Why it’s unwise for the U.K. to boast about its cyberattack capability
The recent trend to talk more openly about cyber capabilities and the government’s investment in them raises several questions – not least the relative importance of recruiting lots more staff as compared with focus on recruiting and retaining the best cyber talent. Two other major questions stand out. First, with much of the recent news framed as a response to Russian state activities, how should the U.K. respond to hostile acts perpetrated by the Russian state? And second, what role – if any – should the U.K.’s cyber capabilities play in that response – and how much should the U.K. be talking publicly about them?
The cyberattacks described to the Times were mooted as a further component in the wider U.K. response to the chemical weapons attack on the former Russian intelligence officer (and U.K. spy) Sergei Skripal and his daughter Yulia in Salisbury in March. Theresa May, the British prime minister, has now attributed the attack – which also led to the death of a British woman, Dawn Sturgess – to Russia’s military intelligence service and named two Russian nationals as suspects in the attack. The two men have since claimed in an interview with RT that they were “merely tourists” visiting Salisbury cathedral.
The U.K. had already expelled 23 suspected Russian intelligence officers in March as a direct response to the Salisbury attacks, as well as co-ordinating a reciprocal expulsion of more than 100 other Russian intelligence officers from the territory of U.K. allies.
This post-Skripal period of decision making is a critical juncture in the U.K.’s policy towards Russia, raising deeper questions about the U.K.’s wider policy approach to Russia over 20 years or more.
Putting Russia ‘on notice’
The various options for a cyber response mentioned in the Times article were at the restrained and proportionate end of the offensive cyber operations spectrum. One suggestion was to attack computer networks to degrade the operational capacity of Russian military intelligence – rather than, for example, attacking computer networks to threaten essential public services in Russia and risk casualties.
By adding cyberattacks to its wider package of measures in response to the Skripal attack, the U.K. is trying to achieve an overall response that does its best to change Russian state behavior without miscalculating and provoking a worse response in future.
The Skripal attack was brutal and reckless, but it doesn’t change the deeper truth that neither U.K. nor Russian interests are served by unlimited, escalating conflict. Both sides need to think carefully about the total size and shape of their respective activities, including cyber operations – but they also need to think about their communication strategies.
The decision made by the anonymous Whitehall sources quoted in the Times is an apparent public avowal of the U.K.’s intention to commit covert activities. It puts Russian intelligence “on notice” that the U.K. intends to unleash a range of irritant attacks to reduce Russia’s capability.
This could have unintended consequences. Now we think we know that the U.K. might conduct some cyber attacks against Russian targets, this could potentially increase the temptation for the Kremlin to shift blame if and when something happens in Russia (a major infrastructure accident perhaps?) that could semi-plausibly be blamed on the U.K.
This isn’t merely a question of creating pretext for Russian blame-shifting. It adds to an atmosphere of suspicion in which the general public might become more susceptible to Russian claims: “The U.K. said it would do this, so why not that?”
Rethink the communication strategy
Although the U.K. has begun to communicate publicly about its cyber capabilities, there is still much we don’t know about them. In this knowledge vacuum there is a risk of misunderstanding. Questions also remain over what kinds of cyber operations would be considered legitimate and how these capabilities should be subject to independent oversight.
Ministers should ensure that there has been appropriate discussion within government, most likely within the National Security Council system, about whether public statements (and anonymous leaks) actually serve U.K. interests. Or whether, instead, statements of intent about cyber operations undermine the U.K.’s security by making Russian retaliation more likely – because the public nature of the U.K. threat compels a strong and public Russian response. This could either prolong tensions or, worse, create a spiral of escalation.
The existing evidence regarding the Skripal attack indicates that the Russian state’s judgement about what constitutes a permissible use of force is significantly out of alignment with the U.K.’s. Given this – and the notionally shared interest in preventing tensions from escalating further – it doesn’t appear wise for the U.K. government to press forward with its increasingly public references to what cyber capabilities the U.K. is likely to use against Russian targets. Tough talking might go down well with a British newspaper readership, but those same comments might be interpreted differently by the Russian government.
There are risks involved in publicly signaling the imminence of cyber and other attacks, especially against capable adversaries with a demonstrable appetite for taking risks and a cavalier attitude about collateral damage. The U.K. needs to think more carefully about how it integrates cyber operations, and communication about them, into its wider approach – not only towards Russia but across the whole spectrum of national security operations.
Joe Devanny is Lecturer in National Security Studies and Deputy Director of the Centre for Defense Studies, King’s College London. This article is published courtesy of The Conversation.