What will the National Cyber Force do, and will it make the UK safer?

A new partnership between the UK’s military and spy agencies promises to transform the country’s cyber operations. Harry Lye asks what it will do and whether it will make businesses safer.

In November 2020, as part of a raft of defence spending increases, UK Prime Minister Boris Johnson announced the formation of a joint military-GCHQ National Cyber Force (NCF).

Staffed by personnel from the armed forces, GCHQ, MI6 and the Defence Science and Technology Laboratory, the NCF promises to transform the UK’s cyber capabilities.

“The NCF is bolstering our global presence in the cyber domain, and it is a clear example of how we are turning our ambitious agenda to modernise defence into a reality,” said Defence Secretary Ben Wallace at the time.

The new force formalises an existing relationship between the military and GCHQ. It’s a partnership that saw the two organisations formally collaborate on an offensive cyber campaign designed to disrupt the so-called Islamic State’s online propaganda networks.

Operations like these appear to be high on the NCF’s agenda as it builds on the existing National Offensive Cyber Programme and collaboration between the UK Armed Forces Strategic Command, which oversees military cyber and GCHQ.

Separate to the National Cyber Security Centre, or NCSC, which works to protect the UK at home, the key to the NCF is its ability to operate under a civilian authorisation to engage threats rather than merely defend against them proactively.

On the offensive

The government has offered a few examples of the kinds of operations the NCF will be undertaking and clues can be taken from earlier operations against the Islamic State.

When the NCF was announced the government detailed how it could be used to disrupt the mobile phones of terrorists to prevent them from communicating with each other. Offensive hacking could protect military aircraft from being targeted by hostile weapons systems. The government also described how the force could be used to prevent the abuse of the internet by criminals, fraudsters and paedophiles.

At the very high-end, the force also means the UK’s cyber capabilities are continually sharpened, meaning that if they were ever needed in a war scenario, the UK has hands-on experience that could disrupt the infrastructure of other military systems.

“From defending against terrorism, to countering hostile state activity to tackling the scourge of online child abuse, the National Cyber Force brings together critical capabilities from across government to help protect the UK,” said Foreign Secretary Dominic Raab at the time of the announcement.

I can't think of another nation that has developed a similar solution.

Marcus Willett, who spent over three decades at GCHQ and was the agency’s first director of cyber, helped to design the UK’s first national cybersecurity strategy and, with the MOD, ran the UK’s National Offensive Cyber Programme.

Now a senior adviser for cyber to the International Institute for Strategic Studies (IISS), Willett told Verdict Magazine: “The NCF brings greater mass, both in terms of people and investment, to bear on the day-to-day issues that we face in cyberspace all the time, whether that's terrorists trying to radicalise or whether that's serious criminals trying to defraud or, paedophiles doing the horrible things they do or states seeking to achieve malign influence by various means.”

Willett added that achieving those goals requires more investment and people than GCHQ would have achieved on its own. He added: “It covers all national requirements for cyber operations, with the political authorisations and oversight decided by the nature of the operation rather than by organisational stovepipes. I think it is unique.

“I can't think of another nation that has developed a similar solution. In the US that would be the same as putting cyber operators from Cyber Command, NSA, CIA, FBI and a whole lot of other organisations in one place.”

In a written answer to MPs, UK Defence Minister James Heappey elaborated on the role of the NCF further, saying that it would “design and deliver” operations from supporting warfighting campaigns to countering serious crime and combatting terrorism.

National Cyber Force

Safety through collaboration

The NFC is ambitious in its scope and is a significant reshuffling of the deck for the UK’s cybersecurity apparatus. But will it prove to be more effective than current organisations at keeping the country safe? Broadly, the cybersecurity industry seems to think so.

Mark Testoni, CEO of SAP NS2, told Verdict Magazine that “collaboration” among “intelligence, defence and other agencies” would only improve cyber operations, adding that the NCF was a “step in the right direction”.

Testoni added: “Threats aren’t encumbered by organisational walls and silos. Sharing adversarial information and cooperating to create symmetrical offensive and defensive approaches will enhance effectiveness.

“The cyber threat transcends traditional military and civil lines, so it’s also critical that government extends collaborative efforts to the private sector and other critical infrastructure players.”

Sharing adversarial information and cooperating to create symmetrical offensive and defensive approaches will enhance effectiveness.

For Mimecast’s director of threat intelligence and response, Francis Gaffney, the creation of the NCF shows a “real appetite” from government to limit the cyber threat facing the UK.

“The level of uncertainty we still face means that any cyber threat actor can launch a large-scale campaign that could propagate widely, and we need to put all the right safeguards in place to avoid it – which is where the new task force comes into play,” he said.

“By making cybersecurity a national priority, this new National Cyber Force will certainly have a positive impact on the overall cyber hygiene level of citizens and organisations of the UK. I certainly welcome the continued interest and funding of the UK’s cyber-defences. Long may it continue.”

Navigating rules of cyber engagement

Compared with military rules of engagement, the lines are somewhat blurred in cyberspace. There is general agreement that a cyberattack which results in kinetic damage, such as triggering a nuclear plant meltdown, constitutes an act of war. But there are many grey areas in between that the NCF will have to navigate in the course of its duties.

Ed Parsons, executive VP of consulting at F-Secure, told Verdict Magazine there is concern that reactions to cyber incidents or “perceived acts of aggression” could lead to escalation and potential military consequences. This, he said, has emboldened “aggressors” and become a factor in their decision making.

Parsons added that while “we are far from establishing norms in cyberspace”, the NCF would help the UK to protect its reputation in cyberspace through “careful targeting, proportionate action and response, and effective governance”.

Cybersecurity is a complex challenge that requires diversity in thinking, particularly in the field of active defence.

However, Parsons warned that we need to be wary of “the militarisation of responses, which would narrow our options in the cyber domain, leading towards destructive forms of retaliation”.

This could have the consequence of the “over-representation of armed forces in decision-making positions”.

“Cybersecurity is a complex challenge that requires diversity in thinking, particularly in the field of active defence,” he added.

Aside from these concerns, there is an overall sense that having a more collaborative approach will keep the UK and its businesses safer.

“Helping to disrupt adversaries will help make UK businesses far safer and puts more emphasis on the core structure of the country rather than leaving businesses to fend for themselves in the dark,” said Jake Moore, cybersecurity specialist at ESET.

“So many organisations have felt left on their own when it comes to cyber protection, so this being addressed is very positive. This will no doubt act as another layer of defence but of course we can’t become complacent and put full trust in this cyber force. Cybersecurity works best with a multi-layered, multi-agency approach working together, with best practice and support shared.”

Main image credit: GCHQ/Crown Copyright