The British government is being criticized for a speech at the NATO Cyber Defence Conference in London on Monday, when a senior minister claimed “with a cyberattack, Russia can turn off the lights for millions of people.”

The speech by Pat McFadden was described as “ridiculous” by Kevin Riehle, a lecturer at Brunel University London and former counterintelligence analyst in the U.S. government, and as “a step backwards” by James Sullivan, the director of the cyber research group at the think tank Royal United Services Institute (RUSI), alongside several other experts in the field.

McFadden told the conference dedicated to the alliance’s cyber defense efforts that while the “aggressive and reckless cyber threat” of Russia should not be underestimated, NATO “will not be intimidated by it, and we will never allow it to dictate our decisions or our policies.”

“The hyperbolic ‘lights out’ Hollywood scenario” described by the minister missed the true impact that cyberattacks are having on Britain, Sullivan said — concurring with a senior strategist at U.S. Cyber Command that attacks below the threshold of starting an armed conflict were having “strategically consequential effects.”

“Similar to disinformation, the impact from cyber incidents over the last decade has been much more gradual and insidious. We must build collective resilience against those threats and never normalise them as part of modern life,” Sullivan said.

Speeches on cyber by the Chancellor of the Duchy of Lancaster — effectively the United Kingdom’s second-most senior minister, after the prime minister —  have a history of imprecise comparisons.

Speaking at the CyberUK conference in Belfast last year, then-incumbent Oliver Dowden described the range of Russia-aligned threat actors as “Wagner-like cyber groups” despite obvious differences between mercenary forces and financially-motivated ransomware hackers.

The use of imprecise language risks muddying the already opaque understanding of the relationship between the Kremlin and the wide range of threat actors in Russia, from obviously financially-motivated ransomware groups through to “hacktivist” entities launching DDoS attacks against their targets.

In his speech on Monday, McFadden appeared to fail to distinguish between “mercenaries not directly under the Kremlin's control,” and criminal groups and hacktivists.

He described “both the Russian military and its unofficial army of cyber criminals and hacktivists” as having “stepped up” attacks within the last year, but also noted “the activity of these groups isn’t something new, or something that has just been happening in recent months.”

Jamie MacColl, a cyber research fellow at RUSI, said: “The suggestion that Russia ‘can turn the lights off for millions’ is not grounded in reality and likely reflects a misunderstanding of the kind of effects that offensive cyber operations can achieve.”

“This kind of language also does Russia’s job for it, given Russian intelligence wants to create panic and weaken societal resilience through cyber operations. Resisting Russian cyber attacks requires psychological as well as cyber resilience, and this rests on clear and calm rhetoric and guidance from the government,” MacColl said.

Louise Marie Hurel, also a cyber research fellow at RUSI, said the depiction of “a scenario where Russia could execute a one-click, nationwide shutdown is unhelpful.” 

“Such exaggerated rhetoric inadvertently bolsters Russia’s image and perceived capabilities while unnecessarily spreading fears of a doomsday scenario,” she said.

It comes on the heels of an election campaign in the United Kingdom during which two significant cyber incidents were largely ignored by the campaigning parties — something that experts said highlighted how little focus Westminster placed on the issue.

“The new Labour government is on a learning curve with cyber security after 14 years out of office,” said MacColl. “It needs to make sure it has political advisers and speechwriters that understand the reality of cyber operations and cyber security.”