The UK has become the first country to publicly commit to the aggressive use of cyber attacks to protect national security.
Over the weekend, the Ministry of Defence announced that it is developing a “full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capabilities”.
“For years, we have been building a defensive capability to protect ourselves against … cyber attacks,” defence secretary Philip Hammond said in an interview with the Daily Mail. “That is no longer enough.”
“We will build in Britain a cyber strike capability so we can strike back in cyber space against enemies who attack us, putting cyber alongside land, sea, air and space as a mainstream military activity,” he said. “Our commanders can use cyber weapons alongside conventional weapons in future conflicts.”
The strike capability could be used to “disable enemy communications, nuclear and chemical weapons, planes, ships and other hardware,” Hammond said.
Information Age asked the Ministry of Defence what the legal grounds for launching a cyber attack would be.
“In a military context, any such operations are strictly governed under the well-established Law of Armed Conflict (LOAC) and more broadly by domestic and international law,” an MoD spokesperson said. “Well understood concepts such as proportionality of action apply to cyberspace as much as they do to actions in the air, land or maritime domains.
“More broadly, the targeted use of disruption techniques and lawful interception are crucial for national security, law enforcement and public protection.
“The government’s duty is to protect the public, but the safety we currently take for granted is being undermined by fast moving technology, especially the Internet.”
Last year, a report by the House of Commons’ Joint Intelligence and Security recommended that the UK develop an offensive cyber capability. “While attacks in cyberspace represent a significant threat to the UK… there are also significant opportunities for our intelligence and security agencies and military which should be exploited in the interests of national security,” it said.
The report identified five ways in which information technology could be used aggressively in the interests of national security. They are:
- Active defence: Interfering with the systems of those trying to hack into UK networks.
- Exploitation: Accessing the data or networks of targets to obtain intelligence or to cause an effect without being detected.
- Disruption: Accessing the networks or systems of others to hamper their activities or capabilities without detection (or at least without attribution).
- Information operations: Using cyber techniques and capabilities in order to deliver information operations.
- Military effects: The destruction of data, networks or systems in support of armed conflict.
However, a subsequent investigation by the Defence Select Committee heard that develop “cyber weapons” – i.e. aggressive cyber security tools – may prove to be extremely expensive, due to the complexity of the technology and the pace of innovation.
“If you really want to knock out the enemy’s air defence system [for example], you are going to have to design something very specifically for that purpose,” Professor Sir David Omand, a former civil servant and now security academic, told the committee.
“It is as if a government operational analyst has been sent to observe the effects in battle of the flintlock musket, only to discover upon arrival that the Maxim gun has been invented,” added Professor Paul Cornish.
Earlier this year, the New York Times reported that a “secret legal review” by the US government found that it would be operating within international law to launch an aggressive cyber attack if it found evidence of an imminent threat to its national security. The US has yet to confirm that it would do so, although it is known to have launched cyber attacks in the past.
The MoD also announced further details of its Joint Cyber Reserve force, first revealed by Francis Maude ealier this year.
The ministry will begin to recruit reservist, including former Army personnel with IT experience and civilian information security specialists, to help protect “critical computer networks” and data from cyber espionage and cyber attacks.
“Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe,” Hammond said in a statement. “This is an exciting opportunity for internet experts in industry to put their skills to good use for the nation, protecting our vital computer systems and capabilities.”
The “full spectrum cyber capability” is expected to cost £500 million over the next four years.