The UK government continues to adjust its cyber response to the growing threat posed by nation-state adversaries, in line with its latest National Cyber Strategy (NCS), published in December 2022.
After introducing the National Protective Security Authority (NPSA), a new MI5-hosted agency tasked with tackling state-sponsored threats to UK businesses, as part of its March 2023 Integrated Review Refresh (IRR), the government now decided to open up on its offensive cyber capabilities.
The National Cyber Force (NCF), a partnership between GCHQ and the Ministry of Defence (MoD) which carries out cyber operations to protect against threats to the UK, shared the principles under which it conducts covert offensive cyber operations in a first-of-its-kind guide published on April 4.
Before outlining some principles ruling how the UK uses its offensive cyber capabilities to respond to cyber and physical threats, the NCF shared some caveats to its own importance.
First, it stated that the agency “would rarely if ever get involved” where other responses are better suited to deal with the challenge effectively.
Also, the NCF acknowledged that cyber operations are unlikely to be decisive on their own and should be integrated into a broader response strategy.
However, the agency also outlined why offensive cyber strikes can be a useful tool:
- It can sometimes provide the only practical means of disrupting an adversary’s ability to exploit the internet and digital technology.
- It can be precisely targeted with specific effect and avoid the challenges of using other, potentially physically destructive, interventions.
- It can create a range of cognitive effects – such as undermining an adversary’s confidence in the data they are receiving or in the ability of their information systems to function effectively – that may be harder to achieve with other approaches.
Although these advantages could sound obvious to some, recognizing this in a government document can be seen as a step forward in the states’ accountability in cyberspace.
In the core section of the guide, the NCF explained its cyber operations follow a set of three principles: they need to be accountable, precise and calibrated.
They are also ruled by the ‘doctrine of cognitive effect,’ which implies that the UK uses its cyber power to limit or affect the information available to an adversary and sap their confidence in their technology and the information it provides.
“Our work can include covert operations against the IT networks or technology used by adversaries and employing techniques to make that technology function less effectively or cease to function altogether,” the NCF noted, for example.
The document was also an opportunity for the UK to insist that the NCF operates in a responsible and ethical way and that its operations are conducted based on a legal framework, with their impact carefully assessed for both escalation and de-escalation.
"In outlining its current thinking, the NCF aims to promote constructive debate and contribute to demonstrating the UK's commitment to being a responsible cyber power. It may also potentially contribute to deterrence,” reads the document.
Sir Jeremy Fleming, GCHQ’s director, said that the guide could pave the way for further cooperation between states, or even a future cyber-coalition of countries. “With the threat growing and the stakes higher than ever before, we hope this document provides a benchmark for the UK’s approach and a basis for like-minded governments to come together internationally to establish a shared vision and values for the responsible use of cyber operations,” he said in a public statement.
Announced in 2018 and formally established as a GCHQ-MoD joint agency in 2020 based on the previous National Offensive Cyber Programme, the NCF now draws together personnel from GCHQ and the MOD, including Defence Science and Technology Laboratory (DSTL) and UK’s Secret Intelligence Service (SIS/MI6) under one unified command.
It’s the first time the UK government has disclosed any details about how the agency works.