The UK government is very publicly investing more money in its ability to conduct cyber attacks and, at the same time, it is becoming increasingly open in talking about the attacks it has conducted in the past – and those it might conduct in future.
This approach of increasingly public, assertive references to cyber capabilities is mirrored in the US, where national security adviser John Bolton recently announced a shift towards a more assertive approach to conducting cyber attacks.
Sky News reported further details in late September about past UK cyber attacks, as well as “new” investment of £250m in the UK’s offensive cyber programme, involving a four-fold increase in the number of UK cyber operators.
This story followed another recent report in The Times that cited an anonymous official as claiming that the UK government will conduct a series of cyber attacks against Russian military intelligence targets. These reports highlight a surprising willingness from UK officials to brief the press about past and possible future uses of offensive cyber operations, ranging from hypothetical operations against Russia to confirmed operations against the Islamic State.
Underlying this is a significant increase in the UK’s offensive cyber capabilities. Years before the recent announcement of a new cyber force, in 2014 the UK announced the creation of its national offensive cyber programme – a partnership between the Ministry of Defence and GCHQ. In recent years, this programme has accelerated its development of new capabilities to conduct cyber attacks, according to a December 2017 parliamentary oversight report.
The recent trend to talk more openly about cyber capabilities and the government’s investment in them raises several questions – not least the relative importance of recruiting lots more staff as compared with focus on recruiting and retaining the best cyber talent. Two other major questions stand out. First, with much of the recent news framed as a response to Russian state activities, how should the UK respond to hostile acts perpetrated by the Russian state? And second, what role – if any – should the UK’s cyber capabilities play in that response – and how much should the UK be talking publicly about them?
The cyber attacks described to The Times were mooted as a further component in the wider UK response to the chemical weapons attack on the former Russian intelligence officer (and UK spy) Sergei Skripal and his daughter Yulia in Salisbury in March. Theresa May, the British prime minister, has now attributed the attack – which also led to the death of a British woman, Dawn Sturgess – to Russia’s military intelligence service and named two Russian nationals as suspects in the attack. The two men have since claimed in an interview with RT that they were “merely tourists” visiting Salisbury cathedral.
The UK had already expelled 23 suspected Russian intelligence officers in March as a direct response to the Salisbury attacks, as well as co-ordinating a reciprocal expulsion of more than 100 other Russian intelligence officers from the territory of UK allies.
This post-Skripal period of decision making is a critical juncture in the UK’s policy towards Russia, raising deeper questions about the UK’s wider policy approach to Russia over 20 years or more.
Putting Russia ‘on notice’
The various options for a cyber response mentioned in The Times article were at the restrained and proportionate end of the offensive cyber operations spectrum. One suggestion was to attack computer networks to degrade the operational capacity of Russian military intelligence – rather than, for example, attacking computer networks to threaten essential public services in Russia and risk casualties.
By adding cyber attacks to its wider package of measures in response to the Skripal attack, the UK is trying to achieve an overall response that does its best to change Russian state behaviour without miscalculating and provoking a worse response in future.
The Skripal attack was brutal and reckless, but it doesn’t change the deeper truth that neither UK nor Russian interests are served by unlimited, escalating conflict. Both sides need to think carefully about the total size and shape of their respective activities, including cyber operations – but they also need to think about their communication strategies.
The decision made by the anonymous Whitehall sources quoted in The Times is an apparent public avowal of the UK’s intention to commit covert activities. It puts Russian intelligence “on notice” that the UK intends to unleash a range of irritant attacks to reduce Russia’s capability.
This could have unintended consequences. Now we think we know that the UK might conduct some cyber attacks against Russian targets, this could potentially increase the temptation for the Kremlin to shift blame if and when something happens in Russia (a major infrastructure accident perhaps?) that could semi-plausibly be blamed on the UK.
This isn’t merely a question of creating pretext for Russian blame-shifting. It adds to an atmosphere of suspicion in which the general public might become more susceptible to Russian claims: “The UK said it would do this, so why not that?”
Rethink the communication strategy
Although the UK has begun to communicate publicly about its cyber capabilities, there is still much we don’t know about them. In this knowledge vacuum there is a risk of misunderstanding. Questions also remain over what kinds of cyber operations would be considered legitimate and how these capabilities should be subject to independent oversight.
Ministers should ensure that there has been appropriate discussion within government, most likely within the National Security Council system, about whether public statements (and anonymous leaks) actually serve UK interests. Or whether, instead, statements of intent about cyber operations undermine the UK’s security by making Russian retaliation more likely – because the public nature of the UK threat compels a strong and public Russian response. This could either prolong tensions or, worse, create a spiral of escalation.
The existing evidence regarding the Skripal attack indicates that the Russian state’s judgement about what constitutes a permissible use of force is significantly out of alignment with the UK’s. Given this – and the notionally shared interest in preventing tensions from escalating further – it doesn’t appear wise for the UK government to press forward with its increasingly public references to what cyber capabilities the UK is likely to use against Russian targets. Tough talking might go down well with a British newspaper readership, but those same comments might be interpreted differently by the Russian government.
There are risks involved in publicly signalling the imminence of cyber and other attacks, especially against capable adversaries with a demonstrable appetite for taking risks and a cavalier attitude about collateral damage. The UK needs to think more carefully about how it integrates cyber operations, and communication about them, into its wider approach – not only towards Russia but across the whole spectrum of national security operations.