Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
UK Forms National Cyber ForceAgency Will Engage in Offense as Well as Defense
U.K. Prime Minister Boris Johnson announced Thursday the creation of a National Cyber Force designed to strengthen Britain's cybersecurity posture and give the country new defensive and offensive capabilities. Some security experts, however, are raising concerns about recruiting enough qualified staff members.
The U.K. plans to increase defense spending by 24.1 billion pounds ($31.5 billion) over the next four years, including funding both the new National Cyber Force as well as a brand-new Space Command, according to the announcement.
The National Cyber Force will draw its initial personnel from Britain's spy agency, GCHQ; the Ministry of Defense; the Secret Intelligence Service, MI6; and the Defense Science and Technology Laboratory. It’s the first U.K. organization designated to work on offensive cyber action against overseas adversaries.
The BBC reports that the National Cyber Force has been secretly running since April, operating from GCHQ's headquarters at Cheltenham, the DSTL Lab at Porton Down, Wiltshire, and from various intelligence agencies located in London. It’s expected to eventually move into its own headquarters.
Stepping Up Offense and Defense
Johnson told Parliament this week that the creation of the National Cyber Force will help the U.K. step-up its cybersecurity offensive and defensive capabilities.
"Our enemies are also operating in increasingly sophisticated ways, including in cyberspace," Johnson said. "Rather than being confined to some distant battlefield, those that seek to do harm to our people can reach them through the mobile phones in their pockets or the computers in their homes. To protect our citizens, U.K. defense therefore needs to operate at all times with leading, cutting-edge technology."
The National Cyber Force initially now has 250 million pounds ($327 million) in funding, of which 76 million pounds ($100 million) is to be spent during the first year, according to the Cyber Security Intelligence news site. Its staff, projected to be 2,000, could eventually grow to 3,000, according to the announcement.
Several cybersecurity and military experts question how the U.K. will be able to grow the staff of the new National Cyber Force, given the lack of those with the necessary skills.
"The people side will be very difficult," says John Walker, a visiting professor at the School of Computing and Informatics at Nottingham Trent University and a former member of the Royal Signals and Radar Establishment.
"You can't just put a civil servant in the job. You need to think differently," Walker says. "One of the issues identified was how to attract skilled personnel from the private sector to come to the public sector and reward them adequately to stay. Are they going to pay 100,000 euros ($117,000) for a desk job? I don't think so. So how do you attract - and then retain them - especially after training them?"
Phil Cracknell, an independent security consultant and a former cabinet office cybersecurity expert, says the British military is still working to develop personnel to meet the country's cybersecurity needs.
"Clearly there are two problems here and these problems apply to cyber across industry as well as the armed forces," Cracknell says. "One is the current cyber skills, which clearly need to be bolstered for our military but also for our future forces who need to develop in-house expertise over the coming years. Undoubtedly, the National Cyber Force will be composed of reserve specialists, civilian contractors, potentially an academic alliance and redeployed regular military personnel. A good portion of [its budget] will need to be invested in education."
On the Offensive
Examples of offensive cyber operations that the National Cyber Force could be involved in down the road include keeping U.K. military aircraft safe from targeting by hostile weapons systems as well as interfering with mobile phones to prevent a terrorist from being able to communicate with their contacts, according to Thursday's announcement. The agency might also be used to police the internet from being used as a global platform for serious crimes, including sexual abuse of children.
Britian has had previous cyber offensive efforts. In 2018, GCHQ director Jeremy Fleming confirmed "a major offensive cyber-campaign" against the terrorist group ISIS. And Mark Sedwill, former National Security adviser, confirmed Britain used cyber measures against senior Russian leaders, according to the Financial Times.
In a bid to quell possible concerns about terms of engagement for an organization largely operating in secret, lawmakers emphasized that the National Cyber Force would be subject to external oversight as well as ministerial authorization for more risky or novel operations. The foreign secretary and defense secretary will sign off on certain operations conducted by the new agency.
"The U.K. is committed to using its cyber capabilities in a responsible way and in line with U.K and international law," said Foreign Secretary Dominic Raab. "Past and future cyber operations have and will continue to operate under existing laws, including those granted by the Intelligence Services Act and the Investigatory Powers Act. This ensures U.K. cyber operations are responsible, targeted and proportionate, unlike those of some of our adversaries."
Those sentiments were echoed by GCHQ's Fleming.
"Working in close partnership with law enforcement and international partners, the National Cyber Force operates in a legal, ethical and proportionate way to help defend the nation and counter the full range of national security threats," he said.
Cooperation Welcomed by Allies
The creation of the National Cyber Force was welcomed by the U.S. Cyber Command, which fills a similar role.
.@US_CYBERCOM warmly welcomes our newest partners in cyber operations: the UK National Cyber Force. We look forward to working with the NCF against cyber threats. https://t.co/MA5cTymV4o— U.S. Cyber Command (@US_CYBERCOM) November 19, 2020