When the story of 2018 is told, historians may be hard pressed to say which was weirdest: that a deadly nerve agent was deployed in a quiet cathedral town on the edge of Salisbury Plain, at the heart of our military establishment. Or that the Russian suspects were identified not by British intelligence but a group described last week as “armchair investigators”.

Because we now know not just the identities of the two men who travelled to Salisbury with a military-grade chemical weapon but also the arm of the Russian army that deployed them – thanks to Bellingcat, a citizen investigation site founded by Eliot Higgins, a former blogger who started it from a laptop on his sofa in breaks from caring for his daughter.

Taken separately these stories are gobsmacking but what’s been lost in the reporting is how they are two sides of the same story, imperfect reflections of what many believe to be the defining story of our age: disinformation, the central role of the technology platforms in disseminating it, and the inadequacy of governments to counter it.

Because the sleuthing of the identity of these men is a truly remarkable tale that shows how the power of the crowd and a suite of open-source techniques can achieve feats that remind us of how we thought the web used to be, the tech-utopian dreamspace that has taken such an existential battering in the last two years. Bellingcat’s pioneering achievements are an inspiring reminder of what is still possible.

But it’s also a window into the darkness that the web has become – a site of propaganda, distortion, subversion. Because last week Bellingcat identified the second suspect as Alexander Mishkin, an officer in Russia’s military intelligence service, the GRU. And that’s the clue. It’s the key that unlocks both the gravity and the audacity of what we are witnessing. It’s the GRU that is at the very heart of the attack on western democracies.

Facebook Twitter Pinterest Metropolitan police images of the Skripal suspects Alexander Petrov, left, and Ruslan Boshirov. Photograph: AP

It’s the GRU that has learned how to weaponise the tech platforms that we use every day and that underpin our news and information systems in ways we have singularly failed to protect. It’s the GRU that reports have claimed attacked Nato, the German parliament and the French presidential election. And it’s the GRU that was named in the special prosecutor Robert Mueller’s recent indictments into the attack on the US presidential election.

On Friday 13 July, the day hundreds of thousands took to London’s streets to protest against President Trump’s visit to his eager new ally, Mueller released the indictments of 12 GRU officers for hacking into the computers of the Clinton campaign and the Democratic national convention, an extraordinary piece of work that gives a blow-by-blow account of precisely how the GRU targeted more than 300 people and leaked tens of thousands of stolen documents that would go on to play a hugely consequential role in the presidential poll.

The same agency that we now know has targeted Britain.

Mueller understands what he is dealing with. James Comey, former FBI chief, understood it too. He was sacked after confirming, more than 18 months ago, a “counterintelligence mission” to investigate “the Russian government’s efforts to interfere in the 2016 election”.

But what has become plain is that the British government shows no sign of even acknowledging the scale or complexity of the national security threat we face, let alone how to deal with it, as Hillary Clinton – the target of the GRU’s operation – appeared to acknowledge when she spoke in Oxford last week.

She described how the foundation of western liberal democracy is under assault and made pointed remarks at both the nature of Russia’s attacks on Britain and Britain’s failure to investigate, name-checking both Damian Collins, head of the select committee for the Department of Culture, Media and Sport, for warning of “a crisis in British democracy” and Tom Watson, the deputy Labour leader, who have both called for a public inquiry with “Mueller-style” powers.

What Bellingcat exposes is how citizen investigations are not only surpassing traditional mainstream organisations, they also seem streets ahead of government agencies. Investigators who use publicly available sources have been quietly joining a citizen’s battle against this flood not just of disinformation, but of corporate secrets, dark money thinktanks, networks of political influence, Trump-Russia collusion, overspending in the referendum, up to and including mass murder.

This month, BBC Africa Eye published a stunning investigation using techniques Bellingcat has developed, identifying the location and identity of men who’d killed two women and two young children through forensic analysis of online sources.

Facebook Twitter Pinterest Cambridge Analytica’s former chief executive Alexander Nix arrives to give evidence to parliament’s digital, culture, media and sport committee in June. Photograph: Tolga Akmen/AFP/Getty Images

And, less hi-tech but also hugely valuable, the entire Cambridge Analytica investigation owes a huge debt to open source investigators. After Harry Davies published his first article in the Guardian about the firm in 2015, it was Paul-Olivier Dehaye, an ex-professor of maths in Geneva, who was profoundly troubled by the way personal data was being abused, who took it upon himself to produce an open-source document that he made freely available to journalists.

And when the firm threatened to sue the Guardian, it was the pioneering work of another open-source investigator, Wendy Siegelman, working with US journalist Ann Marlowe, who created a chart of its many complicated corporate structures that the Observer and Guardian’s lawyers drew upon in our response.

An ex-Met intelligence officer who resigned after blowing the whistle on the falsification of police crime reports, James Patrick (@j_amesp), has been crowdfunding the only extensive reporting on Russian interference that’s being published in Britain and whenever I have a question about the Brexit campaign’s figures, it’s @brexit_sham I turn to, a Liverpool-based duo who met ten years ago through football fan activism, researching offshore finance used by the Premier League.

For 18 months Mueller has investigated how Russia targeted the US via information space; an information space that we in Britain share. In February, he unsealed indictments of 13 Russians and three companies that revealed how in 2014, Moscow launched a sophisticated operation to target US citizens by subverting their own social media platforms against them.

It was a key moment in our understanding of this brave new world. A world that we see every day – on our screens, Facebook pages, Twitter feeds, YouTube suggestions, Google searches – but remains murky and complicated. It’s notable that the counter-offensive is taking place on these same platforms that enabled it. That dedicated Twitter sleuths, like @RVAwonk and @conspirator0 and @MikeH_PR), track the bots and trolls.

But then, in the absence of any government being able to hold Facebook to account – Zuckerberg has refused three requests from parliament to appear – it’s all there is. A citizen-fuelled effort that combines counter-disinformation, counter-intelligence and even counter-attacks.

The GRU answers to the chief of the general staff of Russia’s armed forces, General Valery Gerasimov, who has described how this new world works. How “the very ‘rules of war’ have changed”. How “military means of a concealed character” are not just supplemental means of war. They ARE war, he says, describing how through the use of propaganda, disinformation and subversion “a perfectly thriving state” can, in months “sink into a web of chaos, humanitarian catastrophe and war”.

This is what happened in Ukraine. Where we now know – again thanks to Bellingcat who tracked their travel logs – the two Salisbury suspects were previously deployed.

And it’s hard to pick the most extraordinary part of this. That the same Russian military operatives who subverted eastern Ukraine are freely roaming British streets. That the same military agency targeted our information space. Or that the investigation into the actions of this hostile foreign power is being spearheaded by a group of citizen investigators who rely on donations for funding.

But then, it was Bellingcat that in another triumph of open-source investigation, trumped western intelligence agencies in tracking down the Russian unit that launched the missile that brought down flight MH17 in eastern Ukraine, killing 298 people. And by identifying the suspects, Bellingcat has helped draw our attention to what the Skripal attack perhaps really was: an information operation.

This wasn’t simply a hit job on an old adversary. The measure of the attack’s success was not whether Skripal did or didn’t die. It made no difference. It’s the headlines across the world that were the real measure of its success. Success, only now dented by the efforts of Bellingcat.

Because if there’s one lesson to take from this it’s that we cannot count on the government to protect us. It won’t even acknowledge what has happened. It won’t back parliament’s demands to Facebook. Or even answer its questions. We are in the extraordinary position that our national security appears now to rest in our own hands.