The Ethics of Offensive Cyber: Reflections on the role of the National Cyber Force

Over the last decade, the UK government has talked more openly about its cyber capabilities. The latest step was the prime minister’s recent avowal of the National Cyber Force (NCF), which has been operational since April. Uncertainty remains, however, about the role of OCOs in wider UK strategy and how our political leaders are navigating the complex choices involved in deciding when to use cyber operations to secure national objectives and project British values overseas. For example, should OCOs only target an adversary’s defence and security infrastructure, or should the UK follow the contemporary trend in targeting civilian infrastructure, as implied in the Moscow scenario briefed to the press?

There is a burgeoning academic literature on covert action as an instrument of state policy. There is also an extensive and growing literature on the legal and strategic issues raised by state and non-state cyber operations. Cyber operations during an armed conflict are covered by the existing law of armed conflict, and should abide by the principles of necessity, distinction, proportionality and unnecessary suffering.

Much cyber activity, however, takes place beneath this threshold. Domestic legislation – the Intelligence Services Act (1994) and the Investigatory Powers Act (2016) – provides the process for senior ministers to authorise operations such as equipment interference where these are deemed to be necessary, proportionate and have a sound legal basis in the interests of national security, economic well-being, and the detection or prevention of serious crime.

The joint nature of the NCF, combining personnel from GCHQ, the Ministry of Defence and other agencies, is an efficient use of limited expertise in this field: it houses under one roof, so to speak, the capability to operate under these different operational authorisations. Whilst the UK has committed to abiding by international law in its conduct of cyber operations, there is legal uncertainty about when precisely OCOs should be regarded as reaching the level of a use of force. Must they cause injury or physical damage, or could, for example, serious economic damage or the degradation of military infrastructure be sufficient to be interpreted as a use of force?

Whilst there is an international debate about the legal status of OCOs as a use of force or as an otherwise prohibited intervention in the sovereign affairs of another state, less attention has focused on the specifically ethical dimensions of political decisions to approve OCOs. This piece aims to stimulate further ethical debate about OCOs as the NCF emerges as an instrument of the UK’s wider national security strategy.

Whilst there is not yet a substantial literature applying moral philosophy to this issue, there is no shortage of theories and traditions to draw on. One obvious step would be to apply the principles of ‘just war’ theory directly to cyber operations, another to frame discussion around acceptance or rejection of a realist approach to cyber dilemmas facing political leaders, according to which the UK should develop formidable offensive cyber capabilities and be prepared to use them to enhance national power and security.

As a shortcut, I employ Max Weber’s distinction between the ethics of conviction and the ethics of responsibility, and the importance of the latter in exploring the challenges of political leadership. Put simply, as voters we do not expect our elected leaders to make decisions solely on the basis of their personal beliefs. They should be mindful of a duty to act in accordance with the best interests of the nation – and perhaps with some broader conception of the common good, including global public goods. Defining the national interest is, of course, a contested, inherently political act. Nonetheless, political leaders are morally responsible for the consequences of their actions and omissions in pursuit of their conception of the national interest, however imperfectly articulated or socially divisive it might be.

Political leaders are not the only moral agents involved in this OCO process. Officials and military officers have responsibilities for: shaping the processes that determine strategic priorities for intelligence collection, effects operations and the development of capabilities; producing submissions and plans for specific OCOs; and shepherding the equities process to determine whether vulnerabilities uncovered by UK cyber operators are retained for offensive or surveillance purposes, or are disclosed to enable patching, enhancing the global public good of systemic cyber security.

A typology of offensive cyber and its ethical dilemmas

At this point, it is perhaps useful to explore a typology of activities that are pursued under the umbrella term OCO. In a recent speech, former National Cyber Security Centre chief executive Ciaran Martin proposed an escalating ‘five tier structure of cyber warfare’, conveniently forming a mnemonic acronym, HACKS. Martin’s lowest level is hacking in support of national security objectives, gaining access to adversaries’ electronic devices, possibly degrading or deleting content. The second tier is ‘adversarial infrastructure destruction’ in which digital infrastructure, such as a terrorist organisation’s online propaganda network, is destroyed. The third tier is ‘counter-influence’ operations, essentially the use of OCOs to achieve deterrence. The fourth tier is ‘kinetic’ attack, a cyber operation that causes significant damage to specific infrastructure, for example disrupting the electricity supply to a city (the Moscow example above) or taking a television network off the air. Finally, the fifth and highest tier is system-wide, all-out cyber attacks on military and civilian targets during an armed conflict that sees cyber used as part of integrated operations.

The HACKS model is useful because it highlights the spectrum of severity on which any OCO can be placed. It also demonstrates the variety of ethical dilemmas posed by different OCOs, where some proposed operations are likely to command more universal agreement that they are morally justified. Few would argue against (appropriately authorised) cyber operations that disrupted the digital command-and-control infrastructure used to direct a terrorist attack or to mastermind a global ransomware campaign. Far more would question whether it could ever be ethical, or indeed lawful, for the UK to attack an adversary’s national power grid or civilian air traffic control system.

Another way of thinking about this is to simplify Martin’s structure – losing the HACKS mnemonic in the process, alas – so that the typology of OCOs is reduced to three tiers: skirmishing; strategic ‘cyber solo’ operations; and cyber operations integrated with non-cyber operations during an armed conflict. At the basic level of skirmishing, states and other actors are competing for advantage in cyberspace. When a hostile state actor, terrorist or organised crime group uses digital infrastructure directly or indirectly to harm the UK – whether that harm is electoral interference, disinformation, preparation for an armed attack, or running a ransomware campaign – then the government should have a relatively easy time justifying the necessity and proportionality of a counter-cyber operation to degrade, disrupt or destroy the digital infrastructure used by these hostile actors. Skirmishing could aim to pre-empt an attack, prevent a ransomware campaign, or punish a hostile state actor or its proxy, increasing the ‘tactical friction’ and ‘strategic cost’ faced by the UK’s cyber adversaries.

This tier includes operations to take down disinformation websites, as has been recently reported in efforts to counter anti-vaccine ‘fake news’. The dilemma is harder if an adversary’s digital infrastructure is hosted in a state unaware of the malign activity. Ordinarily, we would expect the UK government to work with the government of that state to resolve the issue, but, in extremis, there would be a clear ethical case that it would be proportionate and necessary to conduct a specific and limited OCO to eliminate an imminent threat, even though that constituted a covert, specific and limited breach of the other state’s sovereignty.

The second tier, strategic ‘cyber solo’ operations can be split into two: a lower tier that tries to deter adversaries by signalling that the UK has the capability to use cyber operations against adversaries’ infrastructure, perhaps restricted to defence- and security-related infrastructure, but perhaps not; and a higher tier that actually involves using such capabilities, for example to enforce a red line when the lower tier of deterrence had failed. The interesting thing about this tier is that it inhabits the challenging grey zone of cyber operations that hover below the threshold of armed conflict. Even where the intention is only signalling and not to conduct an attack, the decision must be very carefully considered – not least for the potential that a pre-positioned implant is misinterpreted by the adversary as an indicator of an imminent attack, precipitating a crisis.

Depending on the choice of infrastructure targets, this tier also raises broader ethical questions about the sort of internet that the UK should be trying to promote. Does it really want to be in the business of targeting civilian infrastructure, even if only for deterrent effect? Bearing in mind that, for deterrence to be credible, the adversary needs to believe that you will be willing to carry out the attack. This tier of the typology also poses ethical questions about the second-order consequences, or system effects, of targeting infrastructure: does it undermine the rules-based approach to the Internet that the UK upholds elsewhere? Is there value, in other words, to acting in a more Kantian fashion, refusing to pursue civilian infrastructure targeting that, if universalised as the practice of all cyber-capable states, would exacerbate threats to critical infrastructure around the world?

The third tier of OCOs, cyber operations as part of an armed conflict, represent the highest level of possible damage but, paradoxically, pose the fewest new ethical dilemmas. This is because, as the UK has repeatedly emphasised, it considers cyber operations to be subject to the same body of law as other operations during an armed conflict. All such operations can, therefore, be assessed by traditional ethical principles of military necessity, proportionality, discrimination between military and civilian targets, and the requirement to avoid unnecessary suffering. This is the tier in which the UK can rely most confidently on the ethical principles that have evolved over decades of warfare.

This simplified typology encompasses a broad range of tactical, operational and strategic decisions about whether or not to use OCOs. It isn’t clear yet what the proposed balance of missions is for the NCF: will it be primarily a cyber skirmishing force, a deterrent against hostile state actors, or a developer of OCOs to support integrated operations during armed conflict? As outlined above, whatever the priorities of the NCF, each of these decisions is implicitly ethical. An effective ethic of cyber responsibility requires deliberation, technical and strategic understanding that depend on agency (the role and character of individuals) and structure (the impact of routines and processes). These issues may or may not be addressed in the integrated review of security, defence, development and foreign policy. Whether or not they are, the National Security Council (NSC) and Prime Minister should have been using the review’s process to reflect carefully on Britain’s use of OCOs, which would require the application of moral reasoning.

Optimising the ethic of cyber responsibility

One of the biggest challenges facing government is how to structure its underlying processes to provide sufficient support for political leaders to take informed ethical decisions about OCOs in support of national security, economic well-being or countering serious crime. There are already strategic processes that produce requirements and priorities for intelligence coverage, effects operations and capability development, and these will naturally shape the NCF’s priorities. Even with the reported increase in the defence budget, difficult decisions still must be made about the balance of investment between the three tiers of possible missions outlined above. Another issue is raised by the limited pool of top cyber talent: with finite expertise to allocate to different missions, government must decide how to structure its wider cyber workforce, across not only OCOs but also digital espionage and the cyber security work of the NCSC.

A democratic state should configure its structures and processes of decision to guarantee that the relevant moral issues surface sharply in pre-decision debates in the presence of the appropriate (and appropriately-informed and actively-participating) accountable elected figures. Similarly, there is an argument that enhanced legislative oversight might help improve the quality of executive deliberation about OCOs, notwithstanding the need for operational secrecy.

This issue was highlighted in contrasting approaches to US OCOs under the Obama and Trump administrations. The Trump administration reportedly relaxed the tightly-controlled authorisation process exercised by the Obama White House. Trump’s process afforded greater latitude for both US Cyber Command and the Central Intelligence Agency’s clandestine cyber operations. The contrast between administrations highlights the existence of a spectrum on which we can place any executive, according to the relative depth and rigour of its OCO processes.

Notwithstanding criticism of Obama’s process as inflexible, it is clear that he took seriously the ethics of cyber responsibility. Under Trump’s more devolved process, the importance of the responsible leadership exercised by unelected individuals arguably increased, for example head of US cyber command General Paul Nakasone. Whilst the incoming Biden administration might not reset the authorisation process back to the strictures of the Obama era, it may nonetheless reassert a more prominent and hands-on role for the White House in active management of OCOs. This would be equally desirable in the British case, especially where questions exist about the current Prime Minister’s attention to detail and priorities.

A well-formed OCO process should clarify the important ethical dimensions, so that political leaders better understand the decisions they are being asked to take. Insofar as operational urgency permits, these decisions should be taken in the collegial environment of a committee, chaired by the Prime Minister and including the Attorney General and the relevant authorising ministers (the foreign secretary and defence secretary). Something like this process may already exist and even be used prudently by the Prime Minister. It is not imperative that the process be publicly avowed. Operational secrecy is manifestly necessary. But better communication might improve public confidence in the ethics of UK OCOs and that government is striking the right balance between OCOs and the public good of cyber security. Ciaran Martin’s recent speech helped to advance such a public debate about the need to consider the cyber security implications of Britain’s emerging offensive cyber strategy.

Former cabinet secretary Lord Sedwill recently claimed that OCOs were part of a ‘series of discreet measures’ taken by the UK against Russian leaders and their interests after the 2018 Salisbury attack. A hypothetical decision to approve cyber operations against, say, financial infrastructure to target illicit wealth might have been justified, in principle, as a deterrent or retributive act, necessary to protect national interests. This decision – in the grey middle tier of our cyber typology – should, however, balance expected national gains against wider ethical considerations such as the integrity of the financial system – a global public good, from which everyone benefits, including UK citizens. Adverse reputational impact on the UK as a lawful actor, if such an operation was exposed, should also be assessed. This approach would be consistent with the principles that the government has previously stated would guide its cyber operations, but ambiguity – perhaps deliberate – remains about UK decision-making in practice.

Operational exposure or compromise of a capability can lead to more than reputational damage. What happens if capabilities developed to enable British cyber operations are leaked, leading to their use by hostile actors? This hypothetical has a disturbing basis in fact: the widely-reported loss and disclosure of US National Security Agency hacking tools that led to waves of cybercrime, most notably the WannaCry ransomware that ravaged networks across the globe, including the National Health Service. This is a striking example of the potential damage to the public good of cyber security when, rather than disclose vulnerabilities, states secretly buy or develop them for digital surveillance or OCOs.

In principle, there is nothing uniquely cyber-related about this dilemma: it would be dangerous if, for example, lax security at a military facility led to weapons and ammunition falling into hostile hands. The reason that the cyber debate is more urgent is that this has already happened, and the very nature of cyber operations is that adversaries can potentially detect and re-purpose cyber tools for their own ends. There are valid reasons of state for maintaining offensive cyber capabilities, just as there are reasons for retaining digital surveillance capabilities. There is, however, an equal need for rigorous, reflective processes to determine when to prioritise offensive or surveillance objectives over those of cyber security.

Decisions about the size and structure of national cyber forces are inherently political. They reflect an executive’s risk appetite, prioritisation of objectives, and understanding of the system effects of approved operations. In some ways, ethical dilemmas are identical to other domains, e.g. the choice between counterforce (military) and countervalue (civilian) targeting. But in others, particularly the middle tier of our typology, the precision and non-lethality of OCOs potentially obscures their second-order effects. For example, a targeted operation against one bank account, or the non-disclosure of a vulnerability to use it for a specific offensive cyber operation, can be seen to achieve a specific and limited national objective, but how should political leaders weigh the broader implications and risks, such as eroding a global public good – cyber security or the integrity of financial infrastructure? As one former senior GCHQ official noted after the NCF announcement, offensive cyber has its place in national strategy, but it should not distract from the imperative to improve cyber security.

Recommendations

An effective ethic of cyber responsibility requires active and informed political leadership. This entails clear and sustained commitment from political leaders, but also that the right processes are available to ensure that the underlying risks are understood. Technical knowledge is needed to make informed decisions, but these decisions are ultimately political and freighted with moral considerations. To this end, a ministerial cyber sub-committee of the NSC should be reconstituted and it should meet regularly to review the totality of cyber strategy, including updates on current OCO. It should act as a forum for deliberation and decision about the dynamic balance between the different aspects of national cyber strategy.

The ethical case for tier 1 (cyber skirmishing) and tier 3 (cyber operations during armed conflict, supporting integrated operations) missions is most compelling. There is a strategic imperative for both missions and it will be for ministers to decide how to balance these competing priorities for the NCF’s capability development and operational activities. Tier 2 operations, including deterrent signalling of capabilities to undermine critical infrastructure, are ethically and legally more complex, to say nothing about their strategic efficacy. More research is needed about how the NCF might best incorporate tier 2 missions within its remit, without prejudice to its other missions.

The current vulnerabilities equities process, which only escalates the hardest cases to secretary of state level, should in future be placed formally under the NSC cyber sub-committee, to provide regular ministerial review of the findings of the official equities process. This improvement in ministerial engagement with the equities process is arguably worthwhile given the possibility of more disagreement in future at official level, as the NCF becomes a more active player in generating and seeking to retain vulnerabilities for offensive purposes. As the equities process diverges from its origins as a predominantly espionage- or security-focused debate, GCHQ-driven system, there is the potential for sharper disagreements about releasing or retaining vulnerabilities – particularly between NCSC and NCF if the latter pursues tier 2 targeting of civilian infrastructure. Given the strategic significance of these questions, it is right that ministers should take a more active interest in this process.

At this broader strategic level, it would also be advantageous to streamline existing ministerial cyber responsibilities. Whilst the most sensitive cyber operations will continue to be authorised by the foreign or defence secretaries, in dialogue with and after input from the Prime Minister’s and Attorney General’s respective offices, there is a strong argument for improving the quality of more continuous ministerial engagement with overall cyber strategy by creating a network of joint ministers of state across several departments with cyber-relevant operational and policy remits, e.g. between the Cabinet Office, Ministry of Defence, Foreign, Commonwealth and Development Office (FCDO), the Home Office and Department for Digital, Culture, Media and Sport. Cyber issues are complex and interconnected: a network of ministers empowered to focus more intensely on these issues, understanding the cross-departmental overlaps and dilemmas, would improve the quality of ministerial involvement in and active management of this process.

Regarding wider oversight, it is welcome that the Intelligence and Security Committee of Parliament (ISC) will assume oversight of the NCF. This will, however, surely require uplift in the resources and independent expertise at its disposal, notwithstanding the Prime Minister’s stated belief that it is already ‘well equipped’ to perform this task. The ISC should also draw more of its secretariat from outside the operational community which it oversees. Whilst the mechanics of ISC oversight of the NCF are presumably still a work in progress, the Committee should also consider the benefits of conducting (and publishing some of the findings of) an annual review of the equities process, providing further oversight and improving public confidence in the accountability of that significant part of UK cyber strategy.

As with other areas of defence strategy, the UK does not have the resources to exercise cyber power in the same league as the US. It must carefully balance its investment and deployment of top talent across all cyber missions. There are limits to what the UK can realistically achieve. Its allocation of resources must be guided by an incisive strategic assessment of national priorities. Such a strategic audit of the offensive cyber workforce and its mission priorities should be conducted following the agreement of national strategic objectives in the integrated review, as part of the next iteration of national cyber strategy due in 2021. It should also be actively overseen by the proposed ministerial cyber sub-committee of the NSC. Furthermore, this review should be pursued explicitly within an alliance context. As with the FIVE EYES partnership in digital espionage, the UK should collaborate and, as far as possible, deconflict with the US and other close partners to ensure that the alliance derives optimum value from the UK investment in offensive cyber capability development and its conduct of OCOs.

Conclusion

In an ideal world, all cyber-capable state actors would agree not to target civilian critical infrastructure or to undermine the integrity of global public goods in cyberspace. Achievement of such agreement would be an incontestable victory for multilateral cyber diplomacy, delivering better norms of cyber competition between states – notwithstanding the severe difficulties that would await any formal verification process. In reality, however, unless adversaries – and perhaps also allies, in keeping with the interdependent nature of cyber competition – change their behaviour, it is possible that tier 2, primarily deterrent operations might well form an important part of the new NCF’s mission.

With this caveat, the UK is arguably better off prioritising its limited high-end cyber resources on tier 1 and tier 1 missions, concentrating on counter-cyber skirmishing and the development of counterforce capabilities to support integrated operations during armed conflict, rather than pursuing a countervalue approach to targeting civilian infrastructure. This is consistent with international law, as well as with British values and the liberal way of war, described by John Stone as being ‘concerned with breaking things as an alternative to killing people’.

In exercising the ethic of cyber responsibility, our political leaders should apply a principle of ‘minimum effective offensive cyber capability.’ The global public good of cyber security, from which everyone benefits, should be prioritised wherever possible. This is particularly the case in the equities process, only retaining the capabilities to conduct a carefully selected number of offensive operations and weighing seriously the potential risks that these capabilities would pose if the escaped into the wild. That these capabilities should be well protected is a given, but their very engineering should reflect on the damage caused by uncontrolled, self-propagating viruses. A responsible state cyber power should act in a more restrained and discriminating manner. The UK should be able to compete with and successfully deter less responsible or restrained cyber powers, such as Russia, without compromising our principles and pursuing a similar turn to countervalue targeting of civilian infrastructure.

This piece was original published in an edited collection of essays published by the Foreign Policy Centre. The collection, entitled Finding Britain’s role in a changing world: Projecting the UK’s values abroad, proposes a wide range of recommendations about how the UK can support and promote its values with its future foreign policy. 

Dr Joe Devanny is a lecturer in the Department of War Studies and deputy director of the Centre for Defence Studies. He writes here in a personal capacity.