In late October 2021, Iran suffered a cyberattack that disrupted the use of the government-issued electronic cards many Iranians use to purchase subsidised fuel. The result was predictable and widely reported. The Iranian Government has since blamed the attack on Israel and the US, who in turn have denied responsibility. Such events are far from uncommon.
A notable example occurred in late 2015, during the conflict in Ukraine, when the country’s power grid was subjected to a cyberattack thought to have been carried out by ‘Sandworm’, a Russian cyber military unit. This led to power outages for 230,000 people. In that case, the attack might be considered overtly political, whereas others have a more basic financial purpose, such as the use of ransomware to extort money from the victim. The same perpetrators could be involved in both, with the latter helping to provide practical experience and fund the former. Whatever their motivation, the intent is to interrupt the normal services of the country or organisation that has been targeted.
At the more modest end, the denial of service is damaging for the organisation involved, both financially and to its reputation. At the other end of the scale, the impact could force the closedown of a country’s power network, with all of the implications this entails. No lighting, no bank transactions, shops unable to operate, and potentially no medical records available. At this level, the implications can reach beyond political advantage to become part of military strategy in times of war.
Whilst such events can be caused by malicious intent, the recent COVID-19 pandemic has vividly demonstrated that naturally occurring events can have an equally devastating impact, and governments need to have the infrastructure in place to deal with these as well. It was noticeable at the outbreak of the pandemic that when a considerable volume of PPE was suddenly required, domestic supply was lacking, as was the domestic capability to produce vaccines in sufficient volume. The same global pandemic has also disrupted international supply chains, and this can easily spin out of control, making it difficult to source goods or components that may be of crucial importance for defence or medical purposes. The supply chain disruption may even be viewed as a tactical issue in certain circumstances, in much the same way that concerns have been raised over gas supplies to Europe from Russia. As a result, the issue of national resilience has assumed a higher profile and the government has begun to respond with a greater degree of urgency.
Between July and September 2021, the Cabinet Office held a consultation for the development of a national resilience strategy, with a response due in late December. This followed the March 2021 policy paper ‘Global Britain in a Competitive Age: The Integrated Review of Security, Defence, Development and Foreign Policy’. This review, the first undertaken since 2015, was felt necessary considering how circumstances had changed, and whilst it did place an emphasis on foreign policy, it also outlined the need to strengthen homeland security, building on what was described as “firm foundations” in areas such as cyber security, countering the proliferation of CBRN weapons, intelligence, and counterterrorism.
In 2017, the Institute for Risk and Disaster Reduction described the cascading effects of power failures and their wide-ranging impacts, attempting to raise awareness of these issues. They cite the cyber-attacks in Ukraine as an example of causes that are manmade and deliberate, but also point to other manmade examples in North America and Europe in 2003 and 2006 where the cause was largely management failure. Natural hazards also have a role, as seen in Cyclone Kyrill in January 2007, which caused widespread power outages across Europe.
Currently underpinning the authorities’ responsibility in such matters is the Civil Contingencies Act 2004. This was introduced following the fuel crisis and severe flooding in 2000 and was intended to replace and update the Civil Defence Act 1948, which had been introduced to deal with a ‘hostile act’ from a foreign power, mainly dealing with the consequences of nuclear war. In the post-Cold War era of 2004, the elaborate civil defence precautions that had existed for nearly half a century were considered outdated, and the emphasis was to be more on the ‘civil’ aspects rather than ‘defence’. With a new national resilience strategy currently in development, the implication is that a reappraisal of that approach is underway and that defence in its various forms is again considered an equal or more serious threat than civil problems such as flooding. The 2004 Act allows for the implementation of emergency regulations under certain circumstances and defines the government’s powers, the conditions for making regulations, and their scope. It also defines certain limitations, and the Cabinet Office guide to the Act indicates that these are open to challenge in the courts.
The Cabinet Office had also published a document, ‘National Business Resilience Planning Assumptions’, based on the National Risk Assessment of 2014. This provided details of eleven types of potential disruption, examples being a disruption to the banking system, to international trade, to telecommunication systems, and a national loss of electricity. The eleven are then graded from extreme to moderate. The solutions suggested in the document are little more than recommended sources of information to be consulted in the event of a disruption, with little evidence provided as to what any government plans actually consist of. The suspicion is that this is now being viewed rather more rigorously. In September 2021, the Local Government Association welcomed the call for evidence for the development of a new national resilience strategy and a review of the Civil Contingencies Act 2004. In their initial response, it is notable that cyber issues form a significant part of the document. This is probably not a topic they would have viewed with such concern in 2014; the change is no doubt due in part to the experience of the cyberattacks suffered by Redcar and Cleveland, and Copeland councils.
A more robust form of national resilience planning would probably meet with the approval of a majority of the general public. Many will have experienced cyber-attacks of their own and will view the seeming inability to adequately tackle these as a matter of concern. Equally, reducing the necessity of importing power and of involving foreign governments in UK power generation and telecommunications networks would be viewed as sensible measures. The question is what form any changes will take, for despite general support for measures that would increase national resilience, the experience of the measures put in place during the COVID-19 pandemic using the Coronavirus Act 2020 does offer a note of caution. There are some who view these as an attack upon civil liberties, with the scope of the powers granted to the police and other authorities unnecessarily wide and employed with seemingly little parliamentary or legal oversight. The pandemic will have been a steep learning curve for central government, local authorities, and law enforcement agencies alike. The powers granted at the beginning of the Second World War should serve as a warning, and the balance between public interest and official convenience is not an easy one: emergency powers are easy to create, but far harder to control and dismantle once in place.
Written by Frances Rigby