Operational exposure or compromise of a capability can lead to more than reputational damage. What happens if capabilities developed to enable British cyber operations are leaked, leading to their use by hostile actors? This hypothetical has a disturbing basis in fact: the widely-reported loss and disclosure of US National Security Agency hacking tools that led to waves of cybercrime, most notably the WannaCry ransomware that ravaged networks across the globe, including the National Health Service. This is a striking example of the potential damage to the public good of cyber security when, rather than disclose vulnerabilities, states secretly buy or develop them for digital surveillance or OCOs.
In principle, there is nothing uniquely cyber-related about this dilemma: it would be dangerous if, for example, lax security at a military facility led to weapons and ammunition falling into hostile hands. The reason that the cyber debate is more urgent is that this has already happened, and the very nature of cyber operations is that adversaries can potentially detect and re-purpose cyber tools for their own ends. There are valid reasons of state for maintaining offensive cyber capabilities, just as there are reasons for retaining digital surveillance capabilities. There is, however, an equal need for rigorous, reflective processes to determine when to prioritise offensive or surveillance objectives over those of cyber security.
Decisions about the size and structure of national cyber forces are inherently political. They reflect an executive’s risk appetite, prioritisation of objectives, and understanding of the system effects of approved operations. In some ways, ethical dilemmas are identical to other domains, e.g. the choice between counterforce (military) and countervalue (civilian) targeting. But in others, particularly the middle tier of our typology, the precision and non-lethality of OCOs potentially obscures their second-order effects. For example, a targeted operation against one bank account, or the non-disclosure of a vulnerability to use it for a specific offensive cyber operation, can be seen to achieve a specific and limited national objective, but how should political leaders weigh the broader implications and risks, such as eroding a global public good – cyber security or the integrity of financial infrastructure? As one former senior GCHQ official noted after the NCF announcement, offensive cyber has its place in national strategy, but it should not distract from the imperative to improve cyber security.
Recommendations
An effective ethic of cyber responsibility requires active and informed political leadership. This entails clear and sustained commitment from political leaders, but also that the right processes are available to ensure that the underlying risks are understood. Technical knowledge is needed to make informed decisions, but these decisions are ultimately political and freighted with moral considerations. To this end, a ministerial cyber sub-committee of the NSC should be reconstituted and it should meet regularly to review the totality of cyber strategy, including updates on current OCO. It should act as a forum for deliberation and decision about the dynamic balance between the different aspects of national cyber strategy.
The ethical case for tier 1 (cyber skirmishing) and tier 3 (cyber operations during armed conflict, supporting integrated operations) missions is most compelling. There is a strategic imperative for both missions and it will be for ministers to decide how to balance these competing priorities for the NCF’s capability development and operational activities. Tier 2 operations, including deterrent signalling of capabilities to undermine critical infrastructure, are ethically and legally more complex, to say nothing about their strategic efficacy. More research is needed about how the NCF might best incorporate tier 2 missions within its remit, without prejudice to its other missions.
The current vulnerabilities equities process, which only escalates the hardest cases to secretary of state level, should in future be placed formally under the NSC cyber sub-committee, to provide regular ministerial review of the findings of the official equities process. This improvement in ministerial engagement with the equities process is arguably worthwhile given the possibility of more disagreement in future at official level, as the NCF becomes a more active player in generating and seeking to retain vulnerabilities for offensive purposes. As the equities process diverges from its origins as a predominantly espionage- or security-focused debate, GCHQ-driven system, there is the potential for sharper disagreements about releasing or retaining vulnerabilities – particularly between NCSC and NCF if the latter pursues tier 2 targeting of civilian infrastructure. Given the strategic significance of these questions, it is right that ministers should take a more active interest in this process.
At this broader strategic level, it would also be advantageous to streamline existing ministerial cyber responsibilities. Whilst the most sensitive cyber operations will continue to be authorised by the foreign or defence secretaries, in dialogue with and after input from the Prime Minister’s and Attorney General’s respective offices, there is a strong argument for improving the quality of more continuous ministerial engagement with overall cyber strategy by creating a network of joint ministers of state across several departments with cyber-relevant operational and policy remits, e.g. between the Cabinet Office, Ministry of Defence, Foreign, Commonwealth and Development Office (FCDO), the Home Office and Department for Digital, Culture, Media and Sport. Cyber issues are complex and interconnected: a network of ministers empowered to focus more intensely on these issues, understanding the cross-departmental overlaps and dilemmas, would improve the quality of ministerial involvement in and active management of this process.
Regarding wider oversight, it is welcome that the Intelligence and Security Committee of Parliament (ISC) will assume oversight of the NCF. This will, however, surely require uplift in the resources and independent expertise at its disposal, notwithstanding the Prime Minister’s stated belief that it is already ‘well equipped’ to perform this task. The ISC should also draw more of its secretariat from outside the operational community which it oversees. Whilst the mechanics of ISC oversight of the NCF are presumably still a work in progress, the Committee should also consider the benefits of conducting (and publishing some of the findings of) an annual review of the equities process, providing further oversight and improving public confidence in the accountability of that significant part of UK cyber strategy.
As with other areas of defence strategy, the UK does not have the resources to exercise cyber power in the same league as the US. It must carefully balance its investment and deployment of top talent across all cyber missions. There are limits to what the UK can realistically achieve. Its allocation of resources must be guided by an incisive strategic assessment of national priorities. Such a strategic audit of the offensive cyber workforce and its mission priorities should be conducted following the agreement of national strategic objectives in the integrated review, as part of the next iteration of national cyber strategy due in 2021. It should also be actively overseen by the proposed ministerial cyber sub-committee of the NSC. Furthermore, this review should be pursued explicitly within an alliance context. As with the FIVE EYES partnership in digital espionage, the UK should collaborate and, as far as possible, deconflict with the US and other close partners to ensure that the alliance derives optimum value from the UK investment in offensive cyber capability development and its conduct of OCOs.
Conclusion
In an ideal world, all cyber-capable state actors would agree not to target civilian critical infrastructure or to undermine the integrity of global public goods in cyberspace. Achievement of such agreement would be an incontestable victory for multilateral cyber diplomacy, delivering better norms of cyber competition between states – notwithstanding the severe difficulties that would await any formal verification process. In reality, however, unless adversaries – and perhaps also allies, in keeping with the interdependent nature of cyber competition – change their behaviour, it is possible that tier 2, primarily deterrent operations might well form an important part of the new NCF’s mission.
With this caveat, the UK is arguably better off prioritising its limited high-end cyber resources on tier 1 and tier 1 missions, concentrating on counter-cyber skirmishing and the development of counterforce capabilities to support integrated operations during armed conflict, rather than pursuing a countervalue approach to targeting civilian infrastructure. This is consistent with international law, as well as with British values and the liberal way of war, described by John Stone as being ‘concerned with breaking things as an alternative to killing people’.
In exercising the ethic of cyber responsibility, our political leaders should apply a principle of ‘minimum effective offensive cyber capability.’ The global public good of cyber security, from which everyone benefits, should be prioritised wherever possible. This is particularly the case in the equities process, only retaining the capabilities to conduct a carefully selected number of offensive operations and weighing seriously the potential risks that these capabilities would pose if the escaped into the wild. That these capabilities should be well protected is a given, but their very engineering should reflect on the damage caused by uncontrolled, self-propagating viruses. A responsible state cyber power should act in a more restrained and discriminating manner. The UK should be able to compete with and successfully deter less responsible or restrained cyber powers, such as Russia, without compromising our principles and pursuing a similar turn to countervalue targeting of civilian infrastructure.
This piece was original published in an edited collection of essays published by the Foreign Policy Centre. The collection, entitled Finding Britain’s role in a changing world: Projecting the UK’s values abroad, proposes a wide range of recommendations about how the UK can support and promote its values with its future foreign policy.
Dr Joe Devanny is a lecturer in the Department of War Studies and deputy director of the Centre for Defence Studies. He writes here in a personal capacity.