David has 18 years of military leadership experience. He has worked in Single Service and Joint appointments, specialising in Communication Information Systems and Cyber.
It is unfortunate that, for many staff officers, the practicalities of ‘cyber operations’ consist of a brief and contrived power cut on the annual CPX for the sake of objective box-ticking. There are others who dare to imagine something more potent but who have become disillusioned because of the constant mantra from the non-kinetic effects community that real life isn’t like the movies; ‘there is no magic cyber button’. The truth is, cyber operations became a faddish obsession of senior leadership long before we were ready to deliver on the promise and the inevitable result was a deep-rooted and perfectly understandable cynicism.
There is a gathering body of evidence that the situation is changing and is doing so at pace. The potency of a ‘cyber-attack’ is abundantly apparent in the media. It is easy to forget that, even five years ago, such stories were relatively rare and were far removed from the reality of daily life. Contrast the situation today when there is invariably an open source daily dose of reported cyber incidents that have a clear and understandable impact. Invariably the majority concern bulk personal data loss, often perpetrated by criminals. In such cases the effect is often negligible save for the reputational damage of the victim. Increasingly, however, cyber operations are becoming more sophisticated in their ambition and intent. Perpetrators are using cyber operations to have a focussed effect on individuals, groups of individuals and even nation states. Sometimes this is simply through the manipulation of information, as was the case with Russian interference in the US 2016 election, but it can also be through the delivery of physical effects through cyberspace. Whether it is Ukrainian power outages or electronic destruction of Saudi government computer hardware it is not difficult to find examples where (usually) state actors have had a calculated effect on their adversary – be that as a standalone effort or blended with other instruments of soft and hard effects.
There is evidence too that Western nations are embracing this new tool of influence. At the 2016 RUSI conference, the Secretary of State for Defence acknowledged that the UK is already integrating offensive cyber into its full range of military effects. Across the Atlantic, the US is so energised about the possibilities that cyber will bring that they are elevating US Cyber Command to Combatant Command status. Canada has, for the first time, acknowledged that they too are aggressively investing in offensive cyber. Amongst our close allies, cyber is transitioning from the theoretical to the practical.
So offensive cyber is a proven potent weapon and its possibilities are being enthusiastically embraced by Western Powers. The resultant challenge faced now is how to best leverage at scale what has hitherto been a niche and largely insignificant capability? This question is exercising minds across government; integrating a new domain of tools into the national arsenal is an exceedingly complex business. Although evidently not a complete solution, the following 3 points are critical to success:
Technical Credibility. It is critical that credible and relevant offensive cyber options continue to be delivered in short order. This will not only ensure that meaningful effects are achievable, but it will also serve to build operational evidence to challenge the cynics. For this to work, cyber effects must be developed to support existing national contingency plans and their employment must be woven into to operational planning from the outset. Capabilities must not be delivered simply because they are technically interesting; there is no room in the modern world of professional cyber for the enthusiastic hobbyist.
Effects Focus. Those involved in cyber operations tend to be drawn overwhelmingly from the intelligence and communications fields. This is entirely understandable – offensive cyber has evolved largely from signals intelligence because of shared access techniques, and communicators, especially in the military, are likely to have the baseline skill level required to build cyber expertise. These are not, however, those who typically have operations and targeting experience. This needs to change; those that once saw themselves pigeon holed in an exclusively combat support role are on point to deliver effects. This equally applies in defensive cyber operations, which have for too long been solely about protection rather than proactively setting the conditions for operational success. Mindsets and skills will need to change accordingly.
Partnerships. Despite considerable recent investment across Defence, cyber is not exclusively a military effort. Indeed the real UK expertise and capability is invested in those with many years of relevant experience across government departments. Developing an autonomous military cyber capability would be hopelessly inefficient and would create an artificial and unhelpful divide between cyber used in pursuit of military and wider national objectives. The answer is a full and true partnership to create one single focus for UK cyber operations.
There is no question that cyber is here to stay. Getting it right now is inevitably going to be difficult and expensive, but the price is worth paying to ensure we are postured to stand up to our adversaries and lead the way amongst our allies.