A cyber attack – possibly by China or Russia – hit the academic arm of the UK’s Ministry of Defence and had a “significant” impact, the officer in charge at the time has revealed.
Air Marshal Edward Stringer, who retired from the armed forces in August, said the “sophisticated” hack – discovered last March – prompted the Defence Academy to accelerate plans for its entire network to be rebuilt and made more resilient.
The targeting of an academic institution is a sign of how the frontline in modern warfare can be anywhere, the former director general of the academy told Sky News.
“The consequences for the operations were significant, but then manageable,” Air Marshal Stringer said, in his first television interview since leaving the military.
“But only manageable because your people work incredibly hard to keep things going and find back-up methodologies.”
IT staff had to “find back-up ways to use regular internet, etc, etc, to keep the courses going, which we managed to do – but not as slickly as previously, that would be fair”.
He said he did not know whether criminals or a hostile state were responsible, but a primary concern had been whether the hackers had tried to use the Defence Academy as a “backdoor” to penetrate much more secret parts of the MOD’s IT systems.
Asked whether the cyber spies had been successful, Air Marshal Stringer said: “No, I was quite confident… that there hadn’t been any other breaches beyond the Defence Academy.”
It is the first time a senior – albeit now former – official has spoken on the record about the cyber attack and its impact on the academy, which is based in Shrivenham, Oxfordshire, and teaches thousands of British and overseas military officers every year.
“It doesn’t look like a violent attack, but there were costs,” said Air Marshal Stringer, who also held the title of director general of joint force development, leading the military’s thinking on the future of warfare and how the armed forces need to adapt.
“There were costs to… operational output. There were opportunity costs in what our staff could have been doing when they were having to repair this damage. And what could we be spending the money on that we’ve had to bring forward to rebuild the network? There are not bodies in the streets, but there’s still been some damage done.”
The digital branch of the MOD launched an investigation into the cyber attack but any results – such as who was behind it – have not been made public.
The National Cyber Security Centre, a branch of GCHQ, was also made aware of the hack.
Sky News understands that a hostile state such as China or Russia is suspected, though it could also have been the work of criminals.
Asked who he suspected, Air Marshal Stringer noted that states like China, Russia, Iran and North Korea have the capability to launch such a hack in what is seen as a grey zone of harm under the threshold of war.
“It could be any of those or it could just be someone trying to find a vulnerability for a ransomware attack that was just, you know, a genuine criminal organisation,” he said.
The Defence Academy, based on a sprawling campus, teaches about 28,000 military personnel, diplomats and civil servants a year.
Any British officer moving up through the ranks will spend at least a year on a course at the academy – returning if they plan to rise to the top echelons of the armed forces.
The academy’s IT infrastructure, including its website, is managed by Serco, an outsourcing company. Its contractors first spotted some “unusual activity” one weekend last March.
They soon realised there were “external agents on our network who looked like they were there for what looked pretty quickly like nefarious reasons”, Air Marshal Stringer said.
“Alarm bells rang, and at that point, we start to really dive in and see what’s going on.”
He said that the academy was immediately alert to the possibility that it might have been targeted by a hostile state in a grey zone-style cyber attack.
However, not all parts of the MOD seemed as quick to appreciate what might be going on, perhaps initially wondering instead whether it was just an IT problem.
“Moving from the analogue and the industrial age to the information age, there are three tipping points,” Air Marshal Stringer said.
“There is a tipping point in the thinking, tipping point in the talking and then the tipping point in the doing, including everybody’s instinctive reactions. I think generally we’re somewhere between those latter two.”
As well as concerns about whether the hack had breached the wider MOD network, there were also worries about the security of personal data.
However, no particularly sensitive information is thought to be stored on the academy’s network.
Teachers and students were impacted, though, as the IT infrastructure – the equivalent of the online domain for a university – had to be examined and then ultimately rebuilt, a task yet to be finished.
This was particularly disruptive as even more study material than normal had been moved online because of the pandemic.
A tag on the Defence Academy’s website still reads: “New website coming soon… please bear with us while we continue to update our site.”
The MOD did not respond to questions about who it thought was responsible for the hack.
A spokesperson said: “In March 2021 we were made aware of an incident impacting the Defence Academy IT infrastructure. We took swift action and there was no impact on the wider Ministry of Defence IT network. Teaching at the Defence Academy has continued.”