Defining ‘responsible cyber power’ and putting it into practice
Lead Cyber Consultant, BAE Systems Digital Intelligence
11 Oct 2022
Following her recently published article with online publication Teiss, and to mark techUK’s Cyber Campaign week, Miriam Howe looks at defining responsible cyber power.
Last year, the UK launched its Integrated Review of Security, Defence, Development and Foreign Policy, outlining the country’s approach to security and international policy. Throughout the document, ‘cyber power’ is referenced over 20 times, with the foreword describing the UK as a ‘responsible cyber power’. The UK’s 2021 National Cyber Strategy posits a definition as ‘the ability to protect and promote national interests in and through cyberspace’. But what does this mean in practice? And how can it be achieved?
With cyber capabilities increasingly being used as a strategic tool by countries across the globe, answering questions around the definition of cyber power and how to put it into practice is vitally important, and involves defining the terms ‘cyber power’ and ‘responsible cyber power’. Currently, the UK is one of the few nations discussing these concepts, and it should continue leaning into opportunities to lead the narrative.
Defining cyber power clearly enough to make it tangible and operational, however, relies on collaboration in every sense. It means government departments and agencies working with industry and academia, as well as with each other, to create strong cyber capabilities and advise other countries based on its experience. It also requires having diversity in our current and future domestic workforce, encompassing a wide range of skill sets, mindsets and cultures.
The importance of language
Cyber power first emerged as an academic topic in 2010 (with Joseph Nye often quoted as being one of the first to mention the concept), yet it didn’t enter strategic security and defence conversations until a few years ago. While we have made a start by elaborating the components that make up cyber power, the fact remains that power in any context is nebulous. It is therefore difficult to define or measure, particularly as cyber power itself is a newer concept.
As we try to find common ground on the meaning of cyber power, creating definitions and indices is a constructive process. Equally important, however, is recognising that currently – and possibly for a while into the future – not everyone will share the same ideas.
This perhaps is not so much of an issue while we see cyber power as a national organising concept for our cyber strategy in the UK. However, creating a shared definition will potentially become more of a necessity when countries begin collaborating to build partnerships and alliances.
Focusing on cyber defences
So, what do we need to consider when it comes to putting cyber power into practice?
Firstly, it’s important to remember that the term cyber power is multifaceted. As some aspects of cyber power have military connotations, there is a tendency to only focus on the offensive element. But this doesn’t capture even half of the picture. If we think about cyber power as describing the effective execution of all elements of cyber operations and having influence on an international stage, it is much wider. And it has to start and finish with solid and resilient cyber defences.
At a fundamental level, the resilience of the UK’s digital economy and its military capabilities, as well as the preservation of society’s core values of democracy and free speech, all depend on having strong cyber defences. Without these in place, our ability to grow our digital economy, build relationships and business with other countries, and pursue military or intelligence missions effectively and sustainably is significantly weakened, along with the ability to present a convincing narrative of cybersecurity to partner countries.
Crucially, when the UK does employ offensive cyber capabilities, it needs to do so responsibly, making sure it acts in accordance with the law and a consistent ethical framework. It ultimately needs to ensure it is a ‘responsible cyber power’.
As outlined in the UK’s National Cyber Strategy, this responsibility goes beyond traditional cybersecurity to encompass other aspects of influence and national security, including cyber diplomacy, cyber capacity, innovation and partnerships and alliances.
Colouring in the ‘grey-zone’: why do we need to define cyber power?
However, not everyone has the same view. Some countries have strong cyber capabilities, but a different idea of cyber power.
These competing narratives have created a potentially dangerous ‘grey-zone’, characterised by a gap in law and certainty over what is happening in cyberspace below the threshold of war (on an ongoing, persistent basis). When compared to the physical world, it is challenging to see and attribute activities in cyberspace, making it even more important to define what is acceptable. A grey-zone is not where we want to be – a lot of harm can be caused outside of conflict.
As a result, there is an urgent need for democratic nations to lead the conversation around responsible behaviours in cyberspace. Importantly, though, this needs to be done in a considered way, accounting for different opinions and ideas.
If we want to engage others on the topic, it is important to share a positive vision of the future of cyber power. Often, cyber capabilities are looked at from the perspective of reducing risk and, as a result, are perceived as a luxury whose return on investment is notoriously difficult to measure. But it is also important to remember that cyber adds huge value to economies. The UK’s cyber economy, for example, has generated an estimated £4 billion.
Importantly, nations with the capacity to defend themselves, who have resilience and depth in their cybersecurity professionals and industry, can innovate and export their cybersecurity expertise. This way, they can generate export revenue and attract foreign direct investment into their digital economies.
The power of collaboration
Nations can also use their knowledge through the softer side of cyber power, such as cyber capacity building and threat-intelligence sharing. This involves sharing expertise in cybersecurity, offering other countries advice and helping allies to build their digital infrastructure and cybersecurity capability.
By providing practical help and supporting other countries to develop their own cybersecurity foundations – their strategies, infrastructure, skills, policies and procedures – the UK will be able to build relationships and influence overseas. Not only that, it will also provide strong export possibilities, giving UK industry and government an ideal opportunity to work together for common advantage.
The government’s engagement with the concept of responsible cyber power, writing it into national strategy, is a step in the right direction. Yet, it cannot be achieved by the government alone; it requires the collaboration of industry, universities, schools and society. Industry and academia must align their own investments and strategy with this vision of responsible cyber power, and amplify the messages to foster a shared understanding.
Public and private sector partnerships are key to success, enabling the UK to provide relevant, high-quality advice overseas and help deliver the changes needed. This is not just about partnerships with large industry players, but also bringing in small, innovative cyber companies. Reaching the whole industry is essential for building resilience in a scalable and achievable manner.
Creating a diverse cyber workforce
Collaborating to create a collective, diverse cyber workforce is also vital. To be a leading responsible cyber power, we need the right skill sets in place. This does not just mean software engineers, coders and computer scientists, but everything from communications and marketing to geopolitics and human behavioural scientists.
We need to pull together a variety of mindsets across many cultures and social backgrounds to be able to solve complex, emerging cybersecurity challenges and, in turn, enhance defences and exports. Security governance should be set by working groups reflecting the diversity of the nation it governs, to spot and move away from systematic biases in the workplace and online experiences.
Diversity needs to be considered in how cybersecurity and cybercrimes are experienced in cyberspace. Inequality related to how cyberspace is experienced by marginalised groups justifies more diverse participation in how it’s governed.
Having the opportunity to shape responsible cyber power is significant. Working together across government, industry and academia is key for allowing us to lead the narrative, which depends on encouraging creativity and fostering debates. This is truly a team sport; to create a positive and democratic definition of cyber power we need the best possible team.