There is, in fact, a tension inherent in the process of rank-ordering and balancing between the priorities of cyber security and the uses of cyber power (particularly through offensive operations) to achieve wider national objectives.
Underpinning Cyber Power: People, Structures and Processes
Given the delicate balance between these different facets of the United Kingdom’s cyber strategy – and the overlap between wider national security strategy and cyber-related decision making – it is imperative that the UK has the right people, structures and processes in place to produce informed decisions and effective implementation. This is particularly the case as the bureaucratic eco-system of cyber strategy has proliferated over the last decade, so there are more institutional interests competing to shape the overall direction of strategy. Whilst the UK is not a cyber power of the same magnitude as the United States, there are already several institutional actors in the UK cyber sphere. This includes the newest actor, the National Cyber Force, whose avowal by Prime Minister Boris Johnson formed one of the appetite-whetting preludes to the Integrated Review.
The ambition to grow the National Cyber Force over the next decade, from a few hundred to 3000 personnel, represents a significant investment in the offensive side of cyber strategy. This investment raises questions about the on-going balance and coherence of that wider strategy, particularly as the new Force gains momentum, as well as ethical questions about the various uses to which the UK’s offensive cyber capabilities might be put. Will the National Cyber Force primarily conduct skirmishing, ‘counter-cyber’ missions? How will it balance competing priorities to support integrated military operations, counter criminals and terrorists in cyberspace? Each is an important national priority, but even an offensive cyber force of 3000 personnel would not be able to accomplish each mission equally well. The publicity so far about the Force is like a restaurant menu with a very wide range of possible choices, but the Force’s success or failure will ultimately depend on the quality of the process that refines those choices into a more limited set menu, a focused set of missions.
Until recently, a public debate about the role of offensive cyber capabilities in UK strategy did not exist. In the last eighteen month this debate has been elevated, particularly by a small group of former UK cyber officials – such as the aforementioned Ciaran Martin and Marcus Willett. This is a positive development, as is the government’s increasing willingness to communicate about the role of offensive cyber operations in achieving national strategic objectives. These are important factors in building public confidence in the UK’s offensive cyber policies, as well as in improving the effectiveness of offensive cyber signalling to adversaries.
Much of the wider, global debate about offensive cyber operations has been dominated by US voices. This is understandable given the weight of US cyber power. The US-focused debate has produced some striking assessments of the nature of the cyber domain. And this has translated into some significant developments in contemporary US cyber strategy. As influential and important as this US debate is, other states need to carefully consider its relevance and potential application in their respective national strategies.
This is why the recent turn towards a more active UK-focused debate is so welcome. Like much else in UK strategy, the debate about offensive cyber operations cannot and should not take place without reference to the United States and the implications of its decisions for UK strategy. This is true more broadly: effective cyber strategy requires a good understanding of what allies and adversaries are doing themselves, and the imagination to adapt UK decisions accordingly. But similarly, it would be quite wrong to assume that the UK faces precisely the same decisions, or possesses the same means, as the United States. Good cyber strategy must proceed from accurate national self-perception and well-calibrated decisions.
The National Cyber Security Strategy, expected later this year, will be an opportunity to answer many of these questions about the balance between cyber security and cyber power. There are some big choices ahead if the government is to achieve its ambition to be a responsible, democratic cyber power. Part of the answer might be reforming some of the structures and processes that support cyber decision-making, clarifying and streamlining ‘ownership’ of cyber at both ministerial and official levels. The government chose not to revise these structures and processes during the Integrated Review or the subsequent internal review undertaken by the new National Security Adviser. This seems like a missed opportunity. But much of the solution is in longer term work, to improve: the domestic pipeline of cyber talent and innovation; recruitment and retention of cyber expertise in government; cyber security and resilience across the public and private sectors; and coordination with allies to address transnational cyber threats.
Most importantly, the United Kingdom must not lose its focus on the priority of improving cyber security and resilience, both domestically and globally. To ensure that the UK’s cyber espionage and offensive capabilities are an asset rather than a liability in this respect, the UK needs to make prudent choices about when and how to apply its cyber power.