Russia waging ‘most sustained and intensive cyber campaign on record,’ NCSC CEO says
Russia’s physical invasion of Ukraine has been accompanied by “probably the most sustained and intensive cyber campaign on record” according to one of the United Kingdom’s most senior cybersecurity officials.
Lindy Cameron, the chief executive of the National Cyber Security Centre (NCSC), told the Chatham House security and defence conference on Wednesday that her agency had “not been surprised by the volume of Russian offensive cyber operations, nor have we been surprised by their targeting.”
Even before NCSC was founded in 2016, its parent organization GCHQ had spent decades studying Russian cyber doctrine and tracking the threat it poses, a period during which Russia “invested significantly” in its offensive cyber capabilities.
“This has given us a deep understanding of the Russian threat in cyberspace, both by state and non-state actors,” explained Cameron.
These state actors in Russia, which include units that are part of its intelligence apparatus and part of its military forces, “have been busy launching a huge number of attacks in support of immediate military objectives,” she said.
Despite some of the more extreme warnings from people on the fringes of the cybersecurity sector, those attacks weren’t apocalyptic — nor were they intended to be. Russian attacks persistently attempted to reduce the Ukrainian government’s ability to communicate with its population, to interrupt the financial system and spread panic, and to distract Ukraine’s cybersecurity resources from their other priorities.
These operations have varied in sophistication, from DDoS attacks to the Viasat attack launched an hour before Russia’s tanks and missiles started targeting Ukrainian cities. The goal was to “disable or downgrade the Ukrainian government’s ability to communicate,” explained Cameron, “a visible example of Russian doctrine in action: using cyber operations as a tool in support of wider military objectives.”
“But for me, in many ways the most important lesson to take from the invasion is not around the Russian attacks — which have been very significant and, in many cases, very sophisticated. It is around Russia’s lack of success,” she added.
“Try as they might, Russian cyber attacks simply have not had the intended impact.”
She credited Ukraine’s own cyber defenses — which have developed through almost a decade of attacks, stretching back to Russia’s annexation of Crimea in 2014 — alongside private sector and international partnerships.
“If the Ukrainian cyber defense teaches us a wider lesson – for military theory and beyond – it is that in cybersecurity, the defender has significant agency. In many ways you can choose how vulnerable you can be to attacks,” said Cameron.
This lesson was key, she warned, because although the world has yet to see significant offensive cyber activity from Russia that wasn’t directly targeting Ukraine, this could change.
“In response to significant battlefield set-backs, in the last week we have seen Putin react in unpredictable ways… There is still a real possibility that Russia could change its approach in the cyber domain and take more risks — which could cause more significant impacts in the UK.”