UK developing cyber weapons: Do we have a doctrine?

Last week, armed forces minister Nick Harvey published an article suggesting the UK is developing offensive cyber war capabilities.

Commenting on the Ministry of Defence’s new Defence Cyber Operations Group, Harvey wrote:

“Cyber will be part of a continuum of tools with which to achieve military effect, both defensive and otherwise, and will be an integral part of our armoury.”

This mirrored a speech at Chatham House last November, where he announced increased government spending on cyber defence (£650 million over four years) and advocated the integration of cyber capability with the UK’s conventional forces.

Whilst acknowledging the asymmetrical benefits of this new domain for non-state actors, he argued:

“…cyber is also a powerful tool in the hands of those traditionally able to engage in conflict – states themselves… The integration of cyber and physical attack would seem to be the most likely use of cyber in the military sphere.

“We must therefore win the battle in cyber space, as well as the battle on the ground.”

The UK is taking the lead from states like Russia, China the US, who already have well-funded cyber warfare units. The Stuxnet attacks on Iran’s nuclear programme, DDoS bombardments of Georgian networks during the 2008 war and the theft of terabytes of information relating to the design of the F-35 fighter jet show cyber attacks are happening and impact on kinetic or ‘real’ war.

The Wall Street Journal has reported that Chinese and Russian spies have left logic bombs (i.e. code that will set off a malicious function- often to delete data- when specified conditions are met) in software used by the US power grid. If true, this can help us think about how devastating a large-scale cyber conflict could be - although it is unlikely a foreign power could crash the US power grid (which is actually many different grids, connected).

However, the destruction or alteration of financial data using similar techniques could fundamentally undermine global banking, which necessitates reliable data storage. Similarly, an attack on the Domain Name System (which ‘translates’ IP addresses into user-friendly website addresses), could significantly hamper economic activity and commercial distribution.

Despite the peculiar destructiveness of cyber attacks, Nick Harvey believes that current international humanitarian law (IHL) is sophisticated enough to manage this kind of state-on-state conflict.

He wrote:

“…cyber space should be considered within a rules based system just like the physical world. Existing international frameworks can be applied to cyber space too - we don’t necessarily need to invent new laws.

“Top of the list of the UK principles on activity in cyber space is the need for governments to act proportionately and in accordance with national and international law.”

He went on to note that work is being done multilaterally to develop norms of behaviour for states.

This is sensible, as day-to-day online espionage could be mistaken for hostile preparation of the battlefield. An informal taboo on attacking bank data appears to be in place already: US officials claim that successive administrations have chosen not to hack banks and steal funds from terrorists and dictators, including Saddam Hussein.

However, the UK government are not explicit about what is acceptable in cyber space and, as of yet, have no declaratory posture.

A declaratory posture (i.e. a document explaining when we would use offensive cyber capabilities and when we would respond to cyber attacks with conventional force) would make plain the diplomatic seriousness of damaging civilian and military computer networks. An attempt by government to map out protected sites, as the EastWest Institute have done, would be a useful first step.

Wider strategic and doctrinal questions remain unanswered. Difficulty attributing cyber attacks makes this form of conflict unlike conventional and nuclear war: traditional ideas of deterrence may not apply. Furthermore, uncertainty about the enemy’s capabilities creates instability during a crisis.

The internet is still fundamentally vulnerable; its creators were not security-minded. This is why some writers on cyber war, including former US National Security Council advisor Richard A. Clarke, advocate a defensive rather than offensive strategy.

Nonetheless, the UK government are taking concrete steps to stop the daily incursions into government networks. Whilst Harvey is doctrinally vague, he is right to start the debate.