Cyber operations

Why it’s unwise for the U.K. to boast about its cyberattack capability

By Joe Devanny

Published 24 September 2018

The U.K. government is very publicly investing more money in its ability to conduct cyberattacks and, at the same time, it is becoming increasingly open in talking about the attacks it has conducted in the past – and those it might conduct in future. There are risks involved in publicly signaling the imminence of cyber and other attacks, especially against capable adversaries with a demonstrable appetite for taking risks and a cavalier attitude about collateral damage. The U.K. needs to think more carefully about how it integrates cyber operations, and communication about them, into its wider approach – not only towards Russia but across the whole spectrum of national security operations.

This approach of increasingly public, assertive references to cyber capabilities is mirrored in the U.S., where national security adviser John Bolton recently announced a shift towards a more assertive approach to conducting cyberattacks.

Sky News reported further details in late September about past U.K. cyberattacks, as well as “new” investment of £250 million in the U.K.’s offensive cyber program, involving a four-fold increase in the number of U.K. cyber operators.

This story followed another recent report in the Times that cited an anonymous official as claiming that the U.K. government will conduct a series of cyberattacks against Russian military intelligence targets. These reports highlight a surprising willingness from U.K. officials to brief the press about past and possible future uses of offensive cyber operations, ranging from hypothetical operations against Russia to confirmed operations against the Islamic State.

Underlying this is a significant increase in the U.K.’s offensive cyber capabilities. Years before the recent announcement of a new cyber force, in 2014 the U.K. announced the creation of its national offensive cyber program – a partnership between the Ministry of Defense and GCHQ. In recent years, this program has accelerated its development of new capabilities to conduct cyberattacks, according to a December 2017 parliamentary oversight report.