Speaking as part of a virtual conference to discuss an International Institute for Strategic Studies [IISS] report on cyber capabilities and national power, Willett explained that nightmare scenarios where “red buttons can just be pressed by leaders” to use a doomsday cyber weapon to destroy an adversary are “a long way off.”
Explaining further, he said even if a state would “go all out to destroy the critical national infrastructure of an opponent – this is much more easier said than done.”
Willett also warned that the “potential unintended consequences would need to be well thought through” in terms of whether the overall foreign policy goal would be reached or if that would fail and there would be uncontrollable escalation between the sides.
Rather, the former GCHQ cyber chief said “cyber is a part of your list of capabilities” both in prosecuting a war or pursuing other strategies and the real question is “how do you integrate it with other capabilities?”
Despite claims that the Biden administration to date has been ineffective in deterring cyberattacks from Russia and China, Willett said, “if you are attacked... it does not mean you have to respond or that it is a good idea to respond in cyberspace. There are plenty of other actions which have been taken by allied states.”
“Collective calling out and attribution of a cyberattack can sound ineffective... I would contend that the [aggressor] state knows it has been detected and attributed, and that an alliance of states have agreed that it has violated their cyber norms and have shared lots of information about that state among themselves” may be more effective than these tactics have been given credit for to date.
Deconstructing some of the latest conventional wisdom that China is repeatedly winning the cyber race with the US, he described why he had put Beijing in a second tier ranking with America occupying the first tier alone.
He said China’s “own reports show they have all sorts of weaknesses. They might be able to learn from liberal democracies. A cyber private-sector industrial base has been incentivized,” suggesting that its over-centralization of government control causes many cyberdefense problems.
Although centralized control may create some advantages in eliminating certain cyberdefense holes, he suggested it would severely limit how much Chinese companies can globalize if they are viewed as entirely beholden to the government.
Further, he said that there are defenses and solutions which come with diversity and that the West’s private sector diversity and cross-border alliances in sharing intelligence is something that cyber powerhouses like China and Russia have never come close to attempting.
Both China and Russia routinely deny allegations of their hacking the West and accuse the US of hypocrisy, though they usually do not offer the same level of depth of proof which Washington produces.
Willett is senior adviser for cyber at the IISS, having spent 33 years at GCHQ dating back to 1985.
As GCHQ’s first director of cyber from 2008 to 2011, he helped design the UK’s first national cybersecurity strategy.