THE HEAD of America’s Cyber Command, Paul Nakasone, is a four-star general whose chest is plastered in medals. The commander of Britain’s National Cyber Force (NCF) is a bespectacled, middle-aged man in a beige blazer—a 20-year veteran of GCHQ, Britain’s signals-intelligence service, whose name the government has asked to keep secret. Unassuming as he may be, his agency, responsible for offensive cyber operations, now stands at the centre of a sweeping overhaul of British defence capabilities.
On November 19th Boris Johnson, Britain’s prime minister, announced the biggest programme of investment in defence since the Thatcher era. The cash, an extra £6.5 billion ($8.7bn) during this Parliament over previous manifesto plans, reverses a decade of military cuts—“the era of retreat”, as Mr Johnson put it—and cements Britain’s position as the second-largest military spender in NATO, behind America, and the largest in Europe, with a budget of £46.5bn ($61.8bn) this year. It includes a tilt to the seas and skies, with more spending on ships, a commitment to send an aircraft-carrier to Asia next year and a Space Command that will watch for threats to satellites.
The central theme, though, is technology. Britain will establish a new agency for artificial intelligence (AI). It will invest more in drones and lasers. And it will beef up cyber capabilities. That explains Mr Johnson’s decision to avow the existence of the NCF, which has been quietly hacking away since the spring. The force brings under unified command for the first time personnel from GCHQ in Cheltenham, the Ministry of Defence and MI6, Britain’s foreign intelligence agency, both in London, and the Defence Science and Technology Laboratory (DSTL) in Porton Down. The force is thought to number in the hundreds, with the aim of growing to 3,000 staff over the next decade.
The purpose of the NCF is not to collect intelligence—GCHQ has done that since its inception—but to make things happen. That could include shutting down the communications of a terrorist group or disabling enemy air defences, but also something as prosaic as sending a message to dissuade someone from acting. America’s own Cyber Command, for instance, sent pop-up, email and text messages to warn Russian operatives against interfering in the 2018 midterm elections. The NCF employs behavioural scientists and draws on MI6’s own expertise in human psychology to hone such messaging.
Such cyber-operations have tended to be discreet affairs. America is increasingly gung-ho about its own activity, embracing a doctrine of “Defend Forward” (ie, inside adversaries’ networks). In contrast, Russia and China flatly—and implausibly—deny involvement in this sort of thing. Most countries say nothing at all. Britain broke its own silence in 2013, when Philip Hammond, the defence secretary at the time, said that Britain was building a cyber “strike” capability. In 2017 Michael Fallon, his successor, said that British forces were “routinely” using offensive cyber against the Islamic State terrorist group, with “a major effect”. Jeremy Fleming, the head of GCHQ, noted that such attacks had been under way since the war in Afghanistan.
Acknowledging these offensive cyber campaigns was a cheap way of demonstrating counter-terrorism prowess during a wave of jihadist attacks in Europe. Yet these campaigns served a secondary purpose, too. They were low-key shows of force obliquely directed at rivals, like Russia, who were using cyber means to destabilise Western democracies, most notoriously during America’s election in 2016. British officials are wary of discussing operations against Russia and other states. They prefer to keep adversaries guessing. But in October, Sir Mark Sedwill, freshly retired as cabinet secretary and national security adviser, said that Britain had taken “discreet” and “covert” measures in response to Russia’s attempted assassination of Sergei Skripal, a former Russian spy, in England.
“The fact you don’t see that we use it doesn’t mean we don’t,” noted Sir Mark, cryptically. Therein lies some of the appeal. “Policymakers love offensive cyber, for the same reason that they love special forces and intelligence operations,” says a former senior British official, who worked closely with two prime ministers. “They are largely covert, can be deployed flexibly and don’t have to be disclosed to or debated in Parliament or the press.”
Cyber operations are particularly attractive in cases where sending in troops or dropping bombs would either carry the risk of serious escalation, such as when America and Israel subverted Iran’s nuclear programme in 2010, or would be wildly inappropriate, such as disrupting online child sexual exploitation or fraud—both areas where the NCF is active. That a mixture of soldiers and civilians should handle everything from criminality to warfare is unusual. The NCF “has no equivalent anywhere else in the world”, notes Marcus Willett, GCHQ’s former deputy head, approvingly.
Most of its missions are likely to be at the lower end of the spectrum. Conrad Prince, formerly head of operations at GCHQ, warns against dramatising these. “In practice it’s mostly about disrupting our adversaries’ ability to communicate and operate on-line”, he says. “It’s as much about countering terrorists and serious criminals as it is military operations.” Even so, cyber power is useful for carving out a specialised niche among allies. GCHQ says that Britain was the first country to offer its cyber capabilities to NATO and that the NCF is an “increasingly important contribution to that alliance”. Allowing military operators to cut their teeth on low-end threats has another advantage, says Mr Willett: they can “learn to ‘skirmish’ on real cyber operations, rather than just training on a test range”.
Yet if the NCF has laid its foundation stones, its intellectual scaffolding is a work in progress. Though the language of “cyber-war” is in vogue, offensive cyber operations tend to fuse disparate elements of espionage, subversion, law-enforcement and warfare into something that is neither spying nor war. Easy analogies with other domains, such as nuclear warfare, fall short. “Do you need to turn out the lights in Ekaterinburg [with a cyber-attack] to show that you can, as happened in Hiroshima and Nagasaki?” asks the former British official. “Is deterrence limited to preventing Russian offensive cyber […] or can it be used to deter other, non-cyber threats, too?”
In a speech on November 10th, Ciaran Martin, who retired in August as head of the National Cyber Security Centre, GCHQ’s defensive arm, warned that “in all my operational experience, I saw absolutely nothing to suggest that the existence of Western cyber capabilities, or our willingness to use them, deters attackers.” A former British spy chief agrees. “The reality is that non-military uses of offensive cyber are massively over-played.” Outside wartime, he says, such operations “will always be niche and ephemeral, though occasionally useful for sending messages”.
Mr Martin expresses another concern: that Western cyber armouries might be raided, with baleful consequences for civilian digital infrastructure. “No one is likely going to be able to steal a nuclear weapon. No one will accidentally lose or leak a ballistic missile…None of these statements hold true for cyber capabilities.” One example of that came in 2017, when a North Korean ransomware attack re-used a hacking tool that had leaked from America’s National Security Agency. “Once the weapon is out there it can be studied, reverse-engineered, and used again,” says Mr Martin.
GCHQ says that its operations are “responsible, targeted and proportionate, unlike those of some of our adversaries”. Mr Johnson has confirmed that the NCF will be scrutinised by parliament’s Intelligence and Security Committee, which is chaired by an independent-minded MP rather than a loyalist whom he had hoped to install. Even so, Mr Martin urges caution. “We weaponise the internet at our peril. We militarise the internet at our peril,” he says. “In the cyber domain, the best form of defence is defence.”