Turn off the lights in Moscow? This is just one of the possible uses of offensive cyber operations (OCOs) briefed to the press by senior British defence sources.[1] Put simply, OCOs ‘project power to achieve military objectives in, or through, cyberspace.’[2] In everyday language, we are talking about ‘cyber attacks’ – from knocking websites offline to disabling computers on a network, shutting down a power grid, manipulating centrifuges in uranium enrichment facilities, or undermining an adversary’s air defences.
Over the last decade, the UK government has talked more openly about its cyber capabilities.[3] The latest step was the Prime Minister’s recent avowal of the National Cyber Force (NCF), which has been operational since April.[4] Uncertainty remains, however, about the role of OCOs in wider UK strategy and how our political leaders are navigating the complex choices involved in deciding when to use cyber operations to secure national objectives and project British values overseas. For example, should OCOs only target an adversary’s defence and security infrastructure, or should the UK follow the contemporary trend in targeting civilian infrastructure, as implied in the Moscow scenario briefed to the press?
There is a burgeoning academic literature on covert action as an instrument of state policy.[5] There is also an extensive and growing literature on the legal and strategic issues raised by state and non-state cyber operations.[6] Cyber operations during an armed conflict are covered by the existing law of armed conflict, and should abide by the principles of necessity, distinction, proportionality and unnecessary suffering. Much cyber activity, however, takes place beneath this threshold. Domestic legislation – the Intelligence Services Act (1994) and the Investigatory Powers Act (2016) – provides the process for senior ministers to authorise operations such as equipment interference where these are deemed to be necessary, proportionate and have a sound legal basis in the interests of national security, economic well-being, and the detection or prevention of serious crime.
The joint nature of the NCF, combining personnel from GCHQ, the Ministry of Defence and other agencies, is an efficient use of limited expertise in this field: it houses under one roof, so to speak, the capability to operate under these different operational authorisations.[7] Whilst the UK has committed to abiding by international law in its conduct of cyber operations, there is legal uncertainty about when precisely OCOs should be regarded as reaching the level of a use of force.[8] Must they cause injury or physical damage, or could, for example, serious economic damage or the degradation of military infrastructure be sufficient to be interpreted as a use of force?
Whilst there is an international debate about the legal status of OCOs as a use of force or as an otherwise prohibited intervention in the sovereign affairs of another state, less attention has focused on the specifically ethical dimensions of political decisions to approve OCOs.[9] This piece aims to stimulate further ethical debate about OCOs as the NCF emerges as an instrument of the UK’s wider national security strategy. Whilst there is not yet a substantial literature applying moral philosophy to this issue, there is no shortage of theories and traditions to draw on. One obvious step would be to apply the principles of ‘just war’ theory directly to cyber operations, another to frame discussion around acceptance or rejection of a realist approach to cyber dilemmas facing political leaders, according to which the UK should develop formidable offensive cyber capabilities and be prepared to use them to enhance national power and security.
As a shortcut, I employ Max Weber’s distinction between the ethics of conviction and the ethics of responsibility, and the importance of the latter in exploring the challenges of political leadership.[10] Put simply, as voters we do not expect our elected leaders to make decisions solely on the basis of their personal beliefs. They should be mindful of a duty to act in accordance with the best interests of the nation – and perhaps with some broader conception of the common good, including global public goods. Defining the national interest is, of course, a contested, inherently political act. Nonetheless, political leaders are morally responsible for the consequences of their actions and omissions in pursuit of their conception of the national interest, however imperfectly articulated or socially divisive it might be.[11]
Political leaders are not the only moral agents involved in this OCO process. Officials and military officers have responsibilities for: shaping the processes that determine strategic priorities for intelligence collection, effects operations and the development of capabilities; producing submissions and plans for specific OCOs; and shepherding the equities process to determine whether vulnerabilities uncovered by UK cyber operators are retained for offensive or surveillance purposes, or are disclosed to enable patching, enhancing the global public good of systemic cyber security.[12]
A typology of offensive cyber and its ethical dilemmas
At this point, it is perhaps useful to explore a typology of activities that are pursued under the umbrella term OCO. In a recent speech, former National Cyber Security Centre chief executive Ciaran Martin proposed an escalating ‘five tier structure of cyber warfare’, conveniently forming a mnemonic acronym, HACKS.[13] Martin’s lowest level is hacking in support of national security objectives, gaining access to adversaries’ electronic devices, possibly degrading or deleting content. The second tier is ‘adversarial infrastructure destruction’ in which digital infrastructure, such as a terrorist organisation’s online propaganda network, is destroyed. The third tier is ‘counter-influence’ operations, essentially the use of OCOs to achieve deterrence. The fourth tier is ‘kinetic’ attack, a cyber operation that causes significant damage to specific infrastructure, for example disrupting the electricity supply to a city (the Moscow example above) or taking a television network off the air. Finally, the fifth and highest tier is system-wide, all-out cyber attacks on military and civilian targets during an armed conflict that sees cyber used as part of integrated operations.[14]
The HACKS model is useful because it highlights the spectrum of severity on which any OCO can be placed. It also demonstrates the variety of ethical dilemmas posed by different OCOs, where some proposed operations are likely to command more universal agreement that they are morally justified. Few would argue against (appropriately authorised) cyber operations that disrupted the digital command-and-control infrastructure used to direct a terrorist attack or to mastermind a global ransomware campaign. Far more would question whether it could ever be ethical, or indeed lawful, for the UK to attack an adversary’s national power grid or civilian air traffic control system.
Another way of thinking about this is to simplify Martin’s structure – losing the HACKS mnemonic in the process, alas – so that the typology of OCOs is reduced to three tiers: skirmishing; strategic ‘cyber solo’ operations; and cyber operations integrated with non-cyber operations during an armed conflict.[15] At the basic level of skirmishing, states and other actors are competing for advantage in cyberspace. When a hostile state actor, terrorist or organised crime group uses digital infrastructure directly or indirectly to harm the UK – whether that harm is electoral interference, disinformation, preparation for an armed attack, or running a ransomware campaign – then the Government should have a relatively easy time justifying the necessity and proportionality of a counter-cyber operation to degrade, disrupt or destroy the digital infrastructure used by these hostile actors. Skirmishing could aim to pre-empt an attack, prevent a ransomware campaign, or punish a hostile state actor or its proxy, increasing the ‘tactical friction’ and ‘strategic cost’ faced by the UK’s cyber adversaries.[16] This tier includes operations to take down disinformation websites, as has been recently reported in efforts to counter anti-vaccine ‘fake news’.[17] The dilemma is harder if an adversary’s digital infrastructure is hosted in a state unaware of the malign activity. Ordinarily, we would expect the UK government to work with the government of that state to resolve the issue, but, in extremis, there would be a clear ethical case that it would be proportionate and necessary to conduct a specific and limited OCO to eliminate an imminent threat, even though that constituted a covert breach of the other state’s sovereignty.
The second tier, strategic ‘cyber solo’ operations can be split into two: a lower tier that tries to deter adversaries by signalling that the UK has the capability to use cyber operations against adversaries’ infrastructure, perhaps restricted to defence- and security-related infrastructure, but perhaps not; and a higher tier that actually involves using such capabilities, for example to enforce a red line when the lower tier of deterrence had failed. The interesting thing about this tier is that it inhabits the challenging grey zone of cyber operations that hover below the threshold of armed conflict. Even where the intention is only signalling and not to conduct an attack, the decision must be very carefully considered – not least for the potential that a pre-positioned implant is misinterpreted by the adversary as an indicator of an imminent attack, precipitating a crisis. Depending on the choice of infrastructure targets, this tier also raises broader ethical questions about the sort of internet that the UK should be trying to promote. Does it really want to be in the business of targeting civilian infrastructure, even if only for deterrent effect? Bearing in mind that, for deterrence to be credible, the adversary needs to believe that you will be willing to carry out the attack.[18] This tier of the typology also poses ethical questions about the second-order consequences, or system effects, of targeting infrastructure: does it undermine the rules-based approach to the Internet that the UK upholds elsewhere? Is there value, in other words, to acting in a more Kantian fashion, refusing to pursue civilian infrastructure targeting that, if universalised as the practice of all cyber-capable states, would exacerbate threats to critical infrastructure around the world?
The third tier of OCOs, cyber operations as part of an armed conflict, represent the highest level of possible damage but, paradoxically, pose the fewest new ethical dilemmas. This is because, as the UK has repeatedly emphasised, it considers cyber operations to be subject to the same body of law as other operations during an armed conflict. All such operations can, therefore, be assessed by traditional ethical principles of military necessity, proportionality, discrimination between military and civilian targets, and the requirement to avoid unnecessary suffering. This is the tier in which the UK can rely most confidently on the ethical principles that have evolved over decades of warfare.
This simplified typology encompasses a broad range of tactical, operational and strategic decisions about whether or not to use OCOs. It isn’t clear yet what the proposed balance of missions is for the NCF: will it be primarily a cyber skirmishing force, a deterrent against hostile state actors, or a developer of OCOs to support integrated operations during armed conflict? As outlined above, whatever the priorities of the NCF, each of these decisions is implicitly ethical. An effective ethic of cyber responsibility requires deliberation, technical and strategic understanding that depend on agency (the role and character of individuals) and structure (the impact of routines and processes). These issues may or may not be addressed in the integrated review of security, defence, development and foreign policy. Whether or not they are, the National Security Council (NSC) and Prime Minister should have been using the review’s process to reflect carefully on Britain’s use of OCOs, which would require the application of moral reasoning.
Optimising the ethic of cyber responsibility
One of the biggest challenges facing government is how to structure its underlying processes to provide sufficient support for political leaders to take informed ethical decisions about OCOs in support of national security, economic well-being or countering serious crime. There are already strategic processes that produce requirements and priorities for intelligence coverage, effects operations and capability development, and these will naturally shape the NCF’s priorities. Even with the reported increase in the defence budget, difficult decisions still must be made about the balance of investment between the three tiers of possible missions outlined above. Another issue is raised by the limited pool of top cyber talent: with finite expertise to allocate to different missions, government must decide how to structure its wider cyber workforce, across not only OCOs but also digital espionage and the cyber security work of the NCSC.
A democratic state should configure its structures and processes of decision to guarantee that the relevant moral issues surface sharply in pre-decision debates in the presence of the appropriate (and appropriately-informed and actively-participating) accountable elected figures. Similarly, there is an argument that enhanced legislative oversight might help improve the quality of executive deliberation about OCOs, notwithstanding the need for operational secrecy.[19]
This issue was highlighted in contrasting approaches to US OCOs under the Obama and Trump administrations. The Trump administration reportedly relaxed the tightly-controlled authorisation process exercised by the Obama White House.[20] Trump’s process afforded greater latitude for both US Cyber Command and the Central Intelligence Agency’s clandestine cyber operations.[21] The contrast between administrations highlights the existence of a spectrum on which we can place any executive, according to the relative depth and rigour of its OCO processes.
Notwithstanding criticism of Obama’s process as inflexible, it is clear that he took seriously the ethics of cyber responsibility. Under Trump’s more devolved process, the importance of the responsible leadership exercised by unelected individuals arguably increased, for example head of US cyber command General Paul Nakasone.[22] Whilst the incoming Biden administration might not reset the authorisation process back to the strictures of the Obama era, it may nonetheless reassert a more prominent and hands-on role for the White House in active management of OCOs. This would be equally desirable in the British case, especially where questions exist about the current Prime Minister’s attention to detail and priorities.[23]
A well-formed OCO process should clarify the important ethical dimensions, so that political leaders better understand the decisions they are being asked to take. Insofar as operational urgency permits, these decisions should be taken in the collegial environment of a committee, chaired by the Prime Minister and including the Attorney General and the relevant authorising ministers (the foreign secretary and defence secretary). Something like this process may already exist and even be used prudently by the Prime Minister. It is not imperative that the process be publicly avowed. Operational secrecy is manifestly necessary. But better communication might improve public confidence in the ethics of UK OCOs and that government is striking the right balance between OCOs and the public good of cyber security. Ciaran Martin’s recent speech helped to advance such a public debate about the need to consider the cyber security implications of Britain’s emerging offensive cyber strategy.[24]
Former cabinet secretary Lord Sedwill recently claimed that OCOs were part of a ‘series of discreet measures’ taken by the UK against Russian leaders and their interests after the 2018 Salisbury attack.[25] A hypothetical decision to approve cyber operations against, say, financial infrastructure to target illicit wealth might have been justified, in principle, as a deterrent or retributive act, necessary to protect national interests. This decision – in the grey middle tier of our cyber typology – should, however, balance expected national gains against wider ethical considerations such as the integrity of the financial system – a global public good, from which everyone benefits, including UK citizens. Adverse reputational impact on the UK as a lawful actor, if such an operation was exposed, should also be assessed. This approach would be consistent with the principles that the Government has previously stated would guide its cyber operations, but ambiguity – perhaps deliberate – remains about UK decision making in practice.
Operational exposure or compromise of a capability can lead to more than reputational damage. What happens if capabilities developed to enable British cyber operations are leaked, leading to their use by hostile actors? This hypothetical has a disturbing basis in fact: the widely-reported loss and disclosure of US National Security Agency hacking tools that led to waves of cybercrime, most notably the WannaCry ransomware that ravaged networks across the globe, including the National Health Service.[26] This is a striking example of the potential damage to the public good of cyber security when, rather than disclose vulnerabilities, states secretly buy or develop them for digital surveillance or OCOs.
In principle, there is nothing uniquely cyber-related about this dilemma: it would be dangerous if, for example, lax security at a military facility led to weapons and ammunition falling into hostile hands. The reason that the cyber debate is more urgent is that this has already happened, and the very nature of cyber operations is that adversaries can potentially detect and re-purpose cyber tools for their own ends. There are valid reasons of state for maintaining offensive cyber capabilities, just as there are reasons for retaining digital surveillance capabilities. There is, however, an equal need for rigorous, reflective processes to determine when to prioritise offensive or surveillance objectives over those of cyber security.
Decisions about the size and structure of national cyber forces are inherently political. They reflect an executive’s risk appetite, prioritisation of objectives, and understanding of the system effects of approved operations. In some ways, ethical dilemmas are identical to other domains, e.g. the choice between counterforce (military) and countervalue (civilian) targeting. But in others, particularly the middle tier of our typology, the precision and non-lethality of OCOs potentially obscures their second-order effects. For example, a targeted operation against one bank account, or the non-disclosure of a vulnerability to use it for a specific offensive cyber operation, can be seen to achieve a specific and limited national objective, but how should political leaders weigh the broader implications and risks, such as eroding a global public good – cyber security or the integrity of financial infrastructure? As one former senior GCHQ official noted after the NCF announcement, offensive cyber has its place in national strategy, but it should not distract from the imperative to improve cyber security.[27]
Recommendations
An effective ethic of cyber responsibility requires active and informed political leadership. This entails clear and sustained commitment from political leaders, but also that the right processes are available to ensure that the underlying risks are understood. Technical knowledge is needed to make informed decisions, but these decisions are ultimately political and freighted with moral considerations. To this end, a ministerial cyber sub-committee of the NSC should be reconstituted and it should meet regularly to review the totality of cyber strategy, including updates on current OCO. It should act as a forum for deliberation and decision about the dynamic balance between the different aspects of national cyber strategy. The ethical case for tier 1 (cyber skirmishing) and tier 3 (cyber operations during armed conflict, supporting integrated operations) missions is most compelling. There is a strategic imperative for both missions and it will be for ministers to decide how to balance these competing priorities for the NCF’s capability development and operational activities. Tier 2 operations, including deterrent signalling of capabilities to undermine critical infrastructure, are ethically and legally more complex, to say nothing about their strategic efficacy. More research is needed about how the NCF might best incorporate tier 2 missions within its remit, without prejudice to its other missions.
The current vulnerabilities equities process, which only escalates the hardest cases to secretary of state level, should in future be placed formally under the NSC cyber sub-committee, to provide regular ministerial review of the findings of the official equities process. This improvement in ministerial engagement with the equities process is arguably worthwhile given the possibility of more disagreement in future at official level, as the NCF becomes a more active player in generating and seeking to retain vulnerabilities for offensive purposes. As the equities process diverges from its origins as a predominantly espionage- or security-focused debate, GCHQ-driven system, there is the potential for sharper disagreements about releasing or retaining vulnerabilities – particularly between NCSC and NCF if the latter pursues tier 2 targeting of civilian infrastructure. Given the strategic significance of these questions, it is right that ministers should take a more active interest in this process.
At this broader strategic level, it would also be advantageous to streamline existing ministerial cyber responsibilities. Whilst the most sensitive cyber operations will continue to be authorised by the foreign or defence secretaries, in dialogue with and after input from the Prime Minister’s and Attorney General’s respective offices, there is a strong argument for improving the quality of more continuous ministerial engagement with overall cyber strategy by creating a network of joint ministers of state across several departments with cyber-relevant operational and policy remits, e.g. between the Cabinet Office, Ministry of Defence, Foreign, Commonwealth and Development Office (FCDO), the Home Office and Department for Digital, Culture, Media and Sport. Cyber issues are complex and interconnected: a network of ministers empowered to focus more intensely on these issues, understanding the cross-departmental overlaps and dilemmas, would improve the quality of ministerial involvement in and active management of this process.
Regarding wider oversight, it is welcome that the Intelligence and Security Committee of Parliament (ISC) will assume oversight of the NCF. This will, however, surely require uplift in the resources and independent expertise at its disposal, notwithstanding the Prime Minister’s stated belief that it is already ‘well equipped’ to perform this task.[28] The ISC should also draw more of its secretariat from outside the operational community which it oversees. Whilst the mechanics of ISC oversight of the NCF are presumably still a work in progress, the Committee should also consider the benefits of conducting (and publishing some of the findings of) an annual review of the equities process, providing further oversight and improving public confidence in the accountability of that significant part of UK cyber strategy.
As with other areas of defence strategy, the UK does not have the resources to exercise cyber power in the same league as the US. It must carefully balance its investment and deployment of top talent across all cyber missions. There are limits to what the UK can realistically achieve. Its allocation of resources must be guided by an incisive strategic assessment of national priorities. Such a strategic audit of the offensive cyber workforce and its mission priorities should be conducted following the agreement of national strategic objectives in the integrated review, as part of the next iteration of national cyber strategy due in 2021.[29] It should also be actively overseen by the proposed ministerial cyber sub-committee of the NSC. Furthermore, this review should be pursued explicitly within an alliance context. As with the FIVE EYES partnership in digital espionage, the UK should collaborate and, as far as possible, deconflict with the US and other close partners to ensure that the alliance derives optimum value from the UK investment in offensive cyber capability development and its conduct of OCOs.
Conclusion
In an ideal world, all cyber-capable state actors would agree not to target civilian critical infrastructure or to undermine the integrity of global public goods in cyberspace. Achievement of such agreement would be an incontestable victory for multilateral cyber diplomacy, delivering better norms of cyber competition between states – notwithstanding the severe difficulties that would await any formal verification process. In reality, however, unless adversaries – and perhaps also allies, in keeping with the interdependent nature of cyber competition – change their behaviour, it is possible that tier 2, primarily deterrent operations might well form an important part of the new NCF’s mission.[30]
With this caveat, the UK is arguably better off prioritising its limited high-end cyber resources on tier 1 and tier 1 missions, concentrating on counter-cyber skirmishing and the development of counterforce capabilities to support integrated operations during armed conflict, rather than pursuing a countervalue approach to targeting civilian infrastructure. This is consistent with international law, as well as with British values and the liberal way of war, described by John Stone as being ‘concerned with breaking things as an alternative to killing people’.[31]
In exercising the ethic of cyber responsibility, our political leaders should apply a principle of ‘minimum effective offensive cyber capability.’ The global public good of cyber security, from which everyone benefits, should be prioritised wherever possible. This is particularly the case in the equities process, only retaining the capabilities to conduct a carefully selected number of offensive operations and weighing seriously the potential risks that these capabilities would pose if the escaped into the wild. That these capabilities should be well protected is a given, but their very engineering should reflect on the damage caused by uncontrolled, self-propagating viruses. A responsible state cyber power should act in a more restrained and discriminating manner. The UK should be able to compete with and successfully deter less responsible or restrained cyber powers, such as Russia, without compromising our principles and pursuing a similar turn countervalue targeting of civilian infrastructure.[32]
Dr Joe Devanny is a lecturer in the Department of War Studies, King’s College London, and deputy director of the Centre for Defence Studies at King’s. He writes here in a personal capacity. Joe was previously programme director for security at Ridgeway Information, a King’s spinout company, and a research fellow at the International Centre for Security Analysis, part of the Policy Institute at King’s. Prior to this, Joe was a postdoctoral researcher on the contemporary history of Whitehall, a joint project between King’s and the Institute for Government. Before this, Joe was a UK civil servant working on national security issues.
Image by Cabinet Office under (CC).
[1] Caroline Wheeler, Tim Shipman and Mark Hookham, UK war-games cyber attack on Moscow, The Sunday Times, October 2018, https://www.thetimes.co.uk/article/uk-war-games-cyber-attack-on-moscow-dgxz8ppv0
[2] Ministry of Defence. 2016. Cyber Primer (2nd Edition). Shrivenham: Development, Concepts and Doctrine Centre: 54.
[3] David J. Lonsdale. 2016. Britain’s Emerging Cyber-Strategy. The RUSI Journal 161, no.4: 52-62.
[4] Gordon Corera, UK’s National Cyber Force comes out of the shadows, BBC News, November 2020, https://www.bbc.com/news/amp/technology-55007946
[5] Elizabeth E. Anderson. 1998. The Security Dilemma and Covert Action: The Truman Years. International Journal of Intelligence and Counterintelligence 11, no.4: 403-427; Austin Carson and Keren Yarhi-Milo. 2017. Covert Communication: The Intelligibility and Credibility of Signaling in Secret. Security Studies 26, no.1: 124-156; Austin Carson. 2018. Secret Wars: Covert Conflict in International Politics. Princeton, N.J.: Princeton University Press; and Rory Cormac. 2018. Disrupt and Deny: Spies, Special Forces, and the Secret Pursuit of British Foreign Policy. Oxford: Oxford University Press.
[6] Michael Schmitt (ed.). 2017. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd ed.). Cambridge: Cambridge University Press; Brandon Valeriano, Benjamin Jensen and Ryan C. Maness. 2018. Cyber Strategy: The Evolving Character of Power and Coercion. Oxford: Oxford University Press; Ben Buchanan. 2020. The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. Cambridge, MA: Harvard University Press; and the various contributions to the Fall 2020 edition of the Texas National Security Review, https://tnsr.org/volume-3-issue-4/
[7] Marcus Willett, Why the UK’s National Cyber Force is an important step forward, International Institute of Strategic Studies, November 2020, https://www.iiss.org/blogs/analysis/2020/11/uk-national-cyber-force
[8] Jeremy Wright, Speech: Cyber and International Law in the 21st Century, May 2018, https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century; Jeremy Wright, Speech: Attorney General’s speech at the International Institute for Strategic Studies, January 2017, https://www.gov.uk/government/speeches/attorney-generals-speech-at-the-international-institute-for-strategic-studies
[9] Randall R. Dipert. 2010. The Ethics of Cyberwarfare. Journal of Military Ethics 9, no.4: 384-410; Edward T. Barrett. 2013. Warfare In A New Domain: The Ethics Of Military Cyber-Operations. Journal of Military Ethics 12, no.1: 4-17; and David J. Lonsdale. 2020. The Ethics of Cyber Attack: Pursuing Legitimate Security and the Common Good in Contemporary Conflict Scenarios. Journal of Military Ethics 19, no.1: 20-39.
[10] Max Weber. 2000. The Profession and Vocation of Politics. In Political Writings. Cambridge: Cambridge University Press: 309-369.
[11] Arnold Wolfers. 1952. “National Security” as an Ambiguous Symbol’. Political Science Quarterly 67, no.4: 481-502; Bob Jessop. 2015. The State: Past, Present, Future. Cambridge: Polity: 51.
[12] An outline of the UK equities process, its decision and oversight arrangements, has been published by GCHQ: The Equities Process, November 2018, https://www.gchq.gov.uk/information/equities-process
[13] Ciaran Martin, Cyber-weapons are called viruses for a reason: Statecraft and security in the digital age, King’s College London, November 2020, https://thestrandgroup.kcl.ac.uk/event/ciaran-martin-cyber-weapons-are-called-viruses-for-a-reason-statecraft-security-and-safety-in-the-digital-age/
[14] UK Ministry of Defence. 2020. The Integrated Operating Concept 2025: 10.
[15] Dipert, The Ethics of Cyberwarfare: 403; David Betz and Tim Stevens, 2011. Cyberspace and the State: Toward a Strategy for Cyber-Power. London: Routledge for the International Institute for Strategic Studies: 97.
[16] The quoted phrases are taken from the Command Vision of US Cyber Command, which provides a concise statement of the current US offensive cyber strategy. See: US Cyber Command, Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command, April 2018, https://www.cybercom.mil/Portals/56/Documents/USCYBERCOM%20Vision%20April%202018.pdf
[17] Lucy Fisher and Chris Smyth, GCHQ in cyberwar on anti-vaccine propaganda. The Times, November 2020, https://www.thetimes.co.uk/article/gchq-in-cyberwar-on-anti-vaccine-propaganda-mcjgjhmb2
[18] Martin makes both these points eloquently in his speech: Cyber-weapons are called viruses for a reason, 10.
[19] Joe Devanny, Richard Brown, Grant Christopher, Michael Endsor and Matthew Zelina, Written evidence by the International Centre for Security Analysis, King’s College London, to the Parliamentary Joint Committee on the National Security Strategy’s Inquiry on Cyber Security: UK National Security in a Digital World, UK Parliament, 2017, http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/national-security-strategy-committee/cyber-security-uk-national-security-in-a-digital-world/written/47199.pdf
[20] John Bolton. 2020. The Room Where it Happened: A White House Memoir. New York: Simon & Schuster: 174-175.
[21] Zach Dorfman, Kim Zetter, Jenna McLaughlin and Sean D. Naylor, Exclusive: Secret Trump order gives CIA more powers to launch cyberattacks, Yahoo News, July 2020, https://news.yahoo.com/secret-trump-order-gives-cia-more-powers-to-launch-cyberattacks-090015219.html
[22] Garrett M. Graff, The Man Who Speaks Softly—and Commands a Big Cyber Army, Wired, October 2020, https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/
[23] Rory Stewart, Lord of misrule: Boris Johnson: an amoral figure for a bleak, coarse culture, The Times Literary Supplement, November 2020, https://www.the-tls.co.uk/articles/boris-johnson-tom-bower-book-review-rory-stewart/
[24] Martin, Cyber-weapons are called viruses for a reason.
[25] Tom Newton Dunn. 2020. UK Targets Putin Allies. The Times, 24 October 2020, Times2 1, 4.
[26] Lily Hay Newman, The Leaked NSA Spy Tool That Hacked the World, Wired, March 2018, https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/; Nicole Perlroth and Scott Shane, In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc, New York Times, May 2019, https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html
[27] Conrad Prince, On the Offensive: The UK’s New Cyber Force, RUSI, November 2020, https://rusi.org/commentary/offensive-uk-new-cyber-force
[28] Boris Johnson, HC Deb, 19 November 2020, c.496,
[29] John Gearson, Philip Berry, Joe Devanny and Nina Musgrave, The Whole Force by Design: Optimising Defence to Meet Future Challenges, Serco Institute/King’s College London, October 2020: 69.
[30] Paul M. Nakasone, A Cyber Force for Persistent Operations, Joint Force Quarterly 92, January 2019, http://cs.brown.edu/courses/csci1800/sources/2019_01_22_JFQ_CyberRoleForPersistentOperations_ Nakasone.pdf
[31] John Stone. 2013. Cyber War Will Take Place! Journal of Strategic Studies 36, no.1: 106.
[32] Andy Greenberg. 2019. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. New York City: Random House.