Russia’s Grand Strategy Debate

Department: Department for Transport

Russia’s Grand Strategy

Damien Moore Excerpts
Thursday 6th January 2022

Commons Chamber
Damien Moore (Southport) (Con)

I thank my hon. Friend the Member for Harwich and North Essex (Sir Bernard Jenkin) for securing this important debate, in which colleagues have raised important issues relating to Russia’s grand strategy.

It is particularly timely that we are talking about energy security and the extent to which we are dependent on Russian gas exports. It is clear that Russia has the power to influence the rising energy bills that affect many of our constituents. I very much hope that we will continue to increase our domestic energy production so that we become less reliant on Russian exports.

I share colleagues’ concerns about Ukraine’s fate. The events of 2014 and the tragic effects of the war still being fought in the east of the country today should leave us in little doubt that Russia is prepared to violate sovereign territory to further its own aims, as the brief five-day war of 2008 in Georgia had earlier indicated.

I also appreciate the increasing concerns about Russia’s actions in cyber-space, which is perhaps the most complex and difficult of the areas that have been covered in the debate. When cyber-war is discussed, it usually seems to include everything from a Russia-attributed attack on Estonia’s Government and financial institutions in 2007 to the NotPetya ransomware attacks against Ukraine in 2017 and even the SolarWinds espionage of 2020, in which UK Government computers were among the millions across the world on to which Russian agents quietly sneaked, remaining to listen and gather intelligence.

The last point sounds rather alarmist. We are right to make every effort to clamp down on and weed out digital Russian spies wherever we find them. We know what to do when we find a physical spy, so when spying is done via a digital medium, why do we hear respected voices announcing that there has been a “cyber-attack”? When a Russian spy is detected in the UK, we do not claim that Russia has launched an attack; rather, we use the existing tools at our disposal to deal with the situation in the established way. Applying the term “cyber-attack” to cyber-espionage is extremely unhelpful, especially in relation to Russia: rather than seeking to develop and promote the norms that countries should follow when they detect cyber-espionage operations, we lose ourselves in needless sensational hysteria, abusing terms such as “cyber-war” and “cyber-attack”.

When we want to understand Russian cyber-espionage and how we respond to it, we do not need to look much past the rules and norms that we have already established with conventional espionage to understand the role that cyber-espionage plays in Russia’s grand strategy. However, while looking towards traditional espionage helps us to understand some of Russia’s strategy in cyber-space, the fact that the area is still widely misunderstood and lacks rules and norms for operation means that there is still ample scope for Russia to navigate and pursue its grand strategy in what many people call the grey zone.

Let us take the international response to the Russia-attributed denial-of-service cyber-attack on Estonia in 2007. Despite effectively cutting off Estonia from the rest of the world and cutting off its citizens from their Government and financial institutions for some three weeks, it was not deemed an attack under article 5. Qualifying as such an attack would have seen the NATO alliance rise to Estonia’s defence in a war with Russia. Although there was no loss of data or money and no physical damage to resources, it seems plausible to say that it was an attack, but that was not how NATO saw it. That issue needs to be addressed.

Denial-of-service attacks are not rare. Russia launched similar denial-of-service attacks against the Georgian Government in 2008 as part of the five-day war, although this time they were aimed solely at Government and military sites. In 2017, Russia launched the ransomware NotPetya against Ukrainian banks, energy companies and infrastructure. It combined that cyber-sabotage with kinetic troop movements on the eastern border, again to display power. Attribution is not overly complex: the UK’s National Cyber Security Centre has said that Russia was “almost certainly” responsible for the attack.

As many of us in the House remember from seeing North Korea’s WannaCry ransomware unintentionally lock an estimated 70,000 NHS machines in May 2017, the rules and norms that exist in kinetic war, such as not attacking a hospital, simply do not exist in cyber-space. That is something that we clearly need to address. While it is clear that Russia sees cyber-espionage as part of reasonable statecraft in the present day, as the 2020 SolarWinds hack indicates, and while it is clear that Russia was perfectly happy to conduct clear cyber-attacks against Estonia in 2007 and Georgia in 2008, the international jury is still out on what is acceptable in cyber-space.

We must avoid alarmist declarations of “cyber-attack” or “cyber-war” every time we detect cyber-espionage attributed to Russia. Let us use the tools already in our arsenal to react to such cyber-espionage as and when we detect it. Let us mobilise the culture and machinery of government to determine how we view Russian action in cyber-space, building on recent publications. Most importantly, let us lead the international community in clearly laying down rules and norms to which Russia will feel an international obligation, so that no school or hospital ever need fear an indiscriminate cyber-weapon wreaking havoc, as happened to much of the NHS at the sloppy hands of North Korea in 2017, and so that we are ready to act proportionately as and when a cyber-attack may occur. As my hon. Friend the Member for Wolverhampton South West (Stuart Anderson) said, we also need to avoid miscalculation.