The UK National Cyber Strategy 2022 set an ambition for the country to be a leading “responsible and democratic cyber power,” contrasting its approach with that of adversaries implicated in causing indiscriminate harm in cyberspace. Therefore, the notion of responsible cyber power begins with clarifying what it is not: conducting or sponsoring incidents that caused widespread impacts, such as the SolarWinds, WannaCry and NotPetya attacks. This is an important starting point, but policymakers and practitioners need to understand the substance of what it means to exercise cyber power responsibly.
In this regard, the April 2023 publication of Responsible Cyber Power in Practice by the UK National Cyber Force (NCF) is an important step forward. The NCF is responsible for offensive cyber operations, and so its activities represent one of the most important tests of how national cyber power is exercised.
The Path to Responsible Cyber Power
The NCF begins by recognizing that greater transparency and public understanding are significant components of a responsible approach. The report offers unprecedented public insight into UK cyber operations, which have been conducted for many years but were previously considered too sensitive for public comment. Operations will continue to be covert, but the UK clearly believes that a responsible approach to cyber power involves greater engagement with the public – what the NCF report calls a “licence to operate.”
The report’s publication was accompanied by a detailed interview with the Commander of the NCF, who was publicly avowed for the first time. Cyber operations rely heavily on stealth and surprise, so this emergence into the public realm is a significant step that will require deft management to achieve greater public understanding while protecting operational effectiveness.
The report describes a doctrine of “cognitive effects” that underpins operations. The doctrine has important implications for the responsible use of cyber power since it describes what NCF operations aim to achieve and, importantly, describes the effects in terms of influencing the behavior of adversaries. Examples of cognitive effect include undermining confidence in data or systems or removing the target’s ability to communicate effectively. The important distinction is that the NCF does not determine its operational aims in the traditional cybersecurity terms of the confidentiality, integrity or availability of technology or data, but rather focuses on the effect of cyber operations on users.
The doctrine is applied according to three principles of accountability, precision and calibration, which significantly contribute to clarifying the distinction between responsible and irresponsible cyber operations. Accountability involves external scrutiny and oversight of NCF operations, providing important mechanisms for cyber operations to be an accessible and trusted instrument of government policy.
Precision and calibration are also crucial for cyber operations to be trusted by operational commanders and political decision-makers to achieve the effects intended and only those effects. Cyberspace is an interconnected, complex, dynamic environment in which an operation against one target might easily cause unintended consequences that spiral out of control. The goals of precision and calibration, therefore, create substantial requirements for planning, reconnaissance and capability development, and the NCF report sheds light on the operational demands of the requirement to act responsibly.
Collaboration for Global Consensus
Cyber power is an emerging concept, and the understanding of the effects of cyber operations is at a relatively early stage of development compared to other instruments of foreign and defense policy. It is significant, therefore, that both the National Cyber Strategy and the NCF report recognize the importance of collaboration across the public, private and academic sectors to harness the expertise and resources necessary to develop the concept of responsible cyber power into an operational and political reality. International partnerships, such as through cyber capacity-building programs, will also be vital to building the global consensus on what constitutes responsible use of national capabilities in cyberspace.
Much work remains to be done to embed the notion of responsible cyber power, but through its detailed strategy and public discussion of cyber operations, the UK is making important contributions to clarifying how high-level principles can translate to operational behaviors.
The challenge is to demonstrate that the extra demands of responsible cyber operations create greater benefits, and fewer risks, compared to the indiscriminate and uncontrolled use of cyber operations that have dominated the early years of cyber power.