A 2021 cyber breach at the UK Foreign Office, which has recently come to light, exposed an endemic culture of ignorance and apathy regarding cybersecurity not uncommon in Western government departments.
A breach of the Foreign Office by Chinese and Russian hackers two years ago is understood to have potentially compromised allies such as the US. The scope of the attack, only recently revealed, shows that the hackers would have been able to access correspondence not marked as classified from ambassadors or diplomats positioned abroad. This enables very high-level social engineering, since such correspondence can be mined for personal details and references with which to craft specially tailored, carefully worded fraudulent spear-phishing emails to key civil servants and politicians.
Sources close to the situation suggest that this is likely to have been how Chinese and Russian hackers broke into the UK Foreign Office in the first place. An unnamed staff member is believed to have opened a weaponized attack email from an unknown source. This is a tragically frequent occurrence in most sectors and one of the hardest to guard against.
But the Foreign Office’s culture of secrecy is combined with what the cybersecurity industry has long suspected to be a culture of ignorance and apathy. Its belated response to the incident two years later has done little to increase confidence on the part of the public. The Foreign Office has as yet given no clear details of any security steps taken since the breach to reduce the likelihood of it happening again or, indeed, any reassurance that its security has been strengthened in the intervening two years. Its admission that the Chinese and Russian breaches are likely to have occurred independently of one another gives little comfort, as it suggests that the Foreign Office’s cybersecurity defenses are as leaky as a sieve.
Nor is there any apparent reason to suppose that similar incidents could not happen again in the future, as the Chinese and Russians appear to have had access to precisely the kind of personal communications needed to craft a personalized phishing email with a weaponized link. Such spear-phishing attacks have also been made simpler and more effective with the addition of criminal artificial intelligence (AI)-driven services such as FraudGPT, named after the legitimate, Microsoft-backed AI service ChatGPT.
There now seems little doubt that without a thorough overhaul of cybersecurity practices at the Foreign Office, the UK and its allies will be at risk from cyber espionage on the part of foreign powers. Perhaps the Foreign Office could follow the example of the UK’s spy agency GCHQ and that of the KGB, who, about ten years ago, were reported to have ordered hundreds of old-school manual typewriters to ensure that their most sensitive documents were unhackable.