WIREDGOV

The creation of a new National Cyber Force is an important development but should not divert attention from the wider issues around cyber security.

Prime Minister Boris Johnson’s announcement of a four-year funding deal for defence highlighted a number of technology-focused initiatives. Prominent among them was the establishment of the National Cyber Force (NCF), a new organisational construct bringing together skills, capabilities and resources from across government (predominantly, but not exclusively, GCHQ and the Ministry of Defence) to focus on offensive cyber – the use of hacking and other cyber techniques to have a direct effect on the UK’s adversaries. What does this mean in practice?

The Culmination of a Process

The first thing to say is that this is simply the next step in the UK’s long-standing work in this area. As far back as 2013, Philip Hammond, then defence secretary, announced that the UK was ‘developing a full spectrum military cyber capability, including a strike capability’.

The 2016 UK National Cyber Security Strategy acknowledged the existence of the government’s National Offensive Cyber Programme. In 2018, GCHQ director Jeremy Fleming said that GCHQ had been pioneering the development and use of offensive cyber techniques ‘for well over a decade’, and referred to the conflict in Afghanistan, and operations against the Islamic State.

So this is not a new field of activity for the UK. And in some respects it can be seen as the logical continuum of operational techniques that go back many decades. For example, there has always been a requirement to jam enemy communications on the battlefield. The difference is that today those communications may be digital and internet-enabled, as opposed to high-frequency radios.

The Definitional Challenge

Cyber is one of those terms that can be defined many different ways, and the same goes for offensive cyber. To get a flavour of what might be involved it is worth looking at the kind of things states have actually been doing.

Probably the most extreme examples to date are attacks designed to have indiscriminate mass effects on large numbers of people by disrupting some piece of critical infrastructure on which they depend for their well-being. Examples include Russian hackers’ cyber disruption of the Ukrainian power supply in 2015, and an alleged Iranian attack aimed at affecting the functioning of Israeli water treatment plants earlier this year.

Then there are attacks designed to create significant economic disruption, targeting specific companies or whole sectors. The Iranian attacks that disabled 30,000 computers belonging to Saudi Aramco in 2012, and their attack on multiple US financial institutions are examples.

Offensive cyber can also be used for the purposes of political disruption, and undermining confidence in, or simply discrediting, institutions or processes. For example, Russian interference in the French and US democratic processes by hacking into political parties to steal and leak sensitive material. Or the North Korean targeting of Sony by hacking and leaking embarrassing emails in retaliation for the movie ‘The Interview’.

On a much larger scale, there was the particularly reckless Russian NotPetya attack of 2017, which some estimate cost victims $10 billion globally. Russia infected Ukrainian tax software to disable the systems of anyone using it, either because they were Ukrainian or did business in Ukraine. The Russian attempt to disrupt the opening ceremony of the 2018 Winter Olympics, perhaps in response to the banning of Russian athletes, might be another example. And Israel may have been behind an attack earlier this year that disrupted the operations of an Iranian port facility, perhaps in retaliation for the attack on their water treatment plants.

Cyber operations can also be used in a targeted attempt to disrupt specific threats. These may be attempts to disrupt adversary weapons or technology programmes, like Stuxnet, the alleged US and Israeli cyber attack targeting Iranian nuclear centrifuges. Or an operation to prevent a specific attack, for example, by disrupting terrorist communications.

These capabilities can also be used to disrupt hostile or criminal online activity. There might be operations against botnets used by cyber criminals, or to counter disinformation, or extremist propaganda. There have been reports of US cyber operations to disrupt Russia’s notorious Internet Research Agency, UK take-downs of extremist online propaganda, and disruption of misinformation about a coronavirus vaccine.

And then there is cyber in support of military operations. Press coverage of the NCF has referred to capabilities to disrupt an enemy’s air defence network. It has been claimed that a US offensive cyber operation disrupted Iranian missile systems’ command and control, and that Israel successfully disrupted Syrian radars in support of an air strike.

Constraints on The UK

So what does this mean for the UK approach? It is worth reflecting on some of the constraints. On the basis that the UK continues to adhere to its existing framework of domestic and international legal commitments, it is not easy to imagine circumstances where indiscriminate cyber attacks on civilian critical infrastructure, or attacks that self-propagate in an uncontrolled way, would pass legal tests, including of necessity and proportionality (let alone ethical ones).

The exception might be all-out armed conflict, but, even then, the key principles of international humanitarian law will apply to UK operations, cyber or otherwise. Needless to say, these considerations are evidently less of a constraint to countries like Russia and Iran.

Then there is the fact that cyber operations, particularly at the upper end of the spectrum, can be extremely complex to design and execute. They can take months or years to design. Complex target networks are unique and an attacker may need to learn more about them than even their own operators know, to reduce the chances of things going wrong. Indeed, several of the hostile operations mentioned above failed, or had limited impact. And even when successful, complex attacks may only have an effect for a matter of hours, before back-up systems kick in and something like normal service is resumed.

This means that the scarce resources required to develop offensive cyber operations need to be used very carefully. So as the UK develops its capabilities it needs to focus on those that are actually likely to be usable in practice, bearing in mind legal, ethical, technical and operational considerations.

In practice, these are most likely to be about targeted disruption of an adversary’s ability to communicate or operate online. And that adversary is often likely to be a criminal, terrorist or hostile state actor conducting misinformation or cyber operations. They live on the web, and it makes sense that we should have the ability to inhibit their operations there, just as we seek to in the physical world.

It also means that cyber operations, particularly on the battlefield, need to be closely integrated with other effects to achieve a real impact. And it will be important not to be seduced by the glamour of ‘cyber war’, and lose sight of the fact that in an actual military operation it may be a lot easier to take out a target through traditional kinetic means than by some exquisitely complex, highly sophisticated, cyber operation.

On The Offensive?

Quite legitimately, a lot of questions are being asked about offensive cyber capability and the avowal of the NCF is likely to intensify that debate. The government cannot take for granted that everyone will agree it has a licence to operate in this area.

Issues include squaring offensive cyber with a commitment to a free, open and secure internet, how to measure the effectiveness and value for money of this investment, how to manage the risk of our capabilities falling into the wrong hands, and how to achieve a balance between keeping knowledge of cyber vulnerabilities secret for future exploitation, and disclosing them to the manufacturers to be fixed. And there is the overarching question of defining UK offensive cyber doctrine. The government needs to embrace the debate, however uncomfortable that may feel, and there has already been some commendable openness.

Offensive cyber offers the UK a specific set of capabilities that can be used in certain particular circumstances. We already have experience in developing and using these capabilities, and the NCF should build on that. For the UK this is most likely to be about focused and targeted disruption of specific threat actors, rather than indiscriminate attacks having mass effect.  

There are plenty of issues to debate and explore. But there is an important risk to manage – offensive cyber may play a part in defeating some cyber attacks on the UK, but it will be essential that an understandable interest in ‘cyber weapons’ and ‘cyber war’ does not divert attention and effort away from the much broader and more complex set of issues around how to achieve the level of cyber security the UK needs.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.