Contrary to its normal positioning in terms of defence policy, the United Kingdom has come across as notably aggressive when it comes to advertising its offensive cyber warfare capabilities. Indeed, ‘Britain’ as one Russian source accusingly – and accurately – puts it, was ‘the first country in the world to publicly acknowledge that it is developing the potential to conduct offensive operations in cyber space against other countries.’ Likewise, the admission from the UK’s ‘defence chiefs’ that their cyber assets had the ability to ‘turn out the lights in the Kremlin’ was also picked up to propaganda advantage in Russia. It became a headline there of ‘British threats to “turn off the lights in the Kremlin”’. It seems that the UK’s cyber sabre-rattling is providing no little grist to Moscow’s information warfare mill. Indeed, Moscow’s message is that the UK, with its stated position on the offensive use of cyber, is not conforming to international law, while Russia, which denies employing such a tool, is.
International law, of course, has yet to catch up with cyber warfare as a concept. The main issue with state actors employing cyber attacks is their justification given cyber’s perceived lack of targetability. That is, cyber attacks, being difficult to precisely control, are seen to transgress the jus in bello principles – i.e. the need to provide proportionality and discrimination (in, theoretically, the use of force). For instance, and (in)famously, the Russian NotPetya cyber attack on Ukraine in 2014 became so widespread that, among other knock-on effects, it almost collapsed the Danish Maersk shipping company and even ‘blew back’ in a ‘friendly fire’ manner to damage major Russian companies.
There are thus questions over the ethics if not, indeed, the legality of deploying cyber attacks against state adversaries. Can they remain sufficiently targetable? Can UK cyber ‘turn off the lights in the Kremlin’ without also turning off, say, the heating in Moscow in the middle of a Russian winter? This could result in the collateral damage of many civilian deaths. Given such dangers, what is the logic behind the UK’s notably truculent cyber stance?
The need is, of course, to generate deterrence. The UK’s cyber posture is a signalling mechanism designed to ward off Russia’s own and fairly constant unacknowledged cyber attacks against the UK, its allies and partners. The UK is practicing deterrence-by-punishment; spreading the message that Russian cyber attacks may be met with UK counter attacks in the cyber realm. This position is, though, one not without controversy. The issues raised by this UK deterrence stance are explored in detail by the authors here in an article in the Journal of Cyber Policy: ‘Deterring Russian cyber warfare: the practical, legal and ethical constraints faced by the United Kingdom’.
Russia, of course, does carry out cyber attacks against other states. They fit in with Moscow’s current defence and security policy as first set out in the Russian National Security Strategy (NSS) of 2009. This basically stated that Russia will engage in ‘active defence’ measures against what it sees as its Western state adversaries by using ‘indirect measures’. These are non-kinetic and applied mostly in the information realm. Their aim is to constantly apply disruptive pressure on such adversaries so as to undermine their ability (from Moscow’s perspective) to conduct any future offensive operations against Russia or Russian interests. This is all laid out officially in the Russian notion of ‘strategic deterrence’. According to the NSS, this consists of ‘a complex system of interrelated political, military, economic, informational and other measures aiming to pre-empt or reduce the threat of destructive actions from an attacking state (or coalition of states)’. Cyber ‘measures’ are central to this ‘system’.
This is confirmed in articles in Russian military journals. In one, for instance, four senior officers pointed out that ‘cyber warfare’ will be used by Russia ‘against intractable enemies, opposition groups, criminal groups and [with pre-emption in mind] potential adversaries.’ Another Russian general writes, ‘Information [including cyber] warfare needs to be continuously conducted in peacetime.’ Such open-source articles are indicative of the Russian military’s desire to see cyber warfare deployed against, for instance, NATO states and there has been much thinking about how best to employ it. Its use, in Russian military thinking, will come in two forms: the cyber-psychological (mostly information-based) and the cyber-technical (where technologies are interfered with).
Whatever its military might say, though, Moscow does officially deny conducting any cyber attacks against any ‘potential adversaries’. And it can do so with some impunity because attributing them to any particular source – i.e. Russia – is very difficult. The UK can blame Russia all it likes for any particular cyber attack, but ‘plausible deniability’ can always be employed.
Denied or not, Russian cyber attacks have the capacity to represent a considerable threat to the UK. These attacks generally have three specific aims. The first is to gather general information/intelligence. The second is to probe for weaknesses in computer systems (mostly CNI-related) that can be identified and taken advantage of later. Thirdly, and more fundamentally, these operations are being used to, in essence, help weaken targeted states from within; to destabilise them slowly over a long time-frame.
The threat posed to the UK has been noted. The UK’s Defence Intelligence (DI) agency has warned that Russia is ‘not targeted in its use of offensive cyber capabilities.’ Russian cyber warriors are, it seems, making ‘practice runs’ in order just to see where vulnerabilities exist. According to DI, they ‘are quite prepared to use the world as a range, [saying] “we will give it a go and see what happens.”’ This has its dangers in terms of generating unintended consequences.
Such activity has led to banner headlines—even in quality UK newspapers—such as, ‘Russia is ready to kill us by the thousands.’ This echoed a statement made by then Defence Secretary Gavin Williamson who had warned that Russian cyber attacks against the UK’s energy infrastructure could cause ‘thousands and thousands of deaths.’ He said that Russia wanted to create ‘panic and chaos’ in the UK.
Hence the UK’s need to practice its cyber deterrence signalling. The UK feels a distinct need to warn Russia. The deterrence-by-punishment message is a simple one: ‘you keep attacking us and you may face more damaging attacks in return’. But, as noted, and as we explore in our abovementioned article, such a stance can not only provide a propaganda bonus for the Putin regime, it is also fraught with ethical and legal dilemmas.