Posted by 
Conrad Prince is a Distinguished Fellow and senior cyber adviser at RUSI. He is the former director general for operations and deputy head of the U.K. government’s signals intelligence and cyber security agency, GCHQ.
The last decade has seen a notable increase in openness and engagement from the United Kingdom’s intelligence and security agencies — especially in contrast to the days, not all that long ago, when the government didn’t even officially admit to their existence. But today, we have speeches and media appearances from agency heads, extensive websites and even a presence on social media.
Now, that process has taken a significant step further with a publication by one of the newest additions to this secret world — the National Cyber Force (NCF). The NCF has released a document setting out the operating principles behind the U.K.’s use of what is sometimes called “offensive cyber.” That is, operations in cyberspace to disrupt an adversary’s ability to use the Internet and digital technology to further their ends.
The guide is the first of its kind, giving us unprecedented insight into the U.K.’s thinking on cyber operations.
The NCF was created in 2020 from elements of the Government Communications Headquarters — its cyber intelligence and security agency — the Ministry of Defence and the Secret Intelligence Service. And although its creation represents a significant increase in focus on this area, the U.K. isn’t new to the world of offensive cyber operations — by the government’s own account, it’s been carrying them out for over 20 years. But up until now, very little has been said in public about the U.K.’s approach to this capability.
Public understanding of cyber operations is sometimes hampered by some of the overblown language used to describe it. Terms like “cyber 9/11” or “cyber-Pearl Harbor” reinforce the seriously misleading notion that a cyberattack is something analogous to a nuclear one, and is mainly about widespread and catastrophic destruction to swathes of critical infrastructure.
But nuclear is about the worst possible analogy for cyber. Cyber operations are much closer to covert action, to clandestine operations below the threshold of a shooting war, designed to achieve a particular effect in a targeted way.
The NCF’s new guide acknowledges that cyber operations are unlikely to be strategically decisive on their own. They can, however, achieve a valuable targeted effect — such as preventing a terrorist group communicating at a critical moment, or disrupting an adversary’s access to situational awareness information — which can be particularly effective when combined with other actions in the physical world.
As our adversaries — whether terrorists, criminals or hostile states — increasingly depend on digital technology to achieve their ends, having an ability to disrupt this dependency is important. And, according to the guide, the NCF is carrying out such operations on a daily basis.
Among the details revealed, perhaps most striking are those into the thought process behind the U.K.’s cyber operations, in particular, what is termed “the doctrine of cognitive effect.” This approach focuses on how cyber operations that limit or affect the information available to an adversary, and undermine their confidence in their technology and the information it provides, can weaken their ability to plan and conduct activities with confidence. It shows an intent to use cyber operations for a more subtle and pervasive effect, beyond simple tactical short-term disruption of technology.
This reveals some innovative thinking — but evidencing the impact of these operations remains difficult. The NCF is clear we shouldn’t expect to see details of specific operations, and there are clearly difficult security issues involved in being more open — maintaining ambiguity about operations is also a core part of the U.K. approach. But in the spirit of transparency, it would be good if the NCF could find some ways to give the public a sense of its effectiveness.
There’s also a question as to whether publishing this statement will contribute to deterrence. Much has been written on cyber deterrence, and much of it suffers from false analogies to the nuclear environment. But in practice, there’s little evidence that knowledge of a country’s cyber capabilities plays a material part in deterring action, whether in the virtual or physical world.
A critical part of the guide is about making the case that it is possible to carry out cyber operations in a responsible and ethical way.
The U.K. government has committed itself to the principle of a free, open, peaceful and secure Internet, and has repeatedly emphasized the need for states to act responsibly in cyberspace. But how does that sit with the government at the same time investing apparently significant resources in an organization dedicated to launching cyberattacks?
The starting point is that our adversaries are using the Internet and digital technology to do us harm, and it seems perverse to deny ourselves the possibility of making that harder for them. So, the key questions are how to do so in a legal, ethical and properly managed way. And the guide sets out a strong case for the U.K. position.
The NCF has set out three principles for its operations — that they be accountable, precise and calibrated. It states that the U.K. operates under a robust legal framework of domestic and international law with independent oversight, including from judges and parliament, via its Intelligence and Security Committee. And the guide describes how the NCF’s operations are carefully designed to be targeted with precision, using capabilities that are controllable, predictable and subject to extensive clearance procedures.
Some of this must inevitably be taken on trust, of course, and not everyone may be satisfied. But as an approach, it’s in stark contrast to the behavior exhibited by countries like Russia and Iran, which generally lack legitimacy and are disproportionate and indiscriminate, frequently impacting those who weren’t the intended target.
As such, this guide is a valuable step toward starting to put some much-needed flesh on the bones of what goes into making responsible cyber operations.
Not so long ago, it would have been unthinkable for the U.K. to have published a document of this sort. That they have done so is to be greatly welcomed — as is the NCF explicitly recognizing it needs a license to operate from the public, and that achieving this requires more openness and engagement.
The NCF’s guide is a significant step in providing more transparency about U.K. cyber operations. It does, however, need to be the start of a process, not the conclusion of one. There is much to be gained from shining more light on this complex and often misunderstood field.
