Critical Reflections – The National Cyber Force that Britain Needs?

This week, I was part of a new report – “The National Cyber Force that Britain Needs” – that was published detailing how the UK intends to consolidate its offensive cyber operations and capabilities broadly under a new National Cyber Force (the NCF).

This report, co-authored with Joe Devanny, Amy Ertan, and Tim Stevens and published by KCL’s Policy Institute, is the first systemic attempt to situate the NCF (that I at least know of, please let me know if not!). This project emerged due to my role in the creation and co-leading of the UK Offensive Cyber Working Group as well as my growing interest in how offensive cyber is being practiced in the UK and beyond. This is especially so over issues relating to transforming notions of warfare, including that of the as-yet-unsettled US concepts of Persistent Engagement and Defending Forward, and how widely the NCF is intended to tackle ‘hostile’ states, terrorist activities, and serious and organised crime. Indeed, there has been somewhat of a stunted appreciation of the role of offensive cyber as part of the UK’s ‘cyber power’ intentions and the increasingly changing role of military operations that this organisation affords.

As part of this report, I co-wrote a summary piece with Joe Devanny, “What does Britain’s new Cyber Force mean for the future of cyber security?” It was an interesting piece to write for someone who studies cybersecurity from what may be nominally understood as a ‘critical’ approach – in order to offer reflections that help inform and construct, but which may be wary of the militarisation of cyberspace and also its ethicopolitical implications (see report pp. 15, 22). I think the report strikes an important balance of understanding that the UK has already developed an offensive cyber capability and how this should today be attentive to its contextual role as well as its oversight and international objectives and, ultimately, pursuit of ‘peaceful’ relations (one could go on about what this may mean in international and sub-national conflict today, but that’s for another time).

There’s been much discussion about US Cyber Command, albeit much less work on thinking about ‘cyber warriors’, especially outside of the United States. However, there is much work to be done, not only on the role of the ‘cyber warrior’ (if that’s even a term we wish to use!), but also on the transforming dynamics this has on operational practice and its integration into other conventional forces. I find the current lack of ‘critical’ analysis of the NCF and other forms of cyber conflict concerning and worrying. There is much work on understanding cyber conflict from International Relations, most predominantly, but little from other disciplines or perspectives. This urgently needs to change. I am unsure why this is the case thus far – but perhaps there are several components, some of which may include the relative ‘newness’ of these forces (though there is an extensive history in information and electronic warfare), the technical knowledge required to understand some of the developments, as well as the distinction from other conventional forces that ‘critical’ studies typically follow (often, and for good reason, due to their more explicitly violent character).

The hybridisation of the NCF is also something to note with further caution – both for those who are determining the force’s future functions but also for those who wish to critically study the military. In being a force emerging from both (civilian) GCHQ and the military (the MoD) as well as its various targets that cross over from policing to military operations, what does it do to the borders of who controls, when the military begins and ends? In some ways, it is a pragmatic choice for the NCF to do this – there are a very limited number of people with the skills that an offensive force requires. However, in another register, this considerably confuses oversight and also what it means to be ‘critical’ of the NCF and of offensive force more generally. I (and I assume many others) would like to see criminal activity that severely affects the everyday life of some (such as ransomware) to be tackled, as well as for the purposes of child sexual exploitation, which appears to be at least part of the mission focus of the NCF. Yet, I would be exceptionally wary of the targeting of critical national infrastructure of what the UK at some point in the future determines as a hostile state, with the severe implications for its civilians.

Therefore, a question, which has been lingering for me as a scholar, is how to balance these critiques in a way that does not disavow some of the operational remit of the NCF, but is critical of others. It is not simply enough to call for the NCF to be disbanded in its entirety (there are not enough people – at least now – who could do this in another organisation, along with the knowledge necessary). So, I need to get my thinking cap on. I may write this up into something more formal at a later date – but there are lots of things to be researched and studied.

