Future ready: individuals undergo cyber training at the Defence Cyber School in Shrivenham. Image: Defence Imagery / OGL v3.0
Six experts react to the National Cyber Force’s new document, which outlines the UK’s approach to cyber operations.
On 4 April, the UK government released a new document on the National Cyber Force (NCF). ‘Responsible Cyber Power in Practice’ sets out for the first time the operating principles and thought process behind UK cyber operations.
Created in 2020 from elements of Government Communications Headquarters (GCHQ) – the UK’s signals intelligence and security agency – the Ministry of Defence and the Secret Intelligence Service, the NCF is ‘responsible for operating in and through cyberspace to counter threats, disrupting and contesting those who would do harm to the UK and its allies, to keep the country safe and to protect and promote the UK’s interests at home and abroad’.
The document is a significant step forward in advancing transparency and engagement on national approaches to cyber operations. ‘Responsible Cyber Power in Practice’ outlines the principles that guide the UK’s approach to ‘responsible’ cyber operations, the NCF’s emphasis on shaping adversaries’ behaviour through ‘cognitive effects’, and the legal and ethical frameworks that guide its activities.
To explore the document further, RUSI Cyber Research brought together six experts to offer their perspectives on key themes related to the UK’s approach to cyber operations.
The Shift Away from Deterrence
The National Cyber Strategy 2022 was frank about the UK’s ability to deter cyber attacks, stating that its existing cyber deterrence approach ‘does not yet seem to have fundamentally altered the risk calculus for attackers’. ‘Responsible Cyber Power in Practice’, too, recognises that there is sparse evidence for the efficacy of offensive cyber operations in strategic deterrence. Most observers agree that cyber deterrence-by-punishment is rarely successful: cyber operations are poor at coercion and cyberspace rewards impunity. Although the NCF rejects cyber deterrence-by-punishment – based on tired nuclear and conventional analogies – deterrence-by-denial is implicit in its posture. The same is true in the US, which has jettisoned coercive deterrence as a failed paradigm for strategic cyberspace behaviour. Proactive competition with adversaries in cyberspace is, at some level, an attempt to deny them operational freedom and therefore their capacity to act, via both ‘persistent engagement’ (US) and an ambition to ‘counter and contest’ (UK). Allied to effective cyber defence and a renewed national focus on cyber resilience and risk management, the NCF’s nuanced approach to denial and the shaping of adversarial decision-making supports integrated cross-domain deterrence. The threat of punishment through cyber means is relegated from strategic deterrence: it doesn’t work and NCF energies are better directed elsewhere.
The Historical Roots of the ‘Doctrine of Cognitive Effects’
The ‘doctrine of cognitive effect’ sounds modern, dynamic and transformative, but it feels familiar to historians as the latest manifestation of the UK’s long-standing approach to covert operations. The NCF report tells us that the UK disrupts carefully selected targets; covertly exposes information to audiences so as to discredit and undermine; and seeks to induce ambiguity in adversaries’ thinking and weaken their ability to plan and conduct hostile operations. At the start of the Cold War, Prime Minister Clement Attlee talked of targeting adversaries with carefully selected ‘pinprick’ operations. Harold Macmillan recommended covertly disrupting targets at source. An entire programme in the 1960s was devoted to covertly exposing information to disrupt audiences, sow confusion, exploit schisms and induce paranoia. Clearly, cyberspace transforms platforms of delivery, as well as the potential scope and scale of operations; however, many of the fundamental principles seem remarkably similar to what has come before. The lessons of history should not be forgotten. To its credit, the document does seem to heed wider understandings of covert operations, not least in being realistic about what the NCF can – and cannot – achieve and difficulties in measuring impact.
Similarities and Differences Between the UK and US Approaches to Cyber Operations
Erica D Lonergan
‘Responsible Cyber Power in Practice’ shares important similarities with US cyber strategy. For instance, both countries articulate a role for offensive cyber operations in national defence, deterrence and warfighting – while at the same time noting that cyber capabilities are often most effective when they are integrated within a broader suite of tools, both military and non-military. Both envision applying cyber capabilities to more proactively frustrate and disrupt adversaries’ attempts to leverage cyberspace to achieve their national objectives.
However, the NCF document goes a step further than current US strategy documents in more clearly articulating a value proposition for cyber operations, while also being cognisant of some of the real limitations of offensive cyber power. For example, the document enumerates the ‘particular advantages’ that cyber operations can offer – such as delivering precise, calibrated effects against specific targets without causing physical destruction. Nevertheless, it also acknowledges the trade-offs and challenges of offensive cyber operations, such as the time required to ‘develop bespoke capabilities from scratch’, or the difficulties of ‘measur[ing] the actual impact of [a cyber operation] on the adversary’s ability to achieve its objectives’. This nuanced discussion punctures the persistent myth that cyber capabilities represent a revolutionary and decisive form of warfare. Moreover, in referring to both escalation and de-escalation, the NCF opens the door to evaluating how non-kinetic capabilities can be tools of escalation management and potentially even de-escalation, rather than construing them as dangerous, escalatory capabilities.
At the same time, an important implication of the challenges of offensive cyber operations is that the NCF’s new ‘doctrine of cognitive effects’ rests on untested and underspecified assumptions about a link between ambiguous, fragile cyber capabilities and the ability to effectively shape adversary perception and behaviour in a desired direction. Moreover, the document does not address other important trade-offs that pertain to a ‘doctrine of cognitive effects’, such as maintaining deniability versus the ability to effectively signal to adversaries to influence their perception. Further engaging with these issues will be imperative for effective operationalisation of the concepts set out in the document as the NCF continues to mature.
The Challenges of Domestic Accountability and Legitimacy for the NCF
Even with the publication of this document, an ongoing challenge for the NCF is demonstrating accountability and legitimacy around its ‘licence to operate’, and how far officials can go in telling us what it does. One issue, as always, is how much the UK public knows or cares about ‘cyber power’ and the UK’s national security machinery. More engagement is a start, yet there are limits. The elephant in the room is the oversight and authorisation of NCF activity as it operates against foreign state and non-state threats. Parliament’s Intelligence and Security Committee provides oversight, but the committee has been quiet on the issue, and it’s another thing on the to-do list for committee members. Another aspect is how ministerial – or executive – oversight works. The NCF is a joint endeavour, combining elements from the Ministry of Defence and the UK intelligence community. Joint accountability falls to the foreign secretary and the defence secretary, yet what happens – if history is a guide – when the defence portfolio clashes with the foreign secretary’s day job?
The International Legal Framework of the NCF’s Cyber Operations
The NCF commits itself to ‘strict adherence to robust legal and ethical frameworks’, including relevant international law. What exactly constitutes such a ‘robust framework’ of international law applicable to cyberspace is, however, far from clear. In the past, the UK has advanced a controversial interpretation of how sovereignty applies to cyberspace which leaves more room for the UK to conduct cyber operations that – in its interpretation – do not violate other states’ sovereignty and, as a result, do not violate international law either. Many other states, however, do not agree with this interpretation and argue that more cyber operations violate international law than is the case under the UK approach. While the NCF document does not go into any further detail on how exactly the relevant operations relate to previous UK statements on international law in cyberspace, the new insights on NCF practice certainly hint at how these legal debates can play out in practice. If the document provokes similar statements from other states, as previous UK statements have, a comparison with states advancing stricter definitions of international law in cyberspace would put the UK’s approach to offensive cyber operations into context. The NCF’s commitment to international law is thus important but requires more context and detail from the UK government to understand how far international law actually provides a ‘robust framework’ for the NCF’s cyber operations.
What the NCF Could Do Next to Advance Transparency About Cyber Operations
The NCF has set a good example for other states to follow in transparency about cyber operations. Its recent document is accessible and nuanced and advances the public conversation about the principles underpinning a responsible approach to cyber operations. But what happens next? Transparency isn’t a one-off but an ongoing process, even if we’re unlikely to see regular updates from the NCF. To some extent, the next steps for cyber transparency will depend on the document’s reception both domestically and overseas. Over time, the process of transparency might require a recalibration of the balance between avoiding saying too much (because of the necessary constraints of operational security) and saying too little (which risks a failure to achieve successful communication outcomes). One possible area for more specificity in the future might be to provide further details about how the NCF’s principles are put into practice. Another would be to follow the National Crime Agency (NCA)’s recent example and celebrate some specific operational successes, like the NCA’s operations against cybercrime websites. Using more specific examples would help to further illustrate the effectiveness of the NCF’s principled approach to responsible cyber power.
The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.