According to headlines in at least two major national newspapers, the main policy emerging from Britain’s long-awaited Integrated Review of Security, Defence, Development and Foreign Policy is that the UK could respond to computer hacking with nuclear strikes. You will—I hope—be relieved to know that the Review says no such thing. “Mushroom cloud computing” would be as insane as it sounds. In fact, the 100-page document contains no new policies—or pounds—for cyber at all.
The review is worth analysing nonetheless. We certainly need an updated strategy: the current National Cyber Security Strategy, which I played a role in drafting and implementing, expires at the end of March. In the last few months alone, our allies in the US have revealed a hugely strategically damaging espionage hack from Russia. Closer to home, Scotland’s environmental protection agency has literally been held to digital ransom by criminals. So the time is right to assess the UK’s posture in cyberspace.
While a holding statement itself, the review promises a subsequent “whole of cyber” strategy. This innocuous bureaucratic phrase signals a potentially important shift, because it absorbs offensive cyber capabilities into a framework previously exclusively about cyber security: the protection of the digital homeland.
On the face of it, this is a curious development. Cyber security is about countering Russian and Chinese hacking, for sure. But it’s also about building resilience into critical infrastructure, giving good advice on password policy, making sure devices wired up to the “Internet of Things” (like babycams) are safer, countering online fraud and much else.
By contrast, offensive cyber—sometimes called “cyber power”—is about using cyber capabilities in active support of any relevant national security objective. It could be supporting military combat operations, destroying online terrorist propaganda capabilities or disrupting online child sex abuse. These are all important and laudable activities. But they generally have nothing to do with the sort of measures needed to protect, for example, vulnerable citizens from cyber scammers. There is no overarching reason to lump these activities together in a single strategy, other than that they involve people skilled with computers.
At least a single “cyber strategy” will force the government to confront—and allow the rest of us to judge—an uncomfortable ambiguity at the heart of its approach. Cyberspace is both what NATO calls a “domain of military operations” and a largely peaceful environment of commercial and social activity. But which is it primarily?
Cyber-rattling
A newcomer to UK policy, who had read just the Integrated Review and the briefing around it, could only conclude that on balance, the British government views the internet as a battlefield that needs to be dominated rather than a wondrous, transformative creation that promotes freedom and prosperity; one that needs to be nurtured and protected, and its flaws mended.
The language reflects what the American diplomat Chris Painter has dubbed “cyber-rattling.” There are countless references to projecting cyber “power” through “force.” It is this tone that makes the plainly ludicrous narrative about nukes in response to hacks seem plausible. And, by contrast, there is very little if anything in the document that recognises the harm ordinary citizens face from malevolent online activity on a daily basis.
So when the new “whole of cyber” strategy emerges, it should be judged against one question: is the UK committed to a safer internet, or does it prioritise taking advantage of internet insecurity in order to project British power?
Tilting towards “militarising” the internet would be a tragic strategic error. It would damage our hard power because open, free, democratic, rule-of-law societies like ours have more to lose from our own cyber insecurities than we have to gain by exploiting those weaknesses in others. It would damage our soft power because it would send a message to the very international partners the Review seeks to embrace that the UK is not interested in helping the world find ways of reaching a peaceful equilibrium in cyberspace.
Bland references in the Review to working with partners towards this sensible outcome will be drowned out abroad by the aggressive briefing and reporting of our enthusiasm to develop, store and use offensive capabilities to project cyber power. That every mention of cyber power is presaged by the word “responsible” doesn’t change that uncomfortable fact; other countries get to decide for themselves whether they see us as “responsible” or not.
The China problem
And this in turn could undermine the crowning achievement elsewhere in the Review: a clear, coherent and courageous strategic policy for British technology to play a leading role in helping the western model prosper in the face of the serious challenge from China. This is much needed. When I was grappling with the contentious issue of Huawei’s involvement in Britain’s 5G networks, I asked a senior adviser in Theresa May’s administration to what extent the government’s strategy had changed from David Cameron’s “Golden Era.” “We still have the same China policy,” came the reply. “We just don’t like it anymore.”
To its enormous credit, the government has filled this policy vacuum. It has grasped that the Chinese objective is not to subjugate the west through exports, but to attain global pre-eminence by being technologically stronger. The key, therefore, is to out-compete and out-innovate Chinese tech. That involves investing in our own research, and protecting it against technology transfer. The Review contains sufficient funding, policies and legal changes to achieve this. It is excellent public policy.
There are reasons to be sceptical that the government will be able to follow through with its policy on this front. If it does, it will be the ideal issue on which to find partners for Global Britain on a planet worried about China’s ambitions for tech dominance. But presenting ourselves as, in the words of Harvard professor Jack Goldsmith, the west’s archetypal “fearsome global cyber bully” is unlikely to help in that regard. Countering that impression—and re-affirming ourselves as the good guys of internet security—is the most important thing a new “cyber strategy” can now achieve.
