The UK government will conduct a series of cyber attacks against Russian military intelligence targets, according to anonymous comments by a serving UK official reported in The Times. These comments were the latest in a series of reports highlighting a surprising willingness from UK officials to brief the press about past and possible future uses of offensive cyber operations. These have ranged from hypothetical operations against Russia to confirmed operations against the Islamic State.
Underlying this is a significant increase in the UK’s offensive cyber capabilities. In recent years, the national offensive cyber programme – a partnership between the Ministry of Defence and GCHQ established in 2014 – has accelerated development of new capabilities to conduct cyber attacks, according to a December 2017 parliamentary oversight report.
There are two major questions at stake here. First, how should the UK respond to hostile acts perpetrated by the Russian state; and second, what role – if any – should the UK’s cyber capabilities play in that response?
The cyber attacks described to The Times were mooted as a further component in the wider UK response to the chemical weapons attack on the former Russian intelligence officer (and UK spy) Sergei Skripal and his daughter Yulia in Salisbury in March. Theresa May, the British prime minister, has now attributed the attack – which also led to the death of a British woman, Dawn Sturgess – to Russia’s military intelligence service and named two Russian nationals as suspects in the attack. The two men have since claimed in an interview with RT that they were “merely tourists” visiting Salisbury cathedral.
The UK had already expelled 23 suspected Russian intelligence officers in March as a direct response to the Salisbury attacks, as well as co-ordinating a reciprocal expulsion of more than 100 other Russian intelligence officers from the territory of UK allies.
This post-Skripal period of decision making is a critical juncture in the UK’s policy towards Russia, raising deeper questions about the UK’s wider policy approach to Russia over 20 years or more.
Putting Russia ‘on notice’
The various options for a cyber response mentioned in The Times article were at the restrained and proportionate end of the offensive cyber operations spectrum. One suggestion was to attack computer networks to degrade the operational capacity of Russian military intelligence – rather than, for example, attacking computer networks to threaten essential public services in Russia and risk casualties.
By adding cyber attacks to its wider package of measures in response to the Skripal attack, the UK is trying to achieve an overall response that does its best to change Russian state behaviour without miscalculating and provoking a worse response in future.
The Skripal attack was brutal and reckless, but it doesn’t change the deeper truth that neither UK nor Russian interests are served by unlimited, escalating conflict. Both sides need to think carefully about the total size and shape of their respective activities, including cyber operations – but they also need to think about their communication strategies.
The decision made by the anonymous Whitehall sources quoted in The Times is an apparent public avowal of the UK’s intention to commit covert activities. It puts Russian intelligence “on notice” that the UK intends to unleash a range of irritant attacks to reduce Russia’s capability.
This could have unintended consequences. Now we think we know that the UK might conduct some cyber attacks against Russian targets, this could potentially increase the temptation for the Kremlin to shift blame if and when something happens in Russia (a major infrastructure accident perhaps?) that could semi-plausibly be blamed on the UK.
This isn’t merely a question of creating pretext for Russian blame-shifting. It adds to an atmosphere of suspicion in which the general public might become more susceptible to Russian claims: “The UK said it would do this, so why not that?”
Rethink the communication strategy
Although the UK has begun to communicate publicly about its cyber capabilities, there is still much we don’t know about them. In this knowledge vacuum there is a risk of misunderstanding. Questions also remain over what kinds of cyber operations would be considered legitimate and how these capabilities should be subject to independent oversight.
Ministers should ensure that there has been appropriate discussion within government, most likely within the National Security Council system, about whether public statements (and anonymous leaks) actually serve UK interests. Or whether, instead, statements of intent about cyber operations undermine the UK’s security by making Russian retaliation more likely – because the public nature of the UK threat compels a strong and public Russian response. This could either prolong tensions or, worse, create a spiral of escalation.
The existing evidence regarding the Skripal attack indicates that the Russian state’s judgement about what constitutes a permissible use of force is significantly out of alignment with the UK’s. Given this – and the notionally shared interest in preventing tensions from escalating further – it doesn’t appear wise for the UK government to press forward with its increasingly public references to what cyber capabilities the UK is likely to use against Russian targets. Tough talking might go down well with a British newspaper readership, but those same comments might be interpreted differently by the Russian government.
There are risks involved in publicly signalling the imminence of cyber and other attacks, especially against capable adversaries with a demonstrable appetite for taking risks and a cavalier attitude about collateral damage. The UK needs to think more carefully about how it integrates cyber operations, and communication about them, into its wider approach – not only towards Russia but across the whole spectrum of national security operations.