He was speaking to the Mail on Sunday (reported in the Mail Online) ahead of an announcement at the annual Tory party conference in Manchester; but what makes this statement different to earlier cyber announcements is the claim of an offensive cyber capability.
It is generally believed that most advanced nations have or are developing such a cyber strike force; but Hammond's statement is the first public affirmation by a national government. For example, while the Olympic Games project – including Stuxnet – is widely believed to be a US offensive cyber operation, the US government has never officially admitted it.
But now Hammond has declared that the UK will recruit a cyber army of hundreds of computer geeks as military cyber reservists, at an expected cost of up to £500 million over the next few years. "People think of military as land, sea and air," he told the Mail. "We long ago recognized a fourth domain – space. Now there’s a fifth – cyber. This is the new frontier of defense. For years, we have been building a defensive capability to protect ourselves against these cyber attacks. That is no longer enough."
A Ministry of Defence statement, also published yesterday, explains, "In response to the growing cyber threat, we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capabilities. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe."
This new policy is not without its critics. Ross Brewer, vice president and managing director for international markets at LogRhythm, thinks that an offensive capability, which he describes as 'pre-emptive strikes on other countries' is no surprise. "However, it is curious that Hammond has decided to be so brazen with this announcement."
According to the Financial Times, Shashank Joshi of the Royal United Services Institute think tank called the announcement a “highly unusual step” and that “the UK may risk losing the moral high ground."
An unnamed analyst added that it gives "China a chance to defend itself against arguments that Beijing is conducting massive cyber espionage against the west. It doesn't really make sense for the British [Ministry of Defence] to come out and make a statement like this and give the Chinese yet more ammunition."
The problem with such a policy lies in the difficulty of definitively knowing the source of an attack. On Saturday the Wall Street Journal reported that "U.S. officials said Iran hacked unclassified Navy computers in recent weeks in an escalation of Iranian cyberintrusions targeting the U.S. military." It added, "The U.S. officials said the attacks were carried out by hackers working for Iran's government or by a group acting with the approval of Iranian leaders." It is clear from this that the officials cannot prove that it was specifically government-sponsored – or they would have said so. The question then is whether a cyber offensive response can be launched on the basis of a suspicion.
The reality is, however, that deterrence only works on the back of a credible threat of retaliation, equal or stronger than the original aggression. What the UK government is saying very clearly is that if any foreign nation launches an attack against British interests – whether physical or cyber – Britain will have the capability to strike back in cyber space. "Hammond needs to convince the UK’s enemies that if its interests are threatened or the country is attacked in the cyber domain that it has the capability and capacity to do something about it," explains Dr. Jarno Limnell, director of cyber security for Stonesoft. "Offensive capabilities form a key part of this objective."
Meanwhile, and perhaps not entirely co-incidentally, James Stavridis, a retired Navy admiral and former Supreme Allied Commander at NATO, has voiced a very similar opinion in the Boston Globe: "It is time we considered the creation of a US Cyber Force for many of the same reasons we needed a US Air Force," he wrote yesterday. "A focused and dedicated service, reporting to civilian leadership, would create true singularity of strategic purpose in respect to military operations — defense, intelligence, surveillance, and potentially offense — in the cyber world."