The U.K. recently took the international and cybersecurity communities by surprise when it admitted to developing offensive cyberwar capabilities. The Ministry of Defence and Joint Forces Command announced that it was currently recruiting and training hundreds of experts as reservists who will serve alongside traditional military personnel in the country’s army, navy and air force.
Details of the U.K.’s offensive cyberwar projects
Writing for The Daily Mail, Simon Walters explained that the British government will spend more than $800 million to create the Joint Cyber Reserve Unit, which Defence Secretary Philip Hammond referred to as a “laptop army” of expert hackers. This official regiment will be tasked with defending the U.K. from malicious cyberattacks and executing surgical strikes against enemy infrastructure as appropriate.
The U.K. government website stated that recruitment began in October 2013 and it is targeted at civilians as well as current and former military. To increase reach, normal physical fitness requirements have been waved, indicating a level of urgency typically associated only with personnel shortages and emergencies.
Under ideal circumstances, Britain’s new initiative would permit it to disable suspicious nuclear facilities, interfere with threatening aircraft and land vehicles and the communications infrastructure supporting rogue actors and states. Along the way, the demonstrable efficacy of its efforts would discourage, rather than contribute to, reckless behavior on the international stage, while possibly reducing casualties, since wars would become the province of isolated computer technicians rather than soldiers armed with weapons.
“You deter people by having an offensive capability,” Hammond told The Daily Mail. “We will build in Britain a cyberstrike capability so we can strike back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity. Our commanders can use cyber weapons alongside conventional weapons in future conflicts.”
Britain’s declaration in the context of state-sponsored cyberattacks
Hammond’s justification of offensive cyberwar, as a necessary deterrence mechanism that strictly defensive measures cannot provide, is troubling, both because of its content and because of how it was announced. Britain’s unilateral declaration is anathema to the technical conversations and cross-sector collaboration essential to resolving cybersecurity issues on the global stage.
Nations have been understandably coy in regard to cyberwar capabilities, not just for purposes of secrecy but also for the sake of stable international relations. Any issue broad enough to involve both the cybersecurity community and world governments deserves mulitlateral mediation, with security professionals taking the initiative to inform politicians and the public of the technical dangers that preemptive cyberstrikes pose to the world.
Britain’s declaration makes it the first nation to officially cross the bridge from defensive to offensive cyberwar. To be sure, several recent high-profile incidents, including the state-sponsored Stuxnet worm that besieged Iranian nuclear facilities in 2010, technically qualify as strike-first attacks.
However, as Financial Times editor James Blitz points out, the alleged culprits in the Israeli and U.S. governments took pains to deny responsibility, perhaps fearing that the implication of a link between national institutions and the initiation of cyberwarfare could trigger an arms race in cyberspace. The vast resources that governments could channel into malware prevention and cybersafety education may ultimately be wasted in a frenzied build-up of cyberwar competencies.
Offensive cyberwar rationalized as response to serious threat environment
According to Hammond, Britain’s new cyberwar unit enters the stage against the backdrop of an untenable threat environment, justifying the high monetary and reputational costs to the government.
“In response to the growing cyberthreat, we are developing a full-spectrum military cyber capability, including a strike capability” Hammond explained. “Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”
Britain’s current military budget, which the BBC estimated at $39 billion, is one of the world’s largest and a possible asset in keeping millions of people safe from cybercrime. However, the move toward offensive capability puts that potential at risk, while also exposing millions of citizens to problems that could have been resolved by governments working closely with cybersecurity experts.
Recent incidents like the NSA surveillance controversy in the U.S. provide a cautionary tale in this context. Even seemingly well-intentioned cyberspace initiatives, designed to enhance national security, can land governments in hot water if the public or targeted parties perceive that measures have overstepped boundaries of privacy and sovereignty. If anything, tangibly damaging cyberwar carries an even greater possibility than mere surveillance of causing such violations.
U.K. declaration could make all nations less safe in cyberspace
The ultimate impact of Britain’s declaration of cyberwar capabilities could be minimal, if other nations restrain the urge to imitate it. On the other hand, the country’s new stance could bring secretive de facto cyberwar efforts – such as Stuxnet and surveillance programs conducted by totalitarian regimes – back into the public conversation and reveal how far apart the world’s major powers are in regard to cybersecurity.
However, this change could be damaging in its own way. Rather than publicly declare capabilities or even war upon each other, nations may instead go on building up capabilities in secret, developing deadly strike strategies that could be revealed for the first time when used in a live operation. From this angle, Britain’s declaration could be viewed as an attempt at transparency, albeit one that is likely to be misinterpreted.
“Why make plans for a cyberstrike force public now?” said Thomas Rid at King’s College London, according to The Financial Times. “Such aggressive statements can be counterproductive. Other actors will want to react in kind, making everybody less secure.”
Is the Ministry of Defence bluffing?
Despite the aggressiveness of the Ministry of Defence’s language, it is possible that this offensive cyberwar controversy is in reality a political stunt. Quartz’s Leo Mirani noted that Hammond delivered his key remarks at the annual conference of Britain’s ruling Conservative party, and that his hawkish proposals may be a plea that the country’s ongoing budget cuts not damage the military.
Whether substantive or mere political theater, Hammond’s words should rekindle the debate about the viability of cyberwar. There is plenty at stake for governments and cybersecurity professionals, and they should take this opportunity to think about the impact that offensive cyberstrikes could have upon everyone.