WHAT WILL BRITAIN’S NEW CYBER FORCE ACTUALLY DO?
As Jane Austen never quite wrote, “It is a truth universally acknowledged, that a single nation in possession of a good fortune must be in want of a national offensive cyber capability.” Few authors evoke a certain kind of Englishness better than Austen. We nod in her direction to highlight a salient fact about the growing public debate about when and how governments should conduct offensive operations in cyberspace (against terrorists, criminals, and state threats): It is a debate with few British contributions, despite the fact that the United Kingdom recently announced a significant new investment in its offensive cyber capabilities, has admitted using these capabilities routinely against the so-called Islamic State group in Iraq and Syria, and recently implied their past use against Russia. Offensive cyber is an increasingly important part of the United Kingdom’s toolkit, as indicated by the recent founding of a new National Cyber Force. Without careful coordination and hard choices, though, the expanding role for offensive cyber and the National Cyber Force risks undermining the balance of British cyber strategy, diluting the priority of cyber security and resilience.
The truth is that the debate about offensive cyber has been dominated by U.S. voices and U.S. issues. To a large extent, this is understandable. It reflects the geopolitical significance of the United States and the immense weight of its cyber power. There is also a vibrant public debate in the United States, encompassing scholars and practitioners, about how cyber power should be developed and used. This American debate is rich and valuable, but its dominance of the global conversation risks distortion and the flawed assumption that decisions about cyber power look the same for all states.
The United Kingdom needs a similarly productive public debate, sensitive to the singular strategic context and challenges facing the United Kingdom, or it won’t be able to make good decisions about its cyber power — how to develop it, how to use it, and what accountability structures to wrap around it. Should these capabilities mostly be used against terrorists and criminals or should they focus on countering significant state threats, such as those posed by Russia and China? And whatever the targets, how will the United Kingdom resolve the tension at the heart of cyber operations, walking the line between recognizing cyberspace as a domain of conflict and competition and upholding the internet as the vibrant locus for so much of our everyday lives? To address this tension, the U.K. government has recently invoked the concept of a “responsible, democratic cyber power” to frame its cyber aspirations, but as yet this concept and how it will be executed are understood only in basic outline. One of the most controversial, and least understood, aspects of this agenda is the role of offensive cyber operations. There was widespread outrage at the recent compromise of widely used enterprise IT systems (SolarWinds), reportedly by Russian intelligence, and similar outrage at Russian cyber attacks against Ukraine’s critical infrastructure. Would a “responsible, democratic cyber power” forswear both kinds of operation or neither? What offensive cyber capabilities can and should the United Kingdom develop? And, conversely, what should it pledge not to do in order to uphold the integrity of the internet and the digital technologies on which we all rely?
Yes, it’s true, in our opening paragraph we equated Englishness with Britishness, without so much as a word about Scottishness, Welshness, or Northern Irishness. For that we apologize, and ask you to read former U.K. cyber security chief Ciaran Martin’s recent work on the constitutional tensions currently visible in the multi-nation United (not yet Untied) Kingdom. The question of how the United Kingdom addresses its competing nationalisms is not yet a topic for an article about U.K. cyber strategy — although the carve-up of defense and security assets in the wake of a potential move toward Scottish independence would make the issue more relevant than you might first think. Notwithstanding, the multi-nation constitution of the United Kingdom points to the peculiarly British practice of the “fudge”: a solution to a problem that just about manages to keep everyone happy but that is no one’s ideal first choice.
Commentators praised the virtues of fudge late last year when Prime Minister Boris Johnson avowed the existence of a new National Cyber Force. Although Johnson emphasized the new investment in cyber as part of his ambitions for Global Britain, experts such as former U.K. cyber chief Marcus Willett praised the force’s nimbleness and agility, making a virtue out of the reality that the United Kingdom lacks the resources to pursue cyber power of U.S. magnitude.
The new Cyber Force is the United Kingdom’s single actor for offensive cyber operations. You want to thwart terrorist operations online? The National Cyber Force will do that. Take down a ransomware crime group? The National Cyber Force has you covered. Strike back in cyberspace against state threats like Russia or China? You get the drift. Of course, its U.S. counterpart, Cyber Command, is no stranger to a broad mission set or a certain degree of institutional fudge. After all, in a “dual-hat” arrangement, its commander is also the head of the National Security Agency. But the United Kingdom’s new National Cyber Force is much fudgier than that.
Unlike Cyber Command, which is a unified command, or the National Security Agency, which is part of the sprawling bureaucratic empire of the U.S. Department of Defense, the U.K. National Cyber Force is a true hybrid of the country’s armed services, civilian defense officials, and national intelligence agencies. It combines major contributions from the U.K. Ministry of Defence and the United Kingdom’s signals and cyber intelligence agency, Government Communications Headquarters (better known as GCHQ), alongside smaller contributions from the Secret Intelligence Service (the United Kingdom’s foreign intelligence service, or MI6, home to fiction’s James Bond) and the Defence Science and Technology Laboratory.
What Cyber Force Does Britain Actually Need?
The benefit of this hybrid model is that the skills, capabilities, and legal authorizations of the constituent institutions are housed under one roof, all subject to unity of command within the National Cyber Force. This collaborative approach is good for synergy and it increases the operational flexibility of the force. But the new arrangement is not without its challenges.
First, despite the prominence of the new National Cyber Force in Johnson’s rhetoric, epitomizing the technology-driven agenda of his strategic review, the new force will be constrained by its budget and size. Even with an ambitious growth target, by 2030, the new force would still be less than half the current size of U.S. Cyber Command. Clearly, despite the broad remit of the new force — countering terrorism, cyber criminals, and state threats — it cannot perform all these missions equally well. Priorities will need to be established to help the National Cyber Force focus its efforts and achieve optimum impact. But how will those priorities be agreed?
This raises the second issue created by the hybrid nature of the new force. The first commander is a senior intelligence official — from GCHQ, the signals intelligence agency widely perceived to be the most capable cyber actor in the U.K. system — and his deputy comes from a defense background. The expectation is that a rota will operate and the next command duo will swap places, with a defense lead and an intelligence deputy.
So much for the internal leadership of the National Cyber Force, which faces a significant managerial challenge to create a new organization from a workforce essentially borrowed from its contributing organizations, including the creation of a new operational headquarters. But the force will not set its own strategic priorities. These will be determined elsewhere, by the centrally coordinated processes that determine the wider remits of its contributing organizations. These processes cover more than offensive cyber, including the setting of strategic priorities for the collection of intelligence, the development of technical capabilities, and the conduct of covert action. Offensive cyber operations are only one part of this wider priority-setting process, and they are also only one part of the much wider remit of each of the force’s contributing agencies. It’s a novel organizational concept: Pool resources, staff, and capabilities from largely autonomous agencies and hope they all work smoothly together. What happens if they don’t? How does the National Cyber Force ensure that it becomes more than the lowest common denominator of what each of its component agencies is willing to share?
The United Kingdom currently lacks a senior official at the center of government with the remit to coordinate across cyber issues. We recommend the creation of a deputy national security adviser for cyber, mirroring Anne Neuberger’s recent appointment in the United States. The whole of cyber — cyber security, cyber diplomacy and capacity building, espionage, and offensive cyber — is too big and important a national security portfolio not to have a dedicated senior official shepherding the wider national effort.
Such a senior official could help the new force achieve optimal impact in support of national objectives as well as monitor the impact of this significantly increased investment in offensive cyber on other aspects of government effort. There are two obvious issues for this official to oversee. First would be the implementation of a whole-of-government cyber workforce strategy. Second would be the effective functioning of the United Kingdom’s existing vulnerabilities equities process. This process helps the United Kingdom’s cyber espionage and cyber security authorities decide when to remain quiet about a vulnerability so that it can be exploited by British spies and when to publicize it so that it can be patched, thereby enhancing everyone’s cyber defenses.
As it seeks to define its aspiration to be a “responsible, democratic cyber power,” the United Kingdom needs to pay attention to how its investment in offensive cyber affects the balance between the different components of its wider cyber strategy. We don’t really know how this will play out, but the worst case would be that the bright, shiny new thing that is offensive cyber gets first pick of the best talent, meaning that “less exciting” areas like cyber security get a worse deal and consequently perform less effectively, to everyone’s detriment. Similarly, the vulnerabilities process currently consists of a debate between the cyber spies and cyber defenders over whether to withhold or release vulnerabilities. The addition of a third voice in the form of the new National Cyber Force — a growing, offense-focused party — to these discussions potentially tilts the balance of this dynamic further in favor of withholding vulnerabilities. This might be good for offensive operations in cyberspace, but the losers are everyone who might have been able to improve the defense of their networks had the United Kingdom disclosed the vulnerability so it could be patched.
Does ‘Persistent Engagement’ Have a British Flavor?
There is no British equivalent of the scholarly and practitioner debate about U.S. cyber strategy, such as the analysis and prescription of persistent engagement. But as Max Smeets has observed, the 2018 revision of U.S. cyber strategy had implications for other countries, both adversaries and allies of the United States. The way the new National Cyber Force operates — and communicates about its mission — will tell us much about how the United Kingdom views persistent engagement in theory and practice and whether it intends to adopt a similar approach to offensive cyber operations.
The commander of the National Cyber Force does not have the same public profile as Gen. Paul Nakasone has at the NSA and Cyber Command. In fact, his profile is so low that his name is publicly withheld. This isn’t unusual in British national security culture, in which intelligence officials generally avoid publicity. Politicians like Johnson make the major decisions and own the democratic accountability, so they do most of the talking. Having said that, this traditional cultural reticence of British securocrats is changing: Today’s intelligence chiefs give public speeches and press interviews and even have a presence on Twitter. So the low profile of the National Cyber Force’s commander is a bit of a throwback and will make it harder for the force to communicate publicly.
Public communication about offensive cyber strategy is important, not only for domestic legitimacy but also as a form of signaling to other governments. The National Cyber Force might lack the scale of Cyber Command, but its remit includes countering state and other threats in cyberspace. Is it the United Kingdom’s policy to treat allies’ digital infrastructure as “grey space” in which to engage adversaries, degrading and destroying their cyber capabilities? How much operational effort will be devoted to taking down cyber crime infrastructure or preparing cyber capabilities to be used in joint operations? Presumably, the National Cyber Force’s commander is active behind the scenes, explaining the United Kingdom’s position on these matters to allies and partners. But who is going to make the public-facing side of this case? There’s no one agency or senior figure who “owns” this, which could undermine the clarity and effectiveness of communication. The United Kingdom took a very different approach when creating its National Cyber Security Centre, with a highly visible and articulate chief executive to spread the word about improving cyber security — one clear voice on cyber defense. Keeping the National Cyber Force’s commander in the shadows might come to seem like a missed opportunity to speak with one clear voice on cyber offense.
These are major strategic decisions that require prioritization, trade-offs between competing values, and an inevitable amount of bureaucratic competition behind that. But they are also decisions that require an analysis of the domain, a calibrated risk appetite for operations against major adversaries, and clarity about the division of effort between the United Kingdom and its allies in cyberspace.
The Five Eyes intelligence partnership is the oldest and closest between any states. Given the historical emergence of much offensive cyber capability from signals intelligence agencies, there is a clear logic to continued coordination and partnership between the United Kingdom and the United States in offensive cyber operations. It simply doesn’t make sense for the United Kingdom, with its smaller capabilities, to duplicate the effort of Cyber Command, except in areas where sovereign capabilities are deemed necessary for national security. The recent growth of international cooperation against cyber crime infrastructure is an example of where intelligence and other capabilities of multiple nations can be combined to good effect. Good examples are the multinational law enforcement operation to dismantle the major Emotet malware botnet and the takedown of the Trickbot malware botnet by Cyber Command, although some argue that the coordination of these operations could be improved.
Boris and the Through-the-Looking-Glass War
As Danny Steed noted recently in his overview of the United Kingdom’s wider cyber strategy, offensive cyber capabilities are only one component of its wider cyber strategy, itself a sub-branch of the national security strategy. If Johnson’s confident new investment in offensive cyber is to pay off for the country, it must be carefully managed and subject to review of its effectiveness. This means rigorous internal review at the very least, but ideally also incorporating appropriate legislative oversight and external challenge. The United Kingdom should also acknowledge the priority of improving cyber security and resilience as objectives of national strategy and ensure that resources and effort are aligned appropriately.
International forums and multilateral discussions about global cyber norms are important opportunities for the United Kingdom to clarify how its self-definition as a “responsible, democratic cyber power” affects its offensive cyber operations. A good option is prioritizing counterforce over countervalue targeting — focusing operations against adversaries’ operational infrastructure rather than, say, civilian targets like energy or transportation networks. Indeed, the United Kingdom should minimize development of cyber capabilities against critical civilian infrastructure and advocate that targets such as hospitals should be off limits entirely, not just for states but for the cyber criminals given safe harbor and a base of operations in their territory. Some form of infrastructure targeting may be deemed a strategic necessity, a last resort for “when deterrence fails.” But the norm should be focused operations against adversaries’ cyber infrastructure and the integration of the National Cyber Force with wider military operations to provide cyber tools to enable joint operations.
From countering ransomware criminals to coordinating public attribution of malevolent state actor cyber operations, the future of the United Kingdom’s cyber strategy should be international by design. That means coordinating as closely as possible with allies like the United States, helping to build the cyber capacity of other states, and keeping a watchful eye on the cyber campaigns pursued by adversaries. The new National Cyber Force has a role to play in all of that, but it is only one player in the United Kingdom’s wider cyber ecosystem. A sovereign offensive cyber capability is an integral part of a contemporary state’s national security apparatus, but the United Kingdom’s big new investment in it needs to be carefully managed and balanced against its other cyber priorities. Cyber security and resilience should come first, and offensive capabilities need to be developed and used in a way that is consistent with this wider agenda. Cyber entered the mainstream of British defense and security policy more than a decade ago. As such, a better-informed public debate in the United Kingdom about the implications of offensive cyber is long overdue.