LONDON — Of all the ways Theresa May could hit back against Russia over the poisoning of an agent on British soil, a cyberattack seems almost fitting.
The British prime minister would be using Moscow’s own cherished method of cyber sabotage to teach the Kremlin a lesson — highlighting U.K. covert capabilities with little risk of igniting a hot war.
May set a deadline of midnight Tuesday for the Kremlin to explain how a Russian government-manufactured nerve agent came to be used in the attack on double agent Sergei Skripal and his daughter in Salisbury, southern England. Russia denies involvement: “We have nothing to do with this,” said Foreign Minister Sergey Lavrov.
But while media reports suggest that top officials are examining a cyber response to what May has called an “an unlawful use of force,” senior U.K. lawmakers and international experts warned against prodding the Russian bear with this particular tool.
“It is something you would have to continue for some time and Russia would retaliate” — Keith Simpson, Intelligence and Security Committee
Not only does Moscow boast one of the world’s most advanced cyberwarfare programs, they said, in the event of a major British attack, Russian President Vladimir Putin is almost certain to hit back in kind, prompting a spiral of retaliation that could escalate into full-blown electronic war.
“The Russians have got vast capability on this [the cyber front], both state-organized agencies plus all the mafia elements who are linked in with them,” said Keith Simpson, a member of the Intelligence and Security Committee, which regularly probes Britain’s intelligence services.
Despite Britain’s “considerable capacity” to mount cyberattacks, launching one would not be “a one-off thing,” he added. “It is something you would have to continue for some time and Russia would retaliate.”
‘Top tier’ cyber country
To be sure, Britain has been preparing for this sort of scenario for years. George Osborne, formerly the U.K. chancellor and now editor of the London Evening Standard, was behind a major push in 2015 to upgrade Britain’s cyber capability, according to a person close to discussions.
He ordered a new National Cyber Security Strategy, which flagged investment in the National Offensive Cyber Program, a partnership between the Ministry of Defence and the main signals intelligence agency, the Government Communications Headquarters (GCHQ).
“Operationally speaking they have been involved in online covert actions, and they’ve developed their own approach to online covert action” — Alexander Klimburg, The Hague Centre for Strategic Studies
A December report by the U.K. Intelligence and Security Committee said Britain’s cyber capabilities have “more than doubled” in past year. And former Defense Secretary Michael Fallon acknowledged in a speech last year for the first time that London had used “offensive cyber” against the Islamic State terrorist group.
Willingness to deploy offensive cyber weapons puts Britain in the “top tier” of cyber powers, surpassed only by the United States and “on par” with Russia, according to Alexander Klimburg, director of the Cyber Policy and Resilience Program at The Hague Centre for Strategic Studies.
“They [Britain] have a good reputation,” he added. “Operationally speaking they have been involved in online covert actions, and they’ve developed their own approach to online covert action. They have lots of experience in this.”
‘Anything is possible’
In December, GCHQ disclosed that it is developing a “full spectrum” of cyber weapons — from tactical tools to high-end deterrents, which they said may never be used.
Yet the specific tools at the U.K.’s disposal are kept secret. Options available to a power of its size run the gamut from phishing schemes to targeted attacks on individuals’ online identities to shutting down a city’s power grid from a distance and using software glitches only spooks know about to hack networks.
“Anything you can think of is possible in cyber,” said Klimburg. “It starts at macro-level stuff that includes turning off power at the level of a city, to targeted attacks … to very specific like changing bank accounts or identities,” he said.
Britain could justify such a move, which would amount to an act of war. Under international law, the U.K. could defend against what May described as an “unlawful use of force” by invoking the United Nations charter’s Article 51, which spells out a state’s “inherent right of individual or collective self-defense” in the event of an armed attack.
But taking its case to the United Nations would bog London down in diplomatic discussions. And a major unilateral cyberattack against Russia would defeat the weapon’s chief attribute: its covertness, and the fact that the state deploying it can deny responsibility.
“There are a lot of different ways to respond, and cyber will only be a part of that puzzle” — Alexander Klimburg
Another path is to enlist allies to help mount a cyber operation. NATO announced a major bulk-up of its cyber capabilities last year. In a statement Monday, Secretary-General Jens Stoltenberg insisted that the alliance was “in touch with U.K. authorities on this issue [how to respond to the suspected assassination].”
Even so, not all officials are convinced a cyberattack is the best option. For Simpson, it would be better to hit Putin’s allies where it hurts them most: in the pocket.
“Denying him [Putin] and his friends their money or their ability to recycle their money through Western banks is the thing that is going to cause him the most pain,” he said.
For Klimburg, there is yet another preferred route: confiscating assets.
“The U.K. also has a lot of other tools at its disposal, in particular confiscation of assets that are known to be close Putin allies. There are a lot of different ways to respond, and cyber will only be a part of that puzzle,” he said.