NCF report: A watershed moment for UK cyber operations and responsible cyber power in action

The UK has been conducting cyber operations for many years, and with this report it breaks new ground in setting out how cyber operations can be used in measured ways to support a wide range of policy objectives. In doing so, it aims to demonstrate how the UK will employ a powerful capability in ways that live up to its vision to be a “responsible cyber power”. 
 
This report is described as a first step in greater transparency that aims to underpin the legitimacy of NCF operations and sustain a “licence to operate” founded on public trust. To that end, the NCF builds on previous statements on its legal foundations and oversight arrangements to set out how it will apply responsibility in practice through the “core principles” of accountability, precision and calibration. 
 

• Accountability: the NCF reflects that its operations are carried out in a legal and ethical manner, in line with domestic and international law and the UK’s national values. This emphasis adds an important dimension to cyber operations, which is made possible by a highly developed framework that includes Ministerial approvals, judicial oversight and Parliamentary scrutiny. 

• Precision: cyberspace is a deeply interconnected, complex environment, and so cyber operations carry a meaningful risk of unintended consequences. To mitigate this the NCF operates to achieve specific outcomes and conducts extensive planning, reconnaissance and risk analysis – with operations carefully timed and targeted to achieve precisely the effect intended. This is a significant commitment, since it adds complexity to the design of tools and requires a range of expertise to conduct a thorough evaluation.

• Calibration: the NCF describes an approach founded on campaigns that combine several operations and other measures (such as law enforcement, military or diplomatic activity) to achieve cumulative effects. It describes how operations are conducted at high tempo – on a daily basis – but also suggests that they are calibrated to be proportionate and avoid escalating a confrontation or incentivising adversaries to develop additional defences. This presents a complex challenge of integration and analysis, but it offers the prospect that cyber operations can be used in nuanced and sophisticated ways that make them valuable to a broad range of policy objectives.  

 
Alongside these principles, the report sets out in more detail than ever before the factors that enable it to operate in a responsible way. This provides a valuable blueprint and a notable contribution to the debate around what factors go into making cyber operations responsible and ethical.
 
Beyond this focus on responsible cyber behaviour, the report provides some valuable insights into the thinking behind UK cyber operations. Amongst the different elements it sets out is what NCF calls the doctrine of “cognitive effect”. This suggests that cyber operations can have an impact beyond simply the tactical effect of disrupting a piece of adversary technology.
 
NCF suggests that operations can change adversary behaviour by disrupting their ability to acquire, analyse and make use of the information they need to achieve their ends. This, perhaps coupled with affecting their ability to communicate and co-ordinate with others, can affect an adversary’s perception of their operating environment and make it harder for them plan and conduct their activities. This is a thought-provoking and distinctive addition to the discourse on the application of cyber operations.
 
The NCF acknowledges that measuring cognitive effects is a hard problem. To that end, its stated intention to engage a broad range of stakeholders and disciplines spanning the private sector, academia, think tanks and wider civil society is an important commitment.
 
Academia has made a significant contribution to this emerging public debate, and the engagement of academia, industry and press is a major step in embedding the understanding and value attached to the work of the NCF through transparency. The engagement of broad expertise and perspectives is not necessarily a natural path for an agency tasked with covert operations, and it reflects both the novel challenges raised by the application of cyber power and the importance attached to legitimacy and trust.
 
The conduct of cyber operations is only one facet of the UK’s conception of cyber power, which extends much more broadly to encompass themes including national cyber resilience, science and technology, skills and education and international engagement. This holistic approach will rely on a foundation of defensive resilience at national scale. This in turn depends on a diverse ecosystem of industry partners, and the UK is making a concerted effort to define a coherent vision that can harness those capabilities to best effect. 
 
* The UK Government uses this term to denote operations designed to influence individuals and groups, disrupt online and communications systems and degrade the operations of physical systems. These activities are often referred to as “offensive cyber operations”.