A Frontier Without Direction? The U.K.’s Latest Position on Responsible Cyber Power

Andrew Dwyer, Ciaran Martin
Monday, August 1, 2022, 10:16 AM

The U.K. missed an opportunity to clarify its view on non-intervention in international law for peacetime offensive cyber operations, develop perspectives on what states can do in cyberspace, and provide detail on what its own National Cyber Force does.

Published by The Lawfare Institute in Cooperation With Brookings

On May 19, Suella Braverman, the U.K.’s attorney general, delivered a highly anticipated speech to Chatham House, building on the U.K.’s position on the applicability of international law to offensive cyber operations conducted during peacetime. Such public statements have become essential in the U.K.’s ongoing efforts to develop its credentials as a “responsible, democratic cyber power” that includes an overt offensive cyber capability in its newly avowed National Cyber Force (NCF). For the U.K. to be seen as credible in its effort to responsibly deploy offensive cyber capabilities and uphold accountability in its pursuit of cyber power, articulating a clear legal position is crucial. This is also integral to the U.K.’s efforts to challenge “systemic competitors” in cyberspace, including China and Russia, while participating in a broader coalition of like-minded states based on a democratic, rules-based order, such as through President Biden’s Summit for Democracy.

Yet Braverman’s speech demonstrated a lack of ambition from the U.K. in leading the agenda on how offensive cyber operations can be used by a “responsible and democratic cyber power,” to use the U.K.’s own branding. There was little substantive legal development on how the U.K. conducts its own cyber operations through the NCF, as much as novel interpretations in the application of international law through the principle of non-intervention need further work. This results in interpretative gaps in the U.K.’s application of international law as laid out in public fora. For a country wishing to be seen as a leader in cyber power, the U.K. can and should do better.

Unsurprisingly, the speech repeated a clear U.K. position—reiterated at various U.N. fora on cyber norms—that “cyberspace is not a lawless ‘grey zone.’” However, Braverman’s speech then went on to articulate a rather distinct U.K. interpretation of the application of international law to peacetime offensive cyber operations. Braverman affirmed the U.K.’s continuing reliance, during peacetime, on the narrower principle of non-intervention, rather than the more commonly agreed-upon principle of national sovereignty in cyber governance. In the U.K.’s interpretation of non-intervention, a breach of one state’s sovereignty by another through offensive cyber operations itself does not constitute a breach of international law. To address when there is such a breach, Braverman turned to an expansive interpretation of coercive behavior under the principle of non-intervention as a means of scoping what is legally permissible. According to Braverman, to breach the principle of non-intervention, the action(s) must be “forcible, dictatorial, or otherwise coercive, depriving a State of its freedom of control over matters which it is permitted to decide freely by the principle of State sovereignty.” 

To demonstrate this, she offered illustrative examples from four areas—energy, essential medical care, economic stability, and democratic processes—to outline activities that would be considered in breach of non-intervention. Braverman built on examples presented by former Attorney General Sir Jeremy Wright’s 2018 speech, which was the U.K.’s first major statement on peacetime operations. Like Braverman, Wright focused on the principle of non-intervention and how certain activities in cyberspace might violate the principle. Examples included “operations to manipulate the electoral system … , intervention in the fundamental operation of Parliament, or in the stability of our financial system.” Upon reading both speeches, one could conclude that there has been little substantive development of the U.K. position between Wright in 2018 and Braverman in 2022. Yet some important distinctions—including Braverman’s interpretation of coercion, the precision of the illustrative examples given, and the lack of engagement on the NCF—require further scrutiny.

The first distinction is Braverman’s expansion of the concept of coercion—which has historically been difficult to define but can be understood as one state’s exertion of pressure to deprive another state of its free will. As Michael Schmitt notes, the U.K. had been expected to soften its approach to coercion to address concerns from other states over its rejection of sovereignty as a general rule in cyberspace. To do so, Braverman applied the concept of coercion to specific targets (for instance, disruption to supply chains for essential medicines and vaccines) beyond the usual context of a nation’s domaine réservé, or a state’s domestic affairs. Schmitt, however, considers Braverman’s interpretation an oversimplification of common interpretations of coercive behavior and its relation to non-intervention. 

Indeed, the distinction between a target and coercive behavior under non-intervention in a state’s domaine réservé can appear similar due to their similar perceived outcomes. This is especially so when applied to Braverman’s illustrative example of “causing hospital computer systems to cease functioning,” as was the case in the 2017 WannaCry ransomware attack that severely impacted the U.K.’s National Health Service. As Marko Milanovic and Schmitt explain, although WannaCry was disruptive, it was intended to gain a ransom payment and not to gain control over the U.K.’s health service or to affect the U.K.’s health care choices, and therefore would not conventionally be considered coercive behavior. However, if the intention of North Korea (which was behind WannaCry) had been to limit the U.K.’s health care choices, this could have been considered coercive behavior, even though the outcomes of both intentions are similar (namely, hospital computers are rendered unusable). Braverman’s expansive interpretation of coercive behavior to targets for the purposes of non-intervention, then, requires further legal refinement and framing to understand how a focus on targets may work alongside the more commonly adopted interpretations in international law. 

Second, the four illustrative examples of behavior in breach of non-intervention presented by Braverman are more precise than those offered by Wright in 2018, suggesting that a greater range of actions may be considered coercive from the U.K.’s perspective than before. For instance, Braverman offered electoral count tampering and the disruption of systems controlling medical transportation as examples of coercion. Wright, in comparison, offered similar examples that required substantive coercive behavior within a state’s control of domestic affairs to breach the principle of non-intervention. (This included altering election results, undermining the operation of Parliament or the stability of the financial system, any of which would affect the U.K.’s control of its domaine réservé.) Rather than the more conventional reading by Wright of the principle of non-intervention, Braverman presented tightly defined examples. This then implies that coercive behavior is applied to particular targets—such as electoral counting machines—where this behavior would breach the principle of non-intervention. This is distinct from the general principle of national sovereignty where a state conducting operations on another state’s territory would be regarded as in breach of international law regardless of whether it was coercive behavior. 

By advocating for the expanded use of coercion, Braverman may be offering greater operational flexibility for the U.K.’s NCF (and other countries’ cyber forces) to engage in peacetime offensive cyber operations by weakening conventional readings of the principle of sovereignty but strengthening those typically offered by readings of non-intervention. Simply, it may be a new middle ground between these two positions. Yet Braverman does not set out how these two principles work together, and the public is left with only four illustrative examples to ground what this new perspective on coercion may be. If the U.K. wishes to convince other states to align with its view on non-intervention rather than sovereignty as a general rule, the U.K. must fully explicate what states can do with offensive cyber operations and why non-intervention and an expanded view of coercion may allow a way forward in this new potential middle ground. The U.K. must also address how its interpretation of non-intervention and coercive behavior would not lead to a militarization of cyberspace beyond the current range of examples, what limits on state behavior there could be, and how this would enhance responsibility. Without such an explanation, it is difficult to see how the U.K. could convince other states that this is a responsible path forward.

As much as Braverman claims that these examples offer a “clearer [view] on the range of potential options that can lawfully be taken in response” to cyber operations, the speech risks clouding interpretation of the U.K.’s position on the scope of non-intervention and when an offensive cyber operation is considered coercive. Wright’s speech was the first substantive contribution on the U.K.’s position on peacetime cyber operations in international law. Yet Braverman’s was comparatively ambiguous by covering similar illustrative areas with more precise examples that expand how the U.K. interprets the principle of non-intervention and coercive behavior. 

How these two speeches work together in outlining the U.K.’s position, then, is far from clear. Simply, does the U.K. subscribe to conventional interpretations of coercion, to a novel interpretation that focuses on predefined targets, or a combination of the two? Braverman’s speech did not specify exactly how these two perspectives relate, especially as her definition of coercion lends itself to the conventional reading as much as the illustrative examples point toward a new articulation of what is coercive. This leads to the creation of interpretive holes that need further dedicated resolution and exposition.

Furthermore, what was not included in the speech is as important as what was. The U.K. is open to the charge that, in Braverman’s speech, it set out a long list of ways other countries can break international law and norms. Interestingly, Braverman’s illustrative examples would suggest much of Russia’s activity in cyberspace around energy disruption and electoral interference, for instance, is illegitimate. At the same time, these illustrative examples would seem to legitimize China’s campaign of intellectual property theft despite years of remonstrations from the West about the unacceptability of such activity. This is because both Braverman’s illustrative examples, as well as conventional interpretations of coercive behavior, require some form of coercive effect on the affected state, which the theft of intellectual property itself does not cause.

But if the speech said a great deal about how other countries might break international laws and norms, Braverman said little, if anything, new about the U.K.’s own use of offensive cyber operations. A few weeks before the Chatham House event, the U.K.’s cyber security community gathered in Cardiff, Wales, for the government’s flagship annual cyber event, CYBERUK. There the assembled experts and the press were briefed that Braverman’s speech would set out what the British state thought being a responsible cyber power involved. Interested parties, not unreasonably, assumed the British government would use this opportunity to explain its approach to the responsible use of its own capabilities.

But in the event, Braverman said virtually nothing about how the U.K. uses, or might use, offensive cyber. The NCF was mentioned, but only in the context of the long, obligatory list of new institutions the government has established as part of its cyber efforts. Prior to her speech, there was little publicly available information about the NCF’s likely activities. The government’s major review of national security policy, known as the Integrated Review and published in March 2021, contained less than one page of detail. 

The 2021 review gave three limited, hypothetical examples of potential NCF activity: hacking a terrorist phone to prevent contact with accomplices, taking down the digital infrastructure of online sexual predators, and protecting British military assets from targeting by weapons systems. A subsequent NCF explainer on the government’s website added little. Braverman added nothing at all. She didn’t even match the limited disclosures of Gen. Paul Nakasone, the head of U.S. Cyber Command, about the pursuit of cyber operations in support of Ukraine. 

So the NCF’s posture remains largely analogous to Special Forces: The government acknowledges its existence but says nothing about what it does, even in outline terms. Operationally, many observers will see the wisdom of such a posture. But it’s hard for the U.K. to be credible in asserting its own position as a “responsible” cyber power through public statements that list the “crimes” of other countries while adopting what might be called the Ronan Keating doctrine for itself: saying it best when saying nothing at all.

This could well prove a mistake for the U.K. and its allies. It ignores the lessons the Five Eyes alliance learned painfully from the Edward Snowden leaks: that when a crisis comes, it helps if there is some general understanding in political and media circles about the sorts of activities digital spies undertake, and why. After Snowden’s disclosures, the then-U.K. government, facing pressure to modernize intercept legislation, embraced a remarkable form of glasnost: engaging policymakers and the media to an unprecedented extent to explain the nature of the agency’s work. 

One key aspect of this process was an independent review by a senior lawyer with broad appeal across the political spectrum and a reputation for unimpeachable integrity, Lord David Anderson QC (Queen’s Counsel). His report, “A Question of Trust,” set out in previously unimaginable detail what operations intelligence agencies might be required to undertake, such that a proper legal basis could be established for them. Without providing any operational detail that may have undermined sources and methods, the report helped reduce parliamentary, public, and tech industry opposition to the new powers for the agencies. Moreover, Parliament and the media will not be able to question the scope of the powers granted in the 2016 legislation if another Snowden-like revelation or operational disaster concerning the agencies occurs. When the Snowden leaks erupted, most of the criticism against the U.K. government—and against many other governments—was that there was no public awareness that this sort of activity was being conducted by the agencies. Following the new legislation, that charge is now unsustainable. The enthusiastic engagement of the intelligence services with Anderson proved a worthwhile investment. 

The lessons of this transformative period have been forgotten when it comes to offensive cyber. The government is assembling potent capabilities through the NCF but says next to nothing about how it might use them. And this could matter. In the event of, for example, a major theft of cyber capabilities of the kind witnessed in the Shadow Brokers affair, or were there to be a botched, harmful offensive cyber operation by the U.K. as with the Russians and NotPetya, there will be no widespread understanding—let alone acceptance—of the sorts of operations the state undertakes in cyberspace, nor of the risks that they involve. 

Moreover, if the U.K. wishes to be a leader in both democratic and responsible activities in its ambitions for cyber power, then its current legal position on coercion and non-intervention needs clarification as much as it needs to engage fully with its own legal and ethical options for the NCF. As Max Smeets has argued in a Lawfare post, there are too many red lines in cyberspace, and the U.K. has an opportunity to lead again in this area by stipulating what it, and others, can do. Although the easier task is undoubtedly to declare which activities one deems undesirable—such as the illustrative examples that Braverman provided—the difficult but more important task is to articulate the legal argument for operations from democratic states, perhaps through an expanded view of coercion and its application to non-intervention, and what they may look like on the international stage.


Andrew Dwyer is an Addison Wheeler Research Fellow at Durham University, co-lead of the U.K. Offensive Cyber Working Group, and in Fall 2022 will be Assistant Professor in the Department of Information Security at Royal Holloway, University of London.
Ciaran Martin is a professor of practice at the Blavatnik School of Government at the University of Oxford. From 2014 to 2020 he set up and then led the United Kingdom’s National Cyber Security Centre.