forefront of his mind. He thought about doing a DPhil in Classics, but then took a course in Philosophy in London, before taking a postgraduate teaching course in the Capital. He taught English, not Classics, at a school in Feltham. He seemed to be set for a career in education.
Then, however, in another twist in his tale, he went to Northern Ireland. At the time, most graduates were going in the opposite direction; away from the Troubles and to the opportunities of London. He remained in Belfast for 10 years, joining the Northern Ireland Office and becoming a part of the team who implemented the Good Friday Agreement, with their counterparts from the Irish foreign service.
‘I have very happy memories of being there - our children were born in Belfast. And it was a pleasure working with the Irish diplomats,’ he says.
President Biden recently marked the 25th anniversary of the Agreement, which was signed in April 1998, with a visit to Belfast, and a trip around Ireland, to see where his ancestors lived. Mr Hannigan also made a recent visit to Belfast, with rather less publicity and was pleased to see the change in Northern Ireland. He says, ‘I was delighted to see how dynamic it is. When we were living there, people tended not to go out in Belfast in the evening to eat. But it was great to see that energy now.’
But problems in the North mean the Agreement is looking ‘a little frayed’, says Mr Hannigan, although he is hopeful for the future. As part of the Northern Ireland team, he worked closely with the then Prime Minister, Tony Blair, on implementation of the Agreement. And Mr Hannigan returned to London and Downing Street to work as a security adviser for Mr Blair and his successor, Gordon Brown. From there, he went to the then Foreign and Commonwealth Office, to oversee the intelligence agencies’ operations, where he was based, when David Cameron took up the reins of Government.
His final role in Whitehall saw Mr Hannigan travel the globe to visit UK overseas territories and posts – including the Falklands and Ascension Island as well as Antarctica, but not, sadly, he says, Tristan da Cunha.
As a specialist in intelligence, Mr Hannigan then transferred to the government’s top ‘listening post’, GCHQ – mission: to keep the country safe. Unlike the security services, the post came with no Initial – he was not C or M. But the country was in a state of heightened alert. He recalls, ‘There had been the 7/7 bombing and the number one worry was domestic terrorism.’
‘ISIS was the first terrorist group to make use of social media,’ he says. ‘It was a big change. In Northern Ireland, it had been completely different. It was a generational thing - Al Qaeda and the IRA were pre-digital.’
GCHQ, he says, had some things in common with the senior common room of an Oxford college – full of ‘seriously academic people’ doing research. Mr Hannigan insists people are essential to the process, it cannot all be done by machines, ‘You need human judgement and there is a shortage of the skills needed.’
Now he is back in an Oxford college, albeit in a different role, he says, ‘It’s great to see all the students and wonderful to see how much work there has been on developing access in Wadham. This has always been a strength of the college. There is more to do, of course, and now every college is involved. It helps to make this a great university.’