Is the National Cyber Force for Good?

The Integrated Review exhibits limited development of what the role and integration of ‘cyber’ will be in the future UK defence and security landscape as much as it seems to sidestep the crucial role of cyber security for the prosperity of the country

Cyber power runs throughout the Government’s recent Integrated Review and was one of the few stories that figured heavily in preannouncements in the lead up to its release. Much detailed policy on cyber has been delayed, arguably wisely, until it is incorporated into a cohesive — and due — strategy. Yet, a note of concern is warranted. This next strategy is purported to be on the broader basis of ‘cyber’ rather than cyber security. This resituating of cyber in the UK away from providing security to the projection of power goes against the UK’s established lead and reputation, principally through its National Cyber Security Centre (NCSC). The Integrated Review (IR) leaves many unanswered questions for cyber which prioritises power projection (and a greater formalised assertive role of offensive operations) for how the UK can develop a sufficient response to dynamic and evolving adversaries ranging from terrorism, serious organised crime as well as hostile state activity. In this piece, I reflect on some of the developments and shortcomings of current thinking about cyber, partially developing on a recent co-authored report on the new UK National Cyber Force.[1]

[1] Joe Devanny et al., ‘The National Cyber Force That Britain Needs?’ (London: King’s College London, 21 April 2021), https://www.kcl.ac.uk/policy-institute/assets/the-national-cyber-force-that-britain-needs.pdf.

Dr Andrew Dwyer is an academic specialising in cyber and has carried out research at Durham, Bristol and Oxford universities. He is a co-Lead of the academic Offensive Cyber Working Group.

The missing pieces of a ‘Whole-of-Cyber’ approach

Across the Integrated Review, there is a call for a ‘whole-of-nation’ approach to defence and security, and this is further emphasised with a call for a ‘whole-of-cyber’ approach, “that considers the full range of our capabilities and gives greater weigh to building advantage in critical cyber technologies, as well as to international action to influence the future of cyberspace” (p. 40). These are, of course, lofty goals for the UK to pursue.

Ambitions for this ‘whole-of-cyber’ approach in the IR are however left hazy and lack definition. First, the UK has a relatively tight scope to compete alone in developing ‘critical cyber technologies’ as exemplified by 5G technologies. Second, influencing the future of cyberspace is an unclear goal. What does the UK want? In terms of the development of norms, the UK has been relatively successful, being the first to avow offensive cyber operations which has spurred a succession of states to outline their position. Yet, again, the UK cannot hope to influence norms of engagement alone unless as part of an alliance posture, either through NATO or through the Five Eyes intelligence alliance.

The UK Government is clearly repositioning cyber as part of a broader geopolitical race, away from its prior domestic-orientated focus on security. There is little doubt that geopolitical positioning is increasingly important, but the IR would leave one believing that the UK wishes to pursue its goals almost exclusively through offensive operations and diplomacy. The IR — as a military document — is of course likely to position cyber is certain ways, but the forthcoming strategy — cyber or cyber security — must address how security is addressed collectively through improved defence.

The new National Cyber Force is core to the fine balancing act of the projection of offensive cyber power alongside diplomacy and development of sovereign capabilities. However, as the former CEO of the NCSC has warned, a new focus on cyber must not lose a singular point of expertise on cyber security and go back to a distributed approach.[2] The whole-of-cyber — even societal and collective — approach is welcome, but it is woefully underdeveloped and papers over dangers that a growth in funding and attention for offensive cyber operations. This has a danger of directing attention to ineffective priorities as well as using a resource which is ill-suited to the task at hand. Cyber operations and capabilities will never win a war or conflict, and its primary purpose should be for disrupting established actors which are causing significant harm which cannot be first addressed through improved defensive measures.

[2] Martin, C. (2021, April 28). Ciaran Martin: Six security tests for the new cyber strategy. Civil Service World. https://www.civilserviceworld.com/in-depth/article/ciaran-martin-six-security-tests-for-the-new-cyber-strategy

How to become a “democratic, and responsible, cyber power”

With the explicit desire by the Government to be a “democratic, and responsible, cyber power”, many things need to be put in motion for this to become reality. In particular, how does the Government square a focus on offensive cyber with improved overall cyber security? How was this democratically decided? What is needed is a review of the operational remit for offensive cyber as well as improved oversight, especially through an assessment of how Parliamentary scrutiny works for the NCF as it crosses both domestic and foreign remits, including military, policing, and online harms. Beyond the IR, the Government has previously made clear statements that as a responsible power, it would not conduct indiscriminate attacks, such as by computer worms, during peacetime. However, in preparation for conflict, there should be prepositioning on adversary networks, including critical national infrastructure. This is a significant movement which must be more clearly assessed as it pertains to improving security and establishment of norms.

To be more democratic also means to be more open about the types of operations the UK is willing to conduct. Although there have been many speeches by Ministers, this needs to be explicitly outlined as a cohesive document, as other likeminded European states such as France and Germany have done. However, by moving to a more assertive and offensive posture, this could prompt an over-classification of discussion around cyber, which a focus on cyber security has slowly dismantled over recent years. It also means having clearer articulations of strategy and responsibility. The IR notes that a ministerial small group has been formed to pursue a more unified approach to cyber which will help in assessing this remit. This is to be welcomed after some unclear positioning in Government. However, there is still a lack of cohesive focus by a qualified individual — and could be boosted by a dedicated figure, such as a new deputy National Security Adviser alongside a new dual or triple-hatted minister who straddles domestic security policy, likely across DCMS and BEIS, who would be able to interface with the national security apparatus. This is urgently needed to ensure a variety of diverse perspectives sits at the heart of the Government’s cyber power ambitions.

Should Britain be “Persistently Engaging” with Offensive Cyber?

Offensive cyber sits at the heart of cyber power, with the National Cyber Force being a major selling point of the modernisation of security and defence. The force is formed from two primary consistent organisations, GCHQ and MoD, as well as integration with SIS and Dtsl.

As central as the NCF is to the UK’s ambitions to project cyber power, there is relatively little information what a target of 3000 personnel by 2030 will do. This is at least down to its newness as a force where some of its growth and mission focus will evolve. However, the range of the force is complicated by a wide mission remit covering serious organised crime, terrorism, as well as hostile state activity. Clearly, the force cannot do all these things at the same time and prioritisation will be required. The NCF will have to balance competing visions for its existence, especially among senior Conservative politicians — who may want to be more hawkish against China and Russia. This must be resisted and the NCF’s remit and operational efficacy should be continually assessed over how it is contributing to the security of the entire country rather than pursuing speculative goals where cyber is seen a silver bullet. Indeed, the ethics and politics behind the NCF should not be left to the Government, but actively worked through with elected representatives and specialists from across industry, academia, and policy.

Moves in the United States and elsewhere to persistent engagement are also reflected in the IR — especially with those that are below the threshold of war and ‘grey zone’ warfare. However, this is conspicuously absent for cyber. This is despite arguably our closest ally in cyber — the United States — explicitly avowing a ‘Persistent Engagement’ strategy of contesting with adversaries in cyberspace beyond sovereign networks. This omission is likely due to the NCF’s current size and thus limiting the capacity of the UK to ‘persistently engage’. Yet, it makes little sense for the UK to persistently engage alone, and it is still undetermined whether persistent engagement is the right method in the long run. However, the NCF should prioritise smaller engagements which focus on those which cannot be resolved by defence rather than trying to spread itself too thinly. For Labour, a position that acknowledges some of the risks and advantages of moving to persistent engagement in cyberspace is sorely required — and is needed in a greater democratic debate about the role of conflict for the UK in the 21st century.

Empty Job Openings

As with other areas of defence, there is a requirement for the UK to develop sovereign capabilities, to retain for situations where it decides it wishes to pursue its own objectives. However, technological capability and resource is limited primarily by the availability of specialist cyber skills. Although the IR notes its ambitions to create a strong cyber ‘ecosystem’ with further investment in R&D and developing the industrial base, this has been an issue that has pervaded cyber security for some time. Skills remain a key limiting resource to the pursuit of cyber security and the Government should not focus on procurement of offensive capabilities whilst neglecting the impact on the security of all of us online. In the build up to 3000 personnel, a core question is whether this will take skills away from elsewhere, and a keen eye must be kept on keeping a balanced workforce. If this is unsuccessful, this could weaken the UK overall as much as it may have better offensive capacities.

Likewise, the Government needs firm action on what form improving adoption of new technologies will take — and needs to specify and simplify processes for engagement with industry, especially for cyber. Unlike other forms of procurement, cyber needs are typically fast evolving and redundant far speedier than other conventional technologies and resources. It may be that the NCF is given special permission to relax certain procurement for these high-speed needs. Likewise, many of the core technology start ups are quickly absorbed into large corporations or bought by foreign businesses. A strategic assessment of what is coming out of universities as well as start-ups will be crucial to ensure there is a supply chain of technologies; especially as those technologies could be exported and used in ways which don’t attend to the Government’s mantra of being a ‘democratic, and responsible, cyber power.’

The Domestic Political Agenda

Finally, on the domestic agenda for the Conservatives, cyber is seen as a growth area for defence amidst other difficult cuts. It is one of the few areas that is experiencing significant growth in both technology and personnel. Hence, the cyber force is seen as a ‘good news’ story for the Government. This is especially so with the NCF’s proposed headquarters to be based in the North-West of England as part of a new ‘cyber corridor’, likely tied to the Conservative ‘levelling up’ agenda. However, significant questions remain about this move. Most skills that make up the NCF will currently exist in the South-West at GCHQ and MoD sites. Therefore, there is a potential that the headquarters could be merely symbolic and not represent a genuine move of resources and personnel to the region as well as the costs of relocation of such personnel. Although it is ambitious to develop new skills (which are sorely required across the industry), this will take time and will not be immediately available for the NCF. Thus, with such money being spent on offensive cyber, which is easy to sell as positive headlines, questions must be asked of the use of cyber and whether such a move is in the best interests of the security of the United Kingdom.