Is the National Cyber Force for Good?

The Integrated Review exhibits limited development of what the role and integration of ‘cyber’ will be in the future UK defence and security landscape, just as it seems to sidestep the crucial role of cyber security for the prosperity of the country.

Cyber power runs throughout the Government’s recent Integrated Review and was one of the few stories that figured heavily in pre-announcements in the lead-up to its release. Much detailed policy on cyber has been delayed, arguably wisely, until it is incorporated into a cohesive — and due — strategy. Yet a note of concern is warranted. This next strategy is purported to be on the broader basis of ‘cyber’ rather than cyber security. This resituating of cyber in the UK, away from providing security and towards the projection of power, goes against the UK’s established lead and reputation, principally through its National Cyber Security Centre (NCSC). The Integrated Review (IR) prioritises power projection for cyber (and a greater formalised, assertive role for offensive operations) and leaves many unanswered questions about how the UK can develop a sufficient response to dynamic and evolving adversaries, ranging from terrorism and serious organised crime to hostile state activity. In this piece, I reflect on some of the developments and shortcomings of current thinking about cyber, partially developing on a recent co-authored report on the new UK National Cyber Force.[1]

[1] Joe Devanny et al., ‘The National Cyber Force That Britain Needs?’ (London: King’s College London, 21 April 2021), https://www.kcl.ac.uk/policy-institute/assets/the-national-cyber-force-that-britain-needs.pdf.

Dr Andrew Dwyer is an academic specialising in cyber and has carried out research at Durham, Bristol and Oxford universities. He is a co-Lead of the academic Offensive Cyber Working Group.

The missing pieces of a ‘Whole-of-Cyber’ approach

Ambitions for this ‘whole-of-cyber’ approach in the IR are, however, left hazy and lack definition. First, the UK has a relatively tight scope to compete alone in developing ‘critical cyber technologies’, as exemplified by 5G technologies. Second, influencing the future of cyberspace is an unclear goal. What does the UK want? In terms of the development of norms, the UK has been relatively successful, being the first to avow offensive cyber operations, which has spurred a succession of states to outline their position. Yet, again, the UK cannot hope to influence norms of engagement alone; it can do so only as part of an alliance posture, either through NATO or through the Five Eyes intelligence alliance.

The UK Government is clearly repositioning cyber as part of a broader geopolitical race, away from its prior domestic-orientated focus on security. There is little doubt that geopolitical positioning is increasingly important, but the IR would leave one believing that the UK wishes to pursue its goals almost exclusively through offensive operations and diplomacy. The IR — as a military document — is of course likely to position cyber in certain ways, but the forthcoming strategy — cyber or cyber security — must set out how security is addressed collectively through improved defence.

The new National Cyber Force is core to the fine balancing act of the projection of offensive cyber power alongside diplomacy and development of sovereign capabilities. However, as the former CEO of the NCSC has warned, a new focus on cyber must not lose a singular point of expertise on cyber security and go back to a distributed approach.[2] The whole-of-cyber — even societal and collective — approach is welcome, but it is woefully underdeveloped and papers over the dangers that a growth in funding and attention for offensive cyber operations brings. This risks directing attention to ineffective priorities as well as using a resource which is ill-suited to the task at hand. Cyber operations and capabilities will never win a war or conflict, and their primary purpose should be disrupting established actors which are causing significant harm that cannot first be addressed through improved defensive measures.

[2] Ciaran Martin, ‘Ciaran Martin: Six Security Tests for the New Cyber Strategy’, Civil Service World, 28 April 2021, https://www.civilserviceworld.com/in-depth/article/ciaran-martin-six-security-tests-for-the-new-cyber-strategy.

How to become a “democratic, and responsible, cyber power”

To be more democratic also means to be more open about the types of operations the UK is willing to conduct. Although there have been many speeches by Ministers, this needs to be explicitly outlined in a cohesive document, as other like-minded European states such as France and Germany have done. However, moving to a more assertive and offensive posture could prompt an over-classification of discussion around cyber, which a focus on cyber security has slowly dismantled over recent years. It also means having clearer articulations of strategy and responsibility. The IR notes that a ministerial small group has been formed to pursue a more unified approach to cyber, which will help in assessing this remit. This is to be welcomed after some unclear positioning in Government. However, there is still a lack of cohesive focus by a qualified individual. This could be boosted by a dedicated figure, such as a new deputy National Security Adviser, alongside a new dual or triple-hatted minister who straddles domestic security policy, likely across DCMS and BEIS, and who would be able to interface with the national security apparatus. This is urgently needed to ensure a variety of diverse perspectives sits at the heart of the Government’s cyber power ambitions.

Should Britain be “Persistently Engaging” with Offensive Cyber?

As central as the NCF is to the UK’s ambitions to project cyber power, there is relatively little information on what a target of 3000 personnel by 2030 will do. This is at least in part down to its newness as a force, where some of its growth and mission focus will evolve. However, the range of the force is complicated by a wide mission remit covering serious organised crime, terrorism, as well as hostile state activity. Clearly, the force cannot do all these things at the same time and prioritisation will be required. The NCF will have to balance competing visions for its existence, especially among senior Conservative politicians — who may want to be more hawkish against China and Russia. This must be resisted, and the NCF’s remit and operational efficacy should be continually assessed over how it is contributing to the security of the entire country rather than pursuing speculative goals where cyber is seen as a silver bullet. Indeed, the ethics and politics behind the NCF should not be left to the Government, but actively worked through with elected representatives and specialists from across industry, academia, and policy.

Moves in the United States and elsewhere to persistent engagement are also reflected in the IR — especially with those that are below the threshold of war and ‘grey zone’ warfare. However, this is conspicuously absent for cyber. This is despite arguably our closest ally in cyber — the United States — explicitly avowing a ‘Persistent Engagement’ strategy of contesting with adversaries in cyberspace beyond sovereign networks. This omission is likely due to the NCF’s current size, which limits the capacity of the UK to ‘persistently engage’. Yet it makes little sense for the UK to persistently engage alone, and it is still undetermined whether persistent engagement is the right method in the long run. However, the NCF should prioritise smaller engagements, focusing on those which cannot be resolved by defence, rather than trying to spread itself too thinly. For Labour, a position that acknowledges some of the risks and advantages of moving to persistent engagement in cyberspace is sorely required — and is needed in a greater democratic debate about the role of conflict for the UK in the 21st century.

Empty Job Openings

Likewise, the Government needs firm action on what form improving adoption of new technologies will take — and needs to specify and simplify processes for engagement with industry, especially for cyber. Unlike in other forms of procurement, cyber needs are typically fast-evolving and become redundant far more quickly than other conventional technologies and resources. It may be that the NCF is given special permission to relax certain procurement processes for these high-speed needs. Likewise, many of the core technology start-ups are quickly absorbed into large corporations or bought by foreign businesses. A strategic assessment of what is coming out of universities as well as start-ups will be crucial to ensure there is a supply chain of technologies, especially as those technologies could be exported and used in ways which don’t attend to the Government’s mantra of being a ‘democratic, and responsible, cyber power.’

The Domestic Political Agenda

Defence & Security arm of the Fabian Society, commenting on UK defence and national security policy.