The unfolding Ukraine crisis has focused attention on the role of cyber operations in defensive and offensive military-intelligence strategy. Russia’s cyber aggression against Ukrainian government and civilian targets was expected and is consistent with its long-standing information war strategy and conduct across its “near abroad.” What is less certain is how Western powers should respond with their own cyber capabilities, including the role of middle powers in crisis management and joint military endeavours.
President Joe Biden is alleged to have been presented with options for “massive cyber attacks” to disrupt and degrade Russian military capacity, a claim denied by the White House. The United States entering the fray in this fashion would doubtless be seen as escalatory, even as the intended efficacy of such attacks is far from certain. Where the United States goes, even at a lower level of intensity and effect, its cyber-capable allies will likely follow, through a combination of political choice and, in the case of NATO, institutional design. What does this mean for a country like the UK?
The UK’s wide-ranging March 2021 Integrated Review of Security, Defence, Development and Foreign Policy articulated its intention to be a “responsible, democratic cyber power.” As is common with high-level policy pronouncements, the precise sense of this phrase is open to discussion and attempts to backfill it with meaning. Consistent with international law and norms, however, the UK asserts its right to use offensive cyber capabilities for deterrence and in military operations, as may be required in defence of Ukraine.
The principal vehicle for such operations is the National Cyber Force (NCF), which emerged in 2018 from a reorganisation of the existing National Offensive Cyber Programme. The December 2021 National Cyber Strategy set out the NCF’s mission set, from countering crime and terrorism and bolstering national cybersecurity, to supporting UK defence and foreign policy.
Like most offensive cyber actors, the UK will not comment on ongoing operations, to protect its sources and methods. Some retrospective avowal is permitted, though, including a 2018 overview of “a major offensive cyber campaign against Daesh” in Iraq and Syria.
With reference to the NCF, Defence Secretary Ben Wallace indicated the UK’s willingness to defend its interests should Russia turn its cyber units on British assets. The National Cyber Security Centre, part of GCHQ, has warned UK public and private sectors to be on their guard against Russian intrusions. Of particular concern are critical national infrastructures that might be targeted should Russia escalate by drawing in countries like the UK.
The UK’s technical ability to conduct offensive cyber operations is not in question. Proxy indicators suggest the UK is one of the most capable “cyber powers” around, as shown in recent studies by Harvard University’s Belfer Center and the International Institute for Strategic Studies. The issue for a middle power like the UK is less one of capability than of politics and strategy.
The two immediate possibilities for UK deployment of offensive cyber are, one, as part of an informal coalition of countries supporting Ukraine and, two, under NATO auspices as a combatant state.
In the first register, the UK is already supporting Ukraine to defend against Russian cyber-attacks. It also plays an important role in public attribution of Russian cyber operations, spelling out to global audiences the aggressions against Ukrainian infrastructure and population. The National Cyber Strategy also suggests that UK offensive cyber capabilities could serve humanitarian objectives, possibly by degrading military forces threatening civilians.
Current British involvement is not offensive cyber and should not be read as such: it is the support one offers a security partner under severe stress. However, if the United States decides to enter the digital battlespace in offensive fashion, the UK will certainly do so too, with or without an international legal mandate.
The second scenario is more speculative and would occur against the backdrop of dangerous escalation. If Russia were to launch disruptive—or worse—cyber operations against NATO countries, this would force NATO to consider its treaty obligations to collective security.
Cyber attacks could be launched against allies like Poland that border Ukraine and upon which Putin has strategic designs, or against others like the UK, with which Russia has decidedly tetchy relations. The problem for NATO is whether and how to respond, a difficult calculation as NATO’s risk appetite is significantly lower than that of its adversary. NATO allies, notably Germany, also differ in their constitutional ability to engage in offensive cyber operations.
The UK and NATO allies have thus far resisted direct involvement in digital conflict with Russia. Precisely what a middle power like the UK would do and how effective its future contribution might be are up for debate. Offensive cyber operations against Russia would almost certainly attract a robust response. How prepared are British citizens to endure Russian reprisals, particularly if they perceive the UK following the United States into another messy war?
Ukraine may fall before then, which would render some considerations moot, but how might the West follow up with cyber operations against Russia should that situation arise? A protracted cyber conflict could beckon, although this would almost certainly be just one part of a wider suite of international responses.
Tim Stevens is Senior Lecturer in Global Security at the Department of War Studies, King’s College London, and director of the KCL Cyber Security Research Group.