
The Review and Responsible, Democratic Cyber Power

This essay was first published in October 2021, in the second volume of the Centre for Defence Studies series on The Integrated Review in Context: Defence and Security in Focus.

The Integrated Review combined a conventional analysis of the United Kingdom’s position in the world with ambitious rhetoric about the need to take some policy areas more seriously than before (the Indo-Pacific, regulatory diplomacy) and to invest more significantly in science and technology. One of the Review’s most striking emphases was on the role of responsible, democratic cyber power in British strategy. This was the most recent statement of a framing concept that the United Kingdom has been invoking for several years: cyber power.

But what does ‘cyber power’ actually mean, particularly when it is exercised in a self-consciously ‘responsible, democratic’ fashion? And is there a specifically British view of cyber power? The Integrated Review’s answer focuses classically enough on the pursuit of national interests, defining cyber power broadly as: ‘the ability to protect and promote national interests in and through cyberspace: to realise the benefits that cyberspace offers to our citizens and economy, to work with partners towards a cyberspace that reflects our values, and to use cyber capabilities to influence events in the real world.’ This is a very broad definition that implicitly points to the competitive and contested nature of cyber power in international practice.

If cyber power is the pursuit of national interests in a global domain, then not every state will be a potential ‘partner’ in shaping cyberspace to align with British values, nor will every state agree (or even passively accept) the UK’s use of cyber capabilities to achieve real world effects. – Dr Joe Devanny

Defining Responsible, Democratic Cyber Power

Given this competitive, contested context, it’s perhaps easiest, although imprecise, to define the responsible, democratic exercise of cyber power by reference to its opposites. There is a lengthy and persistently growing list of activities in cyberspace that the United Kingdom has criticised when they have been carried out by other states, most notably by the Russian Federation, but also other states such as China and North Korea. Indeed, coordinated public attribution – notwithstanding the challenges of doing this effectively – is seen as an important diplomatic response to irresponsible state behaviour in cyberspace. Such behaviour includes the use of cyber operations to disrupt or destroy critical infrastructure, and directing or harbouring the cybercriminals responsible for the current global wave of ransomware attacks on public and private sector targets. It has been suggested that these states might even try to use ransomware attacks, not to accumulate bitcoin, but to achieve geopolitical objectives through coercion.

It would be tempting, therefore, to conclude that a responsible, democratic cyber power would simply practise the polar opposite of those activities so criticised by the United Kingdom and its allies. This is a relatively reliable guide. After all, no self-described responsible, democratic cyber power should harbour cybercriminals, engage in state-sanctioned cybercrime, or conduct degrading or destructive cyber operations against critical civilian infrastructure to coerce or punish an adversary government. But what about cyber espionage enabled by supply chain attacks (some lasting for decades) or ‘last resort’ offensive capabilities against infrastructure, in case ‘deterrence fails’?

There are some important nuances and grey areas where the behaviour of a responsible, democratic state in cyberspace is less easy to distinguish from the behaviour of less responsible, less democratic cyber powers, such as Russia, China, Iran and North Korea. – Dr Joe Devanny

For example, recent US debates about the right level of costs to impose on Russia following the SolarWinds breach appeared to proceed somewhat absent-mindedly, forgetting the Snowden leaks and failing to recognise that cyber espionage is far from being a one-sided affair. These grey areas – of cyber espionage and offensive cyber operations – complicate the relationship between two important dimensions of UK cyber strategy: cyber security and cyber power.

The Integrated Review does not make the mistake of ignoring the utility of cyber espionage or offensive cyber operations as elements of wider national strategy. On the contrary, in a rather gnomic way – by proposing a ‘whole-of-cyber’ approach to cyber strategy – the Review highlights the need for states to consider all their cyber instruments, whether devoted to security, espionage or offensive operations, as part of a wider, comprehensive national approach.

As the Review rightly notes, such an approach must be about more than ensuring that the UK government works as a coherent whole (although this is an important and non-trivial challenge in itself), and must embrace the contributions that allies, the private sector, academia and civil society can make to the collective effort to improve cyber security. Thinking about the whole system, rather than focusing on a single part, is the only sensible approach. But as the former head of the National Cyber Security Centre, Ciaran Martin, has persuasively argued (here and here), there is nothing inevitable about achieving virtuous synergy between the pursuit of cyber security and the use of cyber power.

There is, in fact, a tension inherent in the process of rank-ordering and balancing between the priorities of cyber security and the uses of cyber power (particularly through offensive operations) to achieve wider national objectives.

Underpinning Cyber Power: People, Structures and Processes

Given the delicate balance between these different facets of the United Kingdom’s cyber strategy – and the overlap between wider national security strategy and cyber-related decision making – it is imperative that the UK has the right people, structures and processes in place to produce informed decisions and effective implementation. This is particularly the case as the bureaucratic eco-system of cyber strategy has proliferated over the last decade, so there are more institutional interests competing to shape the overall direction of strategy. Whilst the UK is not a cyber power of the same magnitude as the United States, there are already several institutional actors in the UK cyber sphere. This includes the newest actor, the National Cyber Force, whose avowal by Prime Minister Boris Johnson formed one of the appetite-whetting preludes to the Integrated Review.

The ambition to grow the National Cyber Force over the next decade, from a few hundred to 3000 personnel, represents a significant investment in the offensive side of cyber strategy. This investment raises questions about the on-going balance and coherence of that wider strategy, particularly as the new Force gains momentum, as well as ethical questions about the various uses to which the UK’s offensive cyber capabilities might be put. Will the National Cyber Force primarily conduct skirmishing, ‘counter-cyber’ missions? How will it balance competing priorities to support integrated military operations, counter criminals and terrorists in cyberspace? Each is an important national priority, but even an offensive cyber force of 3000 personnel would not be able to accomplish each mission equally well. The publicity so far about the Force is like a restaurant menu with a very wide range of possible choices, but the Force’s success or failure will ultimately depend on the quality of the process that refines those choices into a more limited set menu, a focused set of missions.

Until recently, a public debate about the role of offensive cyber capabilities in UK strategy did not exist. In the last eighteen months this debate has been elevated, particularly by a small group of former UK cyber officials – such as the aforementioned Ciaran Martin and Marcus Willett. This is a positive development, as is the government’s increasing willingness to communicate about the role of offensive cyber operations in achieving national strategic objectives. These are important factors in building public confidence in the UK’s offensive cyber policies, as well as in improving the effectiveness of offensive cyber signalling to adversaries.

Much of the wider, global debate about offensive cyber operations has been dominated by US voices. This is understandable given the weight of US cyber power. The US-focused debate has produced some striking assessments of the nature of the cyber domain. And this has translated into some significant developments in contemporary US cyber strategy. As influential and important as this US debate is, other states need to carefully consider its relevance and potential application in their respective national strategies.

This is why the recent turn towards a more active UK-focused debate is so welcome. Like much else in UK strategy, the debate about offensive cyber operations cannot and should not take place without reference to the United States and the implications of its decisions for UK strategy. This is true more broadly: effective cyber strategy requires a good understanding of what allies and adversaries are doing themselves, and the imagination to adapt UK decisions accordingly. But similarly, it would be quite wrong to assume that the UK faces precisely the same decisions, or possesses the same means, as the United States. Good cyber strategy must proceed from accurate national self-perception and well-calibrated decisions.

Conclusion

The National Cyber Security Strategy, expected later this year, will be an opportunity to answer many of these questions about the balance between cyber security and cyber power. There are some big choices ahead if the government is to achieve its ambition to be a responsible, democratic cyber power. Part of the answer might be reforming some of the structures and processes that support cyber decision-making, clarifying and streamlining ‘ownership’ of cyber at both ministerial and official levels. The government chose not to revise these structures and processes during the Integrated Review or the subsequent internal review undertaken by the new National Security Adviser. This seems like a missed opportunity. But much of the solution is in longer term work, to improve: the domestic pipeline of cyber talent and innovation; recruitment and retention of cyber expertise in government; cyber security and resilience across the public and private sectors; and coordination with allies to address transnational cyber threats.

Most importantly, the United Kingdom must not lose its focus on the priority of improving cyber security and resilience, both domestically and globally. To ensure that the UK’s cyber espionage and offensive capabilities are an asset rather than a liability in this respect, the UK needs to make prudent choices about when and how to apply its cyber power.

The Integrated Review suggests a potential shift in UK thinking about cyber strategy, elevating the role of cyber power vis-à-vis cyber security. – Dr Joe Devanny

The impact of such a shift will not be clear for some time, but it will be scrutinised more closely in public debates than in the past, which is arguably a fitting corollary to – and perhaps even an integral component of – responsible, democratic cyber power.

 

Dr Joe Devanny is Lecturer in National Security Studies in the Department of War Studies at King’s College London. He is deputy director of the Centre for Defence Studies, a member of the King’s Cyber Security Research Group and an affiliate of the King’s Brazil Institute. His research focuses on the role of cyber power in national strategy, particularly offensive cyber operations.

 

Read the full collection here.
