In the Second World War, there was a period between 1939 and early 1940 when Britain had declared war but not a lot really happened. The bombs had not started falling yet.
WWII was the fake news of the day. From our perspective 85+ years later, we can see that period in context, but those at the time had a name for it: the “phoney war”.
That is where we, in the West, are now – a phoney war. The drones are hitting Kyiv, Lebanon and Dubai. But in London and New York, we are not yet facing a counterattack. The question is not whether it comes, but when.
But when it does, it will not look like 20th century warfare. It will be guerrilla. It will be sabotage. It will be low budget. And a huge amount of it will be cyber.
The Jaguar Land Rover Playbook
Last year gave us a strong clue as to what to expect. The cyber attacks on JLR (Jaguar Land Rover) and Marks and Spencer in the UK were not direct hits on those companies. They were attacks on key suppliers. The same thing happened with the Germany FMCG company, KP Snacks when its HR system was taken offline – people simply could not get into the factories – but the impact up the supply chain was massive: loss of revenue to supermarkets, leading to loss of profit. Suddenly pension funds got nervous and we all felt the pain.
When a mid-level IT supplier to a second-tier supermarket gets breached, it’s disruptive to that supplier’s business. But it’s catastrophic for the customer – 2025 will always be remembered as the year those brands got taken down, not the suppliers who were actually hit.
And when the government had to step in to support JLR’s supply chain, that should have been the wake-up call.
Utilities Are the Soft Target
Not every part of our critical infrastructure is equally exposed. Some sectors, like transport, have already upped their game. There has been commercial pressure to do so.
But one sector stands out as particularly vulnerable: utilities. There has been no equivalent market driver yet for greater cyber resilience. The sector is far behind and an easy target.
It is not just the technology attack surface. It is the physical one. Reservoirs, water treatment plants, pumping stations – these are often at remote locations, have last-generation CCTV and minimal physical protection. I have heard of places in Scotland where storms routinely knock out connectivity to physical assets. No-one sends a team to investigate why the sensors are not reporting when the wind is blowing strongly. Because that’s just normal.
And maybe it is already too late. A zero-day attack installed via a USB stick during a moment of physical access could sit dormant for months. The attack may already be in place.
The challenge for utilities is that the organizations in this sector are already under pressure to upgrade Victorian physical infrastructure. Let alone their 20th Century IT estate.
21st Century Total War
In the 20th century, total war meant the entire economy pivoted. Car manufacturers built tanks, ironmongers made bullets, and shadow factories sprang up across the country. Everyone here in the UK felt like a target too, especially if you lived near the docks or the factories.
21st century warfare has the same characteristics, but in reverse. This is a defensive total war.
If you’re a company that makes components and sells them into a critical supply chain, you are a target. Not because of where you are physically, but because of where you sit in the chain.
In fact, your remoteness might actually make you more of a target, not less. And in my opinion, not just Tier-1/ Tier-2 suppliers to critical national infrastructure but every British company is now a potential target.
So, What’s the Solution?
If this is the real threat, what does a proportionate response actually look like?
There is a Cyber Security and Resilience Bill before Parliament right now. It’s a start, but I am not sure it goes far enough.
There are other steps we can all take.
There are standards for cyber security, but the vast majority of companies comply begrudingly – only if a customer insists on it.
At the lowest level is a UK standard called “Cyber Essentials”. It’s not exactly lightweight, but it’s a self-assessed standard – with no independent audit. More stringent is “Cyber Essentials Plus”, essentially the same – but audited.
At a bare minimum, Cyber Essentials Plus should be mandatory for every registered company UK. It’s a basic, independently verified qualification. Compared to ISO27001 or SOC2, it’s not particularly rigorous. But it would be a basic hygiene factor.
Beyond that, every company should have to be pen tested. Perhaps with the spectre of Mythos looking, pen testing ought be continuous? Regardless, it would be easy to set up a system where that’s verified by filing a certificate at Companies House.
We should make it as routine as filing your annual accounts.
Every citizen should be getting phishing awareness training too. This is the 21st century equivalent of Dad’s Army: everyone needs to know how to defend themselves. It’s not quite drills on the village lawn on how to use a bayonet – but basic cyber defence training should be mandatory for everyone who uses a computer.
During COVID, we mandated vaccines and face masks. We taught people how to wash their hands properly.
We should be mandating basic cyber defense for every citizen and every company.
The cost of not doing so is not theoretical anymore.
