The post was first published on ISS.org https://www.iiss.org/blogs/analysis/2020/11/uk-national-cyber-force
The UK has this week announced the establishment of a National Cyber Force. Marcus Willett explains the rationale for this next step in the evolution of UK cyber.
From criminal gangs using ransomware to extort money, to states stealing vital intellectual property and trying to interfere in democratic processes, the threats to the UK in cyberspace have been well-publicised for good reason. The UK’s vital ‘goal-line’ protection against such threats has also been well covered, especially since the creation of the UK’s innovative National Cyber Security Centre (NCSC).
Less well-publicised have been the UK’s other cyber capabilities, designed to counter such threats upstream, including at source. A lack of transparency about such capabilities is perhaps understandable, given their nature, but it leads to misunderstandings and sometimes polarisation – either glorifying offensive cyber capabilities as silver bullets or implying that all such capabilities are inherently as irresponsible as the Russian use of NotPetya or North Korea’s use of Wannacry. Neither depiction is accurate.
The UK’s Government Communications Headquarters (GCHQ) had pioneered the use of cyber operations to counter terrorist, criminal and state-level malign activity over a decade before the public confirmation of their use against the Islamic State in 2016. The creation in 2014 of a joint investment programme run by GCHQ and the Ministry of Defence (MOD) was an important milestone towards achieving greater scale. To take the next step on scale and effectiveness, the UK has now replaced the programme with the National Cyber Force (NCF).
The NCF brings together the relevant cyber elements of GCHQ, the MOD, the Secret Intelligence Service and the Defence Science and Technology Laboratory into a single organisation under unified command, to cover the full range of the UK’s national security priorities – from tackling serious criminality to preparing for war. As such, it has no equivalent anywhere else in the world.
Rationale for the creation of the NCF
Greater efficiency is one reason the UK has chosen to do this, having fewer people and less money to devote to cyber than, for example, the US or China. It gives the UK greater operational agility, allowing it to veer and haul capabilities across requirements, concentrating skills and technical capabilities where they are needed most, under the appropriate political and legal authorisation. If, for example, a military operator has the best skills and capability to prevent the internet from being used as a global platform for the sexual abuse of children or fraud, then that is how they can – and should – be assigned and authorised.
An added advantage is that military operators can learn to ‘skirmish’ on real cyber operations, rather than just training on a test range while waiting to deliver a military cyber effect when required. Conversely, whenever there is an overriding need for a military effect – to support forces on a battlefield, for example – all the relevant NCF capabilities can easily be brought to bear. This point is worth emphasising – while predominantly focused in peacetime on tackling non-military targets, the NCF also prepares the UK for the use of cyber capabilities in armed conflict.
Some commentators are rightly quick to remind us of the risks posed by such capabilities to an environment that is fundamental to our daily lives – the global internet – and to warn against its potential ‘militarisation’. But cyberspace is no different in this regard from land, sea and air – each are central to our day-to-day peaceful existence, each requiring their fundamental freedoms, but in each we hope to deter others from fighting while preparing to fight ourselves, if we have to.
It may feel uncomfortable, but military forces today must be able to think, defend and manoeuvre in cyberspace as much as in (and across) any other environment. (While cyber capabilities might in future lead to a more efficient use of tanks, ships and planes, they are unlikely to replace the need to have them). And we can surely learn from how the military adapted to having to fight in and from the air: in the margins of its widespread and safe civilian use; and avoiding the misguided notion that air power could by itself win wars. This encapsulates a key reason for creating the NCF – the UK military has no choice but to develop cyber doctrine and the relevant capabilities for war, and it is better to do this in lock-step with its key civilian partners rather than in parallel.
Building on well-established strengths
Close integration between defence and offence will remain essential – a state cannot develop a cyber capability against which it cannot defend. The close relationship between the NCSC and NCF should guarantee this – the NCSC being part of GCHQ, which is a fundamental partner in the NCF.
Under the auspices of the NCF, the UK will continue to act responsibly in cyber space, with the appropriate political and legal authorisations, and an ethical framework underpinned by the principle of proportionality. (This means, for example, developing precision capabilities rather than ‘fire-and-forget’ self-propagating disruptive computer viruses, to minimise any risk to the cyber global commons). And unlike its major adversaries, the UK has a proven ability to act in international cyber alliances with like-minded states, as it did against the Islamic State.
There is too much written about cyber Armageddons, too much analogy with nuclear-informed deterrence theory and little sense of what real cyber operations entail. It is to be hoped that the NCF can follow the lead set by the NCSC and be sufficiently open about its activities to engender a better international debate on ‘offensive’ cyber. It is needed.
Marcus Willett, Senior Advisor for Cyber
RELIANCE ACSN ADVISORY BOARD MEMBER
During a 33-year career, Marcus rose to become Deputy Head of GCHQ, and its first Director of Cyber.
He has established and led major UK Cyber programmes, and has also held posts across the wider UK intelligence and security community.
Marcus is currently the Senior Adviser for Cyber at the International Institute for Strategic Studies, a world-leading authority on global security political risk and military conflict.