UK Offensive Cyber & the National Cyber Force

EVENT TRANSCRIPT: UK Offensive Cyber & the National Cyber Force

DATE: 2pm, 12 May 2021

VENUE: Online

SPEAKERS: Amy Ertan, Dr Danny Steed



Danny Steed  00:00

Good afternoon, everybody. Welcome back to Henry Jackson Society. It’s great to be hosting yet another cyber event. It’s been one I’ve been, you know, quite excited to do for a while now on offensive cyber here at the UK and the announcement of a National Cyber Force being constructed off the back of the integrated review. I’m really thrilled to be able to welcome Amy Ertan as our guest today, who’s going to be really speaking off the back of a report she co-authored on the National Cyber Force that person needs with the question mark on this. But just before introduce it, Amy, I think really when it comes to offensive cyber, the one thing that it’s quite an interesting aspect here in the UK for several years is it’s almost been much more like the rule with Fight Club of the one thing we don’t speak about in UK cyber has been offensive cyber, and now, we’re kicking the lids off of this. And we have so many questions that need to be tabled and figured out. And I think it’s quite clear, we won’t have all the answers. But it should be a very interesting exercise just to shining the torch where it needs to be pointed for Whitehall at this point. So Amy, welcome. I’m just going to introduce your details very quickly, before we leap right into this. So Amy is currently a doctoral candidate at Royal Holloway London on Information Security, but she’s also the co-chair of the offensive cyber working group and visiting fellow at NATO’s CCD COE. I won’t say it out, Amy, because every time even if someone inside but I always get it wrong. It’s quite a mouthful. And also a visiting fellow at Harvard’s Belfer Center. So, Amy, this, the report you co-authored with the offensive cyber group, what really brought this about? How did this project really kick off?


Amy Ertan  02:19

Good opening question. First of all, thank you for having me. Pleasure to be here. And yes. In terms of the report that came out through King’s Policy Institute, Joe and Tim from King’s contributed, Andrew from Durham, offensive cyber Working Group. We, over the last year or so we looked at the news, the updates coming out around the National Cyber Force, which was established out with statement November last year and expanded on slightly through the integrated reviews through a Defense Command doctrine. But just looking at how it came about, and when we didn’t have details, is what really brought us together. So going through and introducing a little bit about the National Cyber Force and where it is, we know that it’s just joint military intelligence unit is bringing its partnership with GCHQ, with MOD, drawing in from MI6 intelligence services, DSTL coordinating offensive cyber activity, as they define it, we know that it’s not a new program, there’s been the national offensive cyber program for a number of years, which was this cooperation between MOD and GCHQ, but we have this new organizational unit that’s been announced, which is very interesting, but also raises a huge number of questions. I know, Danny, raises too, that not much public debate has happened around this. And most, some of that is good reason. For some things, you can’t have transparency when it comes to the nuts and bolts of operational offensive cyber capability. But what brought us together was thinking about the implications of a unit like this, this coordinating capacity, which has a huge tasking, it’s, you know, supposed to be this core tool within the UK, cyber capabilities of detecting, deterring, and defending against your hostile states, your terrorist groups, your serious organized criminals, and exactly what that scope means the responsibility of the unit, the governance of the unit. The actual mission, as its, as it kind of has to be stated publicly.
Our report goes through a number of questions and considerations. We reflect on those, we reflect on the UK as well right now, within the UK landscape, and we started thinking about recommendations. But what brought us all together was this idea that actually we should be able to discuss a lot of this in public and we know that like Kieran Martin, former CEO of the NCSC, Marcus Willett, former director of cyber GCHQ. They agree with the idea that while we can’t talk about some of the technical fundamentals, we should be able to talk about the responsibility, the governance, the strategy and the doctrine of a unit like this. And that’s what the report is trying to do, is trying to kickstart this debate, trying to get people speaking, it’s trying to tease out some of the nuances of some of the questions that are raised by the National Cyber Force and get people engaged. Also through events like this. We obviously had one last bit today that what also brought us together was the fact that we do have different backgrounds. So we have Tim Stevens, Joe Devonny, from the War Studies Department of King’s, very much security studies focus, Andrew Cayman with geography and geopolitics, and then myself as well, geopolitics and information security, and we all have those aspects. But together, we’re all able to look at different parts of the NCF.


Danny Steed  06:12

No, it is fascinating. And as you say, like kicking off debate. So just before I forget to making sure to the audience, please pump in any questions you have on this into the chat channel. We’ll be triaging them as we go. And we do want to open up to everybody’s questions as quickly as we can. Today, good ones already pinged in but yeah, Amy, this. Obviously, it’s a huge area on this. So I think as well, just to prime everybody in attendance, you able to stay, you really covered the main findings that you’ve come through, because I know, obviously, it was going over accountability, governance, mission focus, I think, yeah, I could probably ask 10 questions on each area, but it’d be a little unfair of was, I’ll just be chatting to you on the phone rather than here. So would you just be able to really run through the report’s findings?


Amy Ertan  07:12

Yeah, I can pull out some of the top ones for sure. And, and this is definitely a challenge even writing the report, there are so many things you could delve into, at the operational side, but also the strategy, doctrine, legal and ethical side that you could, you know, we could have written so many reports on this. Probably the first aspect when we reflected on, okay, we have this National Cyber Force, we have some detail about its scope. And what it’s supposed to do as part of the wider UK cyber strategy and cyber posture is that the NCF still has to be realistic, in terms of what we can just in terms of what the UK can do in terms of resources in terms of scope, offensive cyber being one part of a much wider cyber strategy, offensive cyber being kind of, yeah, just one part, but not necessarily the most important part of the strategy, too. The National Cyber Force could have so many different missions, given that it’s been stated it will be countering state threats, terrorism, serious organized crime. And something that we’ve written in the report, and we say every time we speak, is that the NCF can’t pursue all these missions. Equally, they can’t do them all, and they can’t do them equally well. So the UK, the NCF, will have to make some hard choices in terms of prioritizing mission focus, and actually what the NCF will engage with. And maybe one small example there is that we know the NCF will aim to grow capacity to 3000 personnel by 2030. And that’s half the size of the US Cyber Command today. And that’s not to try and compare the UK with the US, that doesn’t necessarily make sense. But it’s to really drive in this point that the UK will have different constraints that will need to bear in mind to think about where best and where most efficiently to dedicate resources to. In terms of actually, that finding and the recommendations that we attached to that, we said the NCF needs to have a clear mission focus, mission should operate. Clearly it should be proportionate.
And our recommendation is that actually, operations conducted within the offensive cyber banner by the NCF should be persistent low level counter cyber operations, targeting critical, targeting, sorry, cyber infrastructure of adversaries, criminal groups or operational support to military operations, which is high priority work and a good focus and is much less controversial than other options like targeting adversaries’ critical infrastructure. So there’s more than enough in that sense for the NCF to focus on. We also think the focus should be continually assessed by an Audit Office and other institutions. So you have this oversight to always check that the mission scope is always realistic. It’s always in line with legal and ethical obligations, which is a whole other bucket, I think we’ll hopefully have time to talk about later. Second main aspect, main finding, is that we need to understand the context of the NCF is a body that hasn’t emerged from nowhere. It’s grown, it’s developed. And it’s come through this process of MOD GCHQ partnership for years. And thinking about how you build out the NCF, its capabilities should bear that in mind, should bear those cultural aspects in mind, in terms of thinking about how the future of the organization will work. And in our recommendations attached to that it’s really about having a clear organization, organizational configuration for the unit. So presently, the NCF operates under some different legal authorities. So the Foreign Office will approve particular operations, defense secretary sorry, authorize others. And it’s not quite clear where those divisions are, where those implications are. So we recommend the government be very clear about those mission priorities. And also be clear about the process and allocating out those priorities to, again, with audit oversight as well. Almost coming back slightly to this idea about the NCF having to be realistic about its goals.
We have this kind of reference in government documents talking about the NCF, about whole of government approach to cyber. And we can apply that to talking about the joint nature of the NCF and how that should be governed at a ministerial level by government too. There shouldn’t be difficulties in deciding the future of the NCF based on competition between departments. So when it comes to governance and accountability, we need that strategic leadership from ministers, from senior officials, from the outset. So the integrated review highlighted kind of a reformulation of a ministerial small group for cyber, which is great, we recommend that the government ensures this group actually delivers that leadership required to get that accountability for the NCF. And if it’s not already the case, the report recommends it is chaired by a senior minister, perhaps Prime Minister or Chancellor of the Exchequer. We also state and recommend that the UK should appoint a Deputy National Security Advisor for cyber, similarly to how the US has that post, which again, would facilitate this strategic thinking and coordination about cyber related defense and securities issues. And that would encompass the NCF too. And then, probably the last main finding is reflecting on the UK’s position right now in the international landscape, what that means in diplomatic terms, but also in terms of international law, in terms of the alliances and partnerships that the UK has or may wish to build.
So it does make sense for a number of the threats that the UK faces, which are also a threat to allies, for the UK to cooperate, to keep on cooperating with structures like NATO, or the Five Eyes intelligence alliance, but also to build on and discuss new partnerships, potentially, notably across other European states, or in line with EU to work out firstly, how UK cyber expertise could contribute, but also how the UK can leverage coordinated activity too, because again, we have these resource constraints too. And in terms of those recommendations, we also think that in diplomatic discussions, the UK should be proactive, transparent about what the NCF does. And that includes talking about software and offensive cyber capabilities, which will stay with the NCF, through cooperation too, and then these wider legal ethical obligations of which there are many. The UK should demonstrate operationally through diplomatic discourse and diplomatic mechanisms, adherence to international law and also further in that discussion about how international law actually applies to offensive cyber capabilities. So that’s the top level layer of findings and recommendations that we came up with, which of course, isn’t exhaustive, isn’t discrete. Going through the report, you’ll see they’re just it’s all incredibly nuanced. And very, very interesting. So we’re just hoping that it does provide that basis. And that springboard for discussion and also informed decision making from government as well about how the potential path forward for the NCF.


Danny Steed  14:59

Thanks so much, Amy. I’ll let you take a breath as well at this point. Not for too long, though. But yeah, it’s that fascinating bit of there are so many questions in this to really reconcile and it was almost quite surprising in some respects that the, you, certainly in my mind, perhaps it’s just an opinion, but that the NCF announcement predated by quite a margin, really a good few months, the integrated review and of course, a full year, roughly ahead of the cyber strategy due at some point in the autumn or early winter. And I suppose, thinking to that question mark you had on the strap line of the report about the force the UK needs. If I was going to be the go doing my journalist impression, I’d probably open the entire talk today with asking, what is it going to do? Because what the NCF actually does is its routine daily practice, which surely goes quite a long way to answering that question of needs. So I’m really fascinated by this balance of are we talking about counter state activities? Is it the hints given in the IR and Jeremy Fleming’s speech for GCHQ rebels degrading ISIS capability as part of support. But then part of what almost doesn’t seem to get mentioned at all, even though it surely seems to be quite a leading answer is how big a support role does the NCF play in protecting the British Armed Forces and supporting existing military operations? So I just wonder if you’ve got insight, I know I have opinions which I’ll, you know, push there, because they raise enough questions in itself. But especially with a force that, as you say, is only going to be 3000 strong in a decade’s time, not now. So it’s what do we actually expect them to be doing tangibly as the most routine type of operations? And how does this start to really push us down that path of answering these broader questions and impacts about allies, proportionality, our legal positions, etc?


Amy Ertan  17:18

Yeah, I think you’ve hit the nail on the head in terms of one of the questions that brought us all together is that when the NCF was announced, in that November statement, last year, you had the statements that it was effectively defending the UK. It gets you tired of the threat landscape, you have your state actors, state sponsored groups, you have your terrorist, you have your serious organized crime. And the examples they gave were you interfere with terrorist mobile communications, but also protecting military assets? I think they were referred to aircraft or something like that. So was really a statement that I think, opened them to everything. And our next question was, okay, well, that’s probably not feasible. So actually, what will happen and where would that balance be? And it’s something I don’t have the answer to. It’s something we try and go through and try to talk about, well, what would be the best use of the UK’s resources, this 3000 people, it makes sense that the NCF exists in this structure, and it draws in all these capabilities from MOD, from intelligence services, from the different aspects because it is efficient, it means that you have all that talent, that resource, that technical capability in one place, so that sometimes you can do military support operations. And sometimes you can actually do something which is closer to countering propaganda, things that we know the UK has done in the past. But there isn’t any clarity just yet on what that split’s gonna look like or how that will work in practice. And that’s that kind of process question is something that I think can be debated. Because it talks about it leads into questions about accountability and who authorizes what and the very structure of governance across all organization as well. So big questions.


Danny Steed  19:18

Yeah, it leads me to these are just some of the bits I had planned for you Amy of that. I’m not sure if it’s a tension or a not even a contradiction but something that needs a little bit of reconciling where NCF will have GCHQ leadership, but the funding is predominantly MOD. The bulk of forces appears on value from everything we’ve seen that it’s going to be a much more military unit with intelligence leadership, and should we be reading anything into a military funded intelligence led body with a slightly hazy remit of, okay, are we talking force protection, which makes it a much more conventionalized package, which would be easier to understand and it becomes much more of a doctrine question, or are we pushing towards that blurred line between intelligence and special operations where other force structures will protect the Armed Forces, NCF will go and do the very interesting stuff like taking down ISIS networks, potentially countering election interference, hacking back against organized criminal groups, those sorts of things. Do you think that the hints we have about the leadership structure push us in certain ways to observe?


Amy Ertan  20:56

I think it certainly raises questions. And I think it’s what nudged us to have the aspects like clear mission scope, and this informed government strategic leadership and strategic accountability, this auditing power on top to make sure that you kind of mitigate any risks associated with tensions or agendas. And the idea that actually this should be a body where it’s extremely clear what the scope and mission focus is. That stated, and you could talk about that. You have the frameworks that the union will operate in, and then you can kind of rely on that to work. But I agree in the sense that it’s not clear. I agree. Yeah, that it’s something that we spoke about at length, in terms of what can you recommend? If you could have a conversation with decision making now, and kind of give your views to them on the future? The answer of how would you try and mitigate historical aspects of the organization, what’s been happening in the last, while not the organization, but offensive cyber in the UK, the fact that you’re not starting from scratch. So you have all these not necessarily tensions, but historical culture, or precedent or path. And then you just have to bear in mind. No tie back way beyond a decade. And we talk about MOD and intelligence, for example. And different states are doing this in different ways, too. So that’s another interesting aspect of looking at the UK. We briefly looked into the report, of course, at the US in the Euro, US approach to offensive cyber, but also France, Germany, Netherlands, how other states are defining offensive cyber, how they’re approaching it, and where they’ve drawn their lines in terms of frameworks and setups too. So interesting to see as well where the UK will go in terms of building itself out, cooperating with allies while maintaining and promoting their own National Cybersecurity goals as well.


Danny Steed  23:14

Yeah, absolutely. I think this leads into the audience questions. I think the one I’m going to go with first is Paul Sanger Davies’ one. Because this does dovetail quite nicely to what you were saying, Amy, about this not a blank slate, and other people are doing things as well. So Paul’s got two but they’re very closely related. How close do you think the UK will drift towards the UK Nakasone doctrine? And if the UK and the US-UK routinely operating within networks of others, can we not expect the adversaries to do likewise? And he’s asking off the back of that, to what extent will this likely cause escalation of cyber hostilities? So I see those as very related questions. Do you think there’s a bit of an escalation dynamic hidden in there?


Amy Ertan  24:13

Um, so jumping into the first part about the UK, maybe comparing or not with the US approach? I think. I think it would be not hugely helpful to try and understand the UK’s approach to offensive cyber, just looking at the US and US doctrine and persistent engagement, defending forward, this extremely proactive one side of this scale. And as it sets up, the UK hasn’t made statements like that. I think there’s a good reason for that in terms of the sheer amount of resources like I mentioned earlier, the UK just can’t posture itself to do that, and be that aggressive just in terms of finance, talent, resources, so that’s the first point I’d make. And in terms of this aspect about offensive cyber being escalatory, it’s, I think there are wider, yeah, there are wider questions. The we asked in the paper about this militarization of cyberspace that we see, of course, we see it in documents like the integrated review. And we see uncertain statements as well. And like you mentioned, it will be interesting to see how, beside the UK cyber strategy the end of this year comes through and the tone that struck that strategy takes too. I think the risks of militarization and the risks of escalation are, again, part of the questions why we really want to discuss and debate some aspects of the National Cyber Force because it depends, like everything, it depends on how it operates, in what frameworks it operates. Some of the discussion that we have through the paper is around legal obligations, the application of international law, the progress that’s been made. Today with the UN governmental. It’s another acronym, governmental group of experts talking about what is responsible state behavior in cyberspace, the combination in the Paris call which was signed by many, but not all states, which try and I suppose set those norms to prevent this kind of escalation. Because the US didn’t sign the Paris call. Neither did some, neither did Russia and China, I believe.
So very much not a settled question, even the norms and understandings that we have are still really early days. I think that’s another good reason why we talk about international cooperation in the paper as well. Because if the UK is able to further both be consensus, international law applies to offensive cyber and cyber and human behavior in cyberspace, but also works together with partners and other states to talk about exactly how international law applies, then you start to veer away from the ethical true pattern that gets in some way there as to why adversaries will do. Yeah, a lot of speculation that people can make.


Danny Steed  27:30

Yes, I really, I really raise that point, Amy, you’ve made of, we need to remember how small this unit is at the moment. And how far could the capabilities actually go in thinking like almost from a legal perspective, the case law that they would be developing, it might be fairly small and very highly targeted. So rather than worrying about the traditional international relations, escalatory model per se, we might be just talking about very limited use cases, more than anything. Just going to start getting going a bit more into audience questions. Sam North, will you ask your question?


Samuel North  28:22

I suppose my only question is, it’s kind of around industrial espionage, because it’s my understanding there is a lot of the that’s been going on for years. So what would the UK cyber force do to kind of mitigate? Or what approach would be taken to sort of overcome some of those challenges related especially to, you know, device research and the rest of it?


Amy Ertan  28:53

That’s a really interesting question. And last week, I was on a panel for the report with Marcus Willett, so former director cyber GCHQ, who made the distinction between espionage and actual malicious cyber activity designed to destroy, disrupt, etc, as you have an impact. And so it seemed that actually, it was a focus more on those disruptive capabilities at that point. So we didn’t come across too much material on the espionage side, doesn’t mean it’s not that just means that there were so many. This was one of those things we had with the scope where there are so many questions you have about when and how you can operate in another environment, in which cases how do you do that in an ethical way? What legal constraints do you need to have in place? We didn’t. We didn’t specifically go into the scope of espionage as well. Can you I don’t know if you have thoughts on that.


Danny Steed  29:59

There’s a point, Kieran Martin makes so many brilliant points all the time. But it was something he said specifically in the foreword to your report about there is that very blurred line that is almost inherent to cyber about when does activities for espionage crossover into proactive activities which start becoming much more military actions or pursue some security objectives? Because, you know, what looks perilously thin lines in technology is actually a huge Rubicon legally. The crossover from espionage not as, as the Tallinn Manual says not per se, being covered in international law, its source of permitted internationally is that about domestic law interface, as opposed to we definitely know you can cross into international laws of armed conflict and IHL. As soon as you actually start attacking networks, exfiltrating data, interfering and such like so it is, it is interesting, and that was part of the that I’m not sure if it’s a dilemma in the intelligence leadership for a predominantly military unit for a mission set. And that’s the thing about that mission focus of exactly what it does, it highlights more, that there is a blurred line in between intelligence and warfare, full stop in the world of cyber and it might take a lot of practice, institutional practice in someone like the NCF to actually figure out, is there a new? I hate the phrase gray zone I genuinely do over the last few years. But a new difficult boundary?


Amy Ertan  31:56

I think, yes, gray zone like many phrases, quite frustrating. But it is applicable in the sense because then, when we talk about things like international law and actual frameworks that we have, when it comes to armed conflict, that end of the scale, we actually do have international law that is understood, we know that certain kinds of offensive cyber activity at that level are not permitted. But when it comes to some of these lower level activity that isn’t, you know, critical infrastructure, for example, you do have this kind of wide open space of ethical legal, so one might call that a gray zone?


Danny Steed  32:45

We’ll go next to Malcolm Warr.


Malcolm Warr  32:52

Amy, thank you very much. I’m a bit of a specialist in maritime security, as some people know. And of course, it tends to be sometimes behind the screen because it’s a global issue. And I just wondered, having had a skim through your report, whether you at least thought about that and whether you think you might be included in some future force arrangement?


Amy Ertan  33:20

That’s a good question. And I’m not sure. We generally didn’t look at specific parts of the armed forces. We kind of just looked at MOD, where that authorization line goes. So I’m afraid I can’t answer that one specifically, probably pass over to Danny, if you can.


Danny Steed  33:45

I think again, I know I’m repeating it ad nauseam. But that whole base of that mission focus and it just piques my curiosity in the integrated review about, okay, this is a predominantly military body. But we’ve already spent years building a joint cyber unit. And hence why is the NCF supposed to be much more akin to UK special forces that it’s its own command structure that does a very high end mission set. And we delegate to other areas of MOD and specific military force structure force defense in cyber or is there going to be plugin from the NCF? I think it’s a really big open question because doctrine needs updating. There’s going to be a very clear learning curve when the Queen Elizabeth the Second does go into the South China Sea in a few weeks’ time, and is no doubt going to enter a barrage of EW operations out there as a test case. So I, this is just something that keeps mulling in my mind, Malcolm, as well of is there an interface between the NCF and the armed forces operationally? Or will each service unit need to effectively start working on its own answers to these questions out there. Okay, Asta next. If you are there, please. I don’t know,


Asta Zelenkauskaite  35:31

So first of all, thank you very much for this forum for the public as a tweeted, I think it’s a, I think it’s a great moment to engage different types of people. And this is how I found this forum. So I’m an Associate Professor of Communication. So I’m analyzing social media, and kind of my question comes more from them social science, and perspective, by looking at first of all, you know, identifying these definitional boundaries in some ways, because, as we know, from the past examples of, for example, of Russian trolling, you know, how these operations take place online, they shift very rapidly. And also the definition how they operate by incorporating groups, like authorized groups, for example, or capitalizing on the existing infrastructures, or social media kind of culture. So I’m wondering, first of all, you know, is it to what degree it’s a challenge, kind of to define these shifting contexts? and to what degree as I see that, you know, your presence, Amy particular, in particular, shows that, you know, academics are welcome in this conversation, and as you kind of representing also being part of the university, are part of this, you know, defining elements, but to what degree, you know, how this is going to play out? Do you see those given what we have seen so far, and from the definitional perspective, but also changing these how these social media spaces that are considered mundane, are capitalized. And then it’s very hard to argue that there are really spaces for kind of this interference, for example, happening, as it has, we have seen that public cannot accept the fact that it can take place. So what would be some of them thinking definitional thinking that you had within your group?


Amy Ertan  37:40

I’ve just been madly scribbling. So I’ll try and go through that in parts. And the first bit, if I understand correctly, is about just the very flowing, changing nature of some of the threats, and especially when you look at activities, which are not plain computer network intrusion, but you have trolls, propaganda, etc. Engaging in this kind of contractivity, we speak a little bit about the implications and cognitive effects of offensive cyber activity and what that means for the UK as well. So we talked about, and I think, generally, we care about some of the ethical puzzles and how you engage here, like, when is an offensive cyber activity ethical when you’re not, when you’re targeting non-combatants, for example? Is there a framework for kind of contrary propaganda, for example, like how do we do that? How do we discuss that in a public forum as well. And an interesting example I came across recently was the UK, actually, the voluntary force. They’ve been engaging and taking down fake news related to COVID. So there’s an article online somewhere about the work that they’ve been doing last year. But that was fake news that came from foreign state actors. So there were just distinction drawn there about how to engage in that kind of activity. But a lot of the time, and I think Asta points out quite well is that if we don’t have a clear understanding of what’s happening, then it can be very difficult to have a very focused, step by step approach to counter that. And that, again, just comes back to this idea of the clear mission focus of the NCF. And of course, as they outline it, huge range of threat actors, huge range of threats. So it’s not going to be easy to shape that and develop that over the next few years. But it is what aspects that we need to think about the fact that the threat landscape is always, always changing. In terms of engaging with different types of people, different aspects of people.
We of course, recommend that I recommend, firstly, that we do have expertise from government, we have this strong leadership, but we also have this double-hatting of ministers. So ideally, you have different points of expertise that can give that oversight and give that leadership for the organization. But we also recommend unit. But we also recommend that the government engage beyond that leadership pool as well to go talk to academia to go talk to industry, to get these different parties on in different aspects. Because yes, we all have something to give. And, again, we are four academics that wrote this paper. And it is a policy paper. But that’s the view that we brought in. And that’s a lens that we brought to talking about legal frameworks or organizational configuration, for example. So absolutely, there should be more drawing in and this wide range of expertise, and the public too, and actually, that last point, I didn’t get the notes down completely. But the point I would make about explaining this to the public and explaining this to others is, it can be difficult with cyber issues, because it’s not always necessarily relatable, in the same way that other aspects of national security are. The fact that a lot of money, a lot of relatively a lot of money has been dedicated to setting up and building out the National Cyber Force, which will be engaging in activity that goes beyond the UK borders, it’s not necessarily something that’s going to be on the minds of people who aren’t scholars in this field. And nor should it be necessarily, there is an aspect that you do want people to be you want people to be able to access information relating to the NCF, you want to be able to hold this debate on how it should operate, how it should be organized, how we know that it’s in line with Britain as a responsible democratic state in the international environment. But you have to find ways to make it relatable as well. Don’t have a wonderful answer on that.
I think everything is so complex right now, and the UK has a lot on its plate right now. But obviously, there has to be opportunities to engage for anyone who’s interested.


Danny Steed  42:13

Thank you, Esther Yohannes is next. You just need to unmute, feel free to ask away. I think we’ve lost that one. If I just ask this one. Amy, it’s what is the connection with GCHQ specifically? Or is it completely independent?


Amy Ertan  43:01

So the NCF is defined across literally this joint military intelligence unit. So this partnership where you do draw in from GCHQ and MOD, you don’t and from special intelligence as DSTL, but it is not under the GCHQ umbrella in the sense that completely different organization, the National Cyber Security Centre is I don’t want to introduce more acronyms, but you have this. So the relationship is that you’ll have this authorization and parts you have this partnership as well. But it’s very much a joint venture that draws in from these parties. Danny, I think you’ve actually written about this.


Danny Steed  43:54

Yes, it’s trying to really probe these bits. I think just it’s it’s adding is not necessarily my own question, but it’s a question that will need to be answered, in Whitehall and I go back to the way NCSC was set up again, not throwing more acronyms around right Amy of National Cyber Security Centre itself an offshoot of GCHQ. One of the questions that was never really truly answered then was its ministerial line of commands, because technically, it’s an intelligence service operating under the Intelligence Services Act under the Foreign Secretary’s authority, but it hugely, operates domestically in support of critical national infrastructure. Now the way and I think the NCSC had a clever trick up its sleeve because rather than following any sort of legislative dogma, it simply allows the incidence to determine the ministerial line of responsibility. So when WannaCry hits, it came under Department of Health and the health minister would take the lead with NCSC supports on the technical backing, when it was things like Tesco Bank, it came under Treasury and it comes under the Chancellor per se. They there won’t be the luxury of this with NCF. And I just think there has to be a better answer this time around. So a different elements of GCHQ leadership will have to have its own answer to a very similar aspects. That’s that’s where my thinking has been going. I’m not sure if you have a reflection on that, Amy.


Amy Ertan  45:38

I think it’s completely right, to kind of probe that relationship structure, and to always be pushing for clarity on exactly which kinds of operations are going to be authorized by whom, in what fashion? Because I think the point that you’ve raised earlier, and that’s coming through the questions is you have this foot, this National Cyber Force, it has this huge scope, it’s huge capability, you have work that’s previously been undertaken by GCHQ to collaborate at GCHQ, which has been not very transparent at all. And actually, we’re trying to push for that to change slightly in terms of what takes place. So I think that does mean that we have to understand the organizational structure, the lines of reporting, who authorizes what, and also how that’s audited and where the governance is of that. I don’t think we have that clarity just yet.


Danny Steed  46:38

Daniel, if you are still on the line?


Daniel Dobrowolski  46:55

Okay. Thank you. So I mean, this is coming in a little bit clearer, actually, from your previous answers. But to what extent do you think the work work concerning online influence operations, both offensive and defensive, should be within the remit of NCF? So I can a little bit more specifics on this. Do you think that moderating or policing online discourse is something that is ethically justified? Do you think that sort of allowing greater transparency and discussion of the actors involved in online discourse, particularly around elections, is something that’s, that would be within the remit of the NCF?


Amy Ertan  47:51

It’s a really, really interesting question. And one that taps on so many different themes, like you point out like ethics, but also mission creep. I think. So we know that there have been no influence operations, but counter propaganda operations against foreign terrorist groups, for example, that the UK has contributed to the UK have contributed to with the US in terms of moderating public discourse, I would, my view is that the NCF would not step too near that. I think the distinction again, that Marcus Willett raised last week was between foreign state foreign threats, sorry, states from outside the UK boundaries and domestic as well. So I think there are instances where when you can make that distinction, there’ll be counter propaganda, counter fake news activity, that will be the focus of the NCF. But I think when it comes to these general themes that you’ve mentioned, the kind of discourse that is now ubiquitous, everywhere, you can’t make that distinction. The NCF wouldn’t engage that that would be my view. One, because that’s not clear. That will be complicated. And also because you have this aspect of mission creep, and also all of these ethical questions about what is what is right, it is much clearer to have an operation to counter ISIS propaganda that’s targeting your citizens than it is to start interfering in discussions about elections, etc.


Danny Steed  49:37

Yeah, there’s quite a question there. I wonder about even if not, say, carrying out influence operations, but about the defensive aspect of Will there be a remit for safeguarding elections and countering influence against our own democratic processes, especially thinking if it anybody remembers the Russia reports when it was finally released? Last summer after a I think it was a nine month delay about the hesitancy on intelligence bodies to engage in measures that were seen for fear of being seen, to interfere in the electoral processes. And you wonder, is there a points there of election protection within within the remit? But it yeah, it doesn’t seem like it’s been brought up at all.


Amy Ertan  50:32

I think this is super interesting, because it’s also a question. You mentioned, I’ve been a visiting scholar with the NATO Cooperative Cyber Defence Centre of Excellence. And this idea about fake news and trolls and influence operations. It’s something that we don’t have any cookie cutter response to. Offensive cyber, again, as I mentioned, at the beginning, it’s just one tool in our toolkit. And with something like fake news and the way it spreads, last that hinted at earlier, you could use something like electoral or you could take down one group that wouldn’t necessarily fix the problem. It’s not necessarily something that offensive cyber is going to solve. We’re going to hear a lot more about it the next few years, and I think there’s going to have to be a range of policy, tech platform led different kinds of solutions, but there’s not going to be any kind of silver bullet here that offensive cyber or anything else will do. To counter that kind of thing. And yes, I’m speaking in a defensive aspect here rather than carrying out influence operations ourselves.


Danny Steed  51:43

I think I’m gonna need to ask this one. So various actors are now a few steps ahead, in terms of utilizing sophisticated techniques against other states, ie election interference, COVID vaccine hacking disinformation, do we expect to see a service force that will be matching the level of these attacks?


Amy Ertan  52:44

I don’t think it’s about matching attacks. And I think we could go into this whole different discussion about what deterrence means in cyberspace. And, of course, what we mentioned earlier, what it means to escalate in cyberspace, which would be, I think, matching the attacks. It’s the UK and the progression and development of the cyber force is, of course, shaped so much by the international context, and so much of that is the threats that they’re facing as well. But it’s about defending and offensive cyber capabilities, as defined at the end of the day is about going out to your network to disrupt or degrades or deter. Like the assets of your adversaries before they attack you. It’s still about proactive defense or anytime like that there are so many times you can throw about. It’s not necessarily engaging in some kind of tit for tat dynamic, which no one would want because then you do have this escalation. And you know, in the academic literature around cybersecurity, you have so much of the so much discussion on things like an arms race and a security dilemma. And that’s where I think you put weight on these discussions around norms, building processes, things like the UN governmental group of experts, and the Paris call and these attempts to build consensus, to not engage in that kind of activity to prevent that kind of ramp up to everyone attacking everyone. So my answer will be in a sentence. Yes, UK has to bear in mind and taking all the intelligence around threats happening to it, but in order to better defend itself.


Danny Steed  54:38

Okay, good. Time for one more Yuri if you are still on the line.


Yuri Poluneev  54:46

Yes, I am. Thank you. I have written already my question in any Q&A, but I’ll repeat it. First, thank you very much for a very interesting report and your presentation. Do you envisage NCF participation in the information warfare operations aimed to assist UK key allies, especially those that are now on the intensive information and cyber attacks? One very eloquent example here is Ukraine. And probably you’re aware that UK is assisting Ukraine in many aspects, including military support and information support. So would you envisage any role for NCF in this area?


Amy Ertan  55:45

I think that’s an interesting and open question. So I, none of us will be able to comment on on specific examples or cases, like you mentioned, but when we look at the support that the UK is to the support the UK is already committed to internationally, we know what will vary is a memorandum of understanding with the US from 2016, which means its cooperation in that aspect. The UK was also the first member state, from the NATO alliance to say that contribute offensive cyber capabilities to a NATO coordination body. So the Cyber Operations Center, which is being built out now. So it’s possible that the UK could contribute to, you know, efforts unilaterally or bilaterally as part of a NATO structure, for example. Not sure exactly what that will look like just yet. It very much is that case where when we have all these questions, but to this capability is being built out now, both by the UK, both that NATO that body becomes operational in 2023. But also, other states, when we look at the National Cyber Force, it’s the first kind of set up of the structure, we don’t see it happening so much, apart the US, for example, of course, many of our allies. So I think it’s an extremely open space. And I think, again, that brings us right back. And this is kind of a neat finishing up point is that so much depends on the scope of the NCF. And what is actually agreed, right now. It’s very broad, it’s very open. But the more you read into it, the more you understand the UK in the international context, and, and the UK in the domestic context between Brexit, COVID and fiscal constraints that the government is going to have the next few years. The fact that the UK is going to have to pick and choose where engages and the operations engages in. So we’ll see.


Danny Steed  57:51

Amy, thank you, I think yeah, that’s, as you say, really dovetails very nicely on 59 minutes. There’s a real high bar set for the National Cyber Security Strategy this year to mark these delineation points of where offensive cyber works, where it hands off to domestic resilience, where it goes to online harms and protection of elections. So yeah, there’s a lot that has to be reconciled that the Integrated Review has pointed us towards, but it’s very clear, there’s a lot of details to be worked out this year. Amy, thank you so much for your time. I know we’ve really put you through it today. So I want to both thank you and let you start taking a breather for the rest of our guests. Just to remind everybody our next event is going to be on May 27. When I’ve got an offer interview with Nicole Perlroth and her book, They Tell Me This Is How The World Ends about cyber weapons arms trade. It’s a really fascinating read. That event is for members only. So if you’re not already a member, please head to HJS websites and join up. Otherwise, thank you all for your questions and attention. And once again, thank you, Amy, and we look forward to seeing you all again soon. Thanks, everybody, and have a good rest of your day. Take care.

