When I heard that there was going to be a TV drama about cyber security, my initial reaction was that it was a brave thing to try. Turning what we do into television is notoriously difficult. There is very little to see: just people tapping at keyboards and looking at screens, with most of the action inside their heads. So I was pleasantly surprised by Peter Kosminsky’s Channel 4 series The Undeclared War (the second episode of which airs tonight). I saw it all in one weekend.
The cyber attack on the UK in episode one was all too believable. Initially I thought they were going to be vague and melodramatic: “The internet is down!” – but the script went on to explain how BT’s infrastructure, which runs a large part of the web traffic in the UK, went offline. They specified how 55% of web access had been lost and it was cleverly timed to be a disruptive attack, rather than a disastrous one with planes falling from the sky. You can cause a lot of chaos by removing any of these “level 1 networks”. We’ve seen it happen by accident: last October, Facebook managed to delete itself by mistake, so it’s perfectly plausible that an attacker could do the same thing.
We have also seen it happen by design. In 2016, there was an attack on a company called Dyn, a domain name system provider (essentially, the phone book for the Internet). It brought down Amazon, Netflix, gaming platforms, social media and news organizations for half a day. In internet time, that’s eons. Two years ago, SolarWinds, the network management software used by all kinds of government departments, was hacked. Someone cleverly put in a back door, which went unnoticed for months. It appeared to be espionage, but instead of stealing data, it could have been used for something more disturbing.
Of course, the show’s timing is also fortuitous. An hour after it invaded Ukraine, Russia took offensive cyber action. A communications company called Viasat provides much of the Internet connectivity in Ukraine. Russia managed to freeze it so nothing would work. It stopped people from going online, which may not sound like much, but look at the younger generation who are glued to their smartphones. They start screeching if they lose wifi for 10 seconds. Imagine there is no internet for 12 hours. That’s a pretty major interruption.
From the start, The Undeclared War visually depicted protagonist Saara Parvin (Hannah Khalique-Brown) completing a digital Capture the Flag exercise. This portrayed her thought process beautifully. People who excel at cybersecurity tend to be good problem solvers. At Bletchley Park during the war, they would print cryptic puzzles in the newspapers and recruit the people who completed them the fastest.
Once I got to the nitty-gritty of technology, I loved seeing the characters using real tools. Analysts unpacked a piece of malware using IDA (the Interactive Disassembler). The code they saw on the screen was actual machine language, rather than gibberish. Saara found a second virus nested within another, a bit like Russian dolls, which is a well-known technique. My own original discipline was steganography, the art of hiding things in plain sight. It is mainly used for covert communications, but also increasingly in malware. Make people look in one direction and suddenly the payload shoots off somewhere unexpected.
We saw Saara exploit real vulnerabilities and go through a firewall, which was pretty authentic. She was also putting the virus in a “sandbox,” which is what you do to test malicious software: upload it to an isolated computer. It just so happened that this piece of malware came to light, but that too is becoming more and more common. The malware is now designed to recognize when it’s in a sandbox and find ways to escape. I can say that a lot more thought has gone into The Undeclared War than the average Bruce Willis “bombs and bullets” movie.
I enjoyed the juxtaposition at the Cobra meeting between what ministers demanded and what GCHQ advised. Politicians often suffer from “do-something-itis”: they want to be seen as taking decisive action. Nobody in our trade would think that hacking is a good idea, because it leads to escalation. GCHQ reps Danny Patrick (Simon Pegg) and David Neal (Alex Jennings) correctly pointed out that an eye for an eye can go terribly wrong. If you’re not careful, a conflict in cyberspace can turn into military retaliation. In fact, NATO’s Tallinn document says that if it comes under a cyberattack of sufficient magnitude, it reserves the right to respond “kinetically,” meaning missiles and bombs.
The drama also highlighted the big problem of retaliation. Cyber attacks allow for plausible deniability and attribution is incredibly difficult. People assume it was the Russians, but no one knows for sure. If someone launches a missile at you, you’re pretty sure where it came from. With cyber attacks, it’s hard to know who wrote the code and where it was. It’s also easy to plant false flags there: make it look North Korean, for example, or make the file timestamps correspond to Moscow time zones. It needs auxiliary intelligence because bits of electronic warfare data are not enough.
In the show, a rogue British hacker named Jolly Roger responds to the Russian attack by turning the lights in Putin’s office on and off. You get these vigilantes. There is a whole group on the Telegram chat app called the “Ukrainian IT Army”, which is trying to mount attacks on Russian targets. At another point in the show, GCHQ mentions taking control of Putin’s presidential plane. It’s an inside joke about cybersecurity consultant Chris Roberts, who told the FBI in 2015 that he had hacked planes and controlled a United Airlines flight. Don’t worry: you may be able to hack the galley system or the in-flight entertainment system, but not the engine management or autopilot.
GCHQ’s setup also feels very accurate. The old site comprised many small individual offices with locked doors and a high degree of compartmentalization. Since “The Donut” was built in 2003, it looks more like a college campus. Once you’ve walked through the doors, there are open-plan offices and cafes. The baristas serving the coffee have the same security clearance as you. I approved of how Kosminsky shows people in uniform walking around, because GCHQ also supports military operations. Some staff members work in bulletproof vests or behind bulletproof glass – brave people doing important work. It’s refreshing how the drama shows GCHQ in a positive light. These people help us defend ourselves on a daily basis, with little or no credit.
There are criticisms, naturally. The cabinet office meeting rooms are too dark and not dilapidated enough. There is too much external connectivity from within the Donut. These dramas always come down to six people saving the world, when actually a thousand do the work. And having Saara, a student intern, crack the code was overkill. On the other hand, it’s amazing how often people find something in places no one else thought to look.
Some viewers have asked if Saara would get the clearance, considering her partner is a climate change activist, but things have changed a lot. In the 21st century, GCHQ welcomes one and all. The questions are not about “moral turpitude” as they were when I joined, but about whether you will remain loyal. What the process tries to establish is if you are hiding something. It doesn’t matter what your sex life is or if you’ve ever taken drugs, as long as you’re open and honest about it. If you’re holding something back that you could be blackmailed or coerced over, that’s where the problems arise.
The security services today have people who would not have entered 30 years ago. In the cold war era, we were looking primarily at the Soviet Union, so a lot of the recruits were white, male, Russian-speaking public schoolchildren. Now the threats are much more widespread. We are worried about places like China, Iran and North Korea. You need staff diversity to reflect the threats we face.
You can absolutely tell that Peter Kosminsky did three years of research. I bet he was pretty cooperative too, because so many scenarios, tools, and techniques matched my own experience. Kosminsky says that everything he described has happened or has been “war-gamed” by the security services, which I can believe. We have an organization called the Center for National Infrastructure Protection. Part of its job is to identify critical failure points – “What will be the impact if certain telecom towers go down?”, “What happens if someone cuts the transatlantic data cables off the Cornish coast?” – and rehearse what might happen.
We’re very cautious on cybersecurity, but other than a few elements added for dramatic effect, I feel very positive about the realism of the show. The security industry is like any other, in that people will look for holes in the technical details. Overall though, The Undeclared War is very impressive. I would love to see it renewed for a second run. That could portray another rogue state, perhaps North Korean ransomware, Chinese data collection, or something spreading from the Middle East. There’s definitely fodder for another series, so to speak.
As told to Michael Hogan
Alan Woodward is a computer scientist and visiting professor at the Surrey Center for Cybernetics Security. He has worked for the UK government in signals intelligence and information security, as well as in business and academia.