3 Military activity
in cyberspace - conceptual framework
If cyberspace is to be considered a 'fifth domain'
of warfare, any military activity in that domain will require
a firm basis in terms of doctrines, rules of engagement and clarity
about when an Armed Forces contribution or lead is justified or
expected. In 2010, Nick Harvey MP, then Minister of State for
the Armed Forces, said that while cyber activity added a new dimension
to conflict, "what it seeks to achieve should be subject
to the same strategic and tactical thought as a conventional military
Whether the Armed Forces should engage in cyber warfare
will depend on whether particular actions in cyberspace are considered
to be acts of war. Symantec elaborated on some of the scenarios
in which it might be difficult to decide whether or not a cyber-security
incident was 'military' in nature:
Is an attack on a defence contractor, for example,
enough to justify involvement of the military on the basis of
the fact that the compromise is likely to impact sensitive information
of military interest? What would be the 'rules of engagement'
that would trigger the involvement of the military? Would the
involvement of the military be linked to a particular political
context, for example escalating tensions with a particular country
and the possibility of military confrontation when cyber attacks
are attributed to that country? Or, would military involvement
be linked to defending a specific target of military interest,
such as the control of a weapons system? Would this extend also
to systems that are critical to the performance of military operations
but do not belong to the core of the military functions, for example
parts of the national telecommunication network? Or would the
military be involved in the case of a cyber attack that would
not target defence assets but would be of such catastrophic proportion
and effect for the nation that could constitute the equivalent
of an armed attack? An example here could be the use of cyber
attack to sabotage a nuclear power plant. These are very difficult
questions to answer and policy makers may well need to leave open
some of their options, because any of these possibilities, as
well as others we cannot imagine, may lead to situations that
justify the involvement and use of defence assets and ultimately
of the MoD. 
As yet there is no internationally-accepted definition
of a breach of sovereignty in cyberspace, nor is it clear what
types of response would be deemed proportionate to particular
types of breaches. Responses to cyber attack would not need to
be themselves in the cyber domainthey could be economic,
judicial or of a conventional military nature.
Addressing the "policy, doctrinal and legal
basis surrounding the use of cyber tools and techniques"
is one of the tasks that has been given to the Defence Cyber Operations
Group (DCOG). Internationally, the NATO Co-operative Cyber Security
Centre of Excellence in Estonia is working towards the production,
in 2013, of a legal manual to cover such issues.
We asked the Minister for the Armed Forces about the work that
had been done on this issue in the MoD. He responded:
For me, the law of armed conflict applies as much
to cyberspace as it does to any other domain of operation. The
principles of proportionality, discrimination and humanity apply
to actions that we might take in this domain, as they do elsewhere.
We should focus on the intent and the consequences, rather than
the means of delivering the effect. [...] At this stage we have
not sought to develop specific rules of engagement for cyber,
but as our understanding of cyber-operations, their potential,
their capabilities and the associated norms of behaviour develop
and evolve, I could envisage us coming back to that and possibly
devising specific rules of engagement at some point in the future.
The Minister expressed confidence that no new legal
code was needed to regulate military activity in cyberspace, including
the potential application of Article 5 of the North Atlantic Treaty
to a cyber attack and the protection afforded to legal combatants:
"we think that the application of existing law and norms
of behaviour will serve us perfectly well".
General Shaw, Assistant Chief of Defence Staff, argued that a
cyber attack could be construed as an armed attack under Article
5 "if the effect of that attack is so severe that it is judged
to be an Article 5 attack. [...] it is the effect that matters,
not the means through which it is delivered."
John Taylor, MoD CIO, commented that the principal challenge was
making judgements on proportionality.
One of the military functions which the Minister
foresaw the Armed Forces carrying out through cyber means was
to deter attacks on UK national interests.
The UK Cyber Security Strategy noted that "with the borderless
and anonymous nature of the internet, precise attribution [of
attacks] is often difficult and the distinction between adversaries
is increasingly blurred".
General Shaw told us:
The deterrent value of cyber is overstated at the
moment, because there are huge problems with attribution. To take
the simple example of Estonia, to all intents and purposes, the
attack on Estonia appeared to come from California. It makes it
extremely difficult. Until you attribute it, until you can work
out a proportionate response and definite intent, it is a murky
area. We should be hesitant to leap straight to nuclear deterrent,
to theology, and apply it to the world of cyber.
The then Minister for the Armed Forces, however,
told us that "in terms of cyber attacks on networks, we can
in many cases tell pretty much exactly where they have come fromnot
in all cases, by any means."
He saw no inherent problem in applying the concept of deterrence
Perhaps as we go forward and there are more cyber
attacks, or attributable cyber attacks, and people gain a greater
understanding of others' capabilities, that will, perforce, begin
to play into the psychology and logic of deterrence.
John Taylor acknowledged, however, that certainty
in attributing attacks could take "two or three days",
which poses challenges for a posture of "active defence".
General Shaw, when asked about planning assumptions for cyber,
We will need very agile policy decision-makers to
keep up with the reality of the threats facing us. [...] the threat
is evolving probably faster, I would say, than our ability to
make policy to catch up with it.
Events in cyberspace happen at great
speed. There will not be time, in the midst of a major international
incident, to develop doctrine, rules of engagement or internationally-accepted
norms of behaviour. There is clearly still much work to be done
on determining what type or extent of cyber attack would warrant
a military response. Development of capabilities needs to be accompanied
by the urgent development of supporting concepts. We are concerned
that the then Minister's responses to us betray complacency on
this point and a failure to think through some extremely complicated
and important issues. We recommend that the MoD makes development
of rules of engagement for cyber operations an urgent priority,
and that it should ensure that the necessary intelligence, planning
and coordination functions are properly resourced.
The MoD and the Cabinet Office have been very clear
that the MoD's cyber-security role is confined to defending its
own networks and developing cyber capabilities: it does not have
any sort of general responsibility for protecting national infrastructure,
nor is it expected to take the lead in coordinating a UK response
to a major cyber-security incident.
The former task is instead the preserve of the Centre for the
Protection of National Infrastructure (CPNI), which is a government
authority accountable to the Director General of the Security
Service. CPNI advises
organisations in the national infrastructureincluding those
in the private sectoron reducing their vulnerability to
a range of threats including cyber attack.
Some of the evidence we received, however, questioned whether
the military role could be so tightly circumscribed. In its written
submission, McAfee argued that a military interest in the cyber-defence
of Critical National Infrastructure could be justified by the
reliance of some MoD functions on that infrastructure, and by
the potential of cyber attacks to "threaten real loss of
property and life" by targeting those systems.
MoD witnesses conceded that a cyber equivalent of
'military aid to the civil authorities' could be envisaged if
the Government felt that military expertise was needed.
We recommend that the Government
ensure that civil contingency plans identify the military resources
that could be drawn upon in the event of a large-scale cyber attack,
such as additional staff, planning resources or technical expertise.
In its response to this report the Government should set out what
work it is doing to identify the reliance of the Armed Forces
on the integrity and resilience of the Critical National Infrastructure,
the steps it has taken to ensure that the CNI will remain sufficiently
robust to meet the needs of the Armed Forces and its contingency
plans for the event that any relevant part of the CNI should fail.
71 Nick Harvey MP, speech at Chatham House, November
Ev w27 Back
NATO, The Tallinn Manual on the International Law Applicable to
Cyber Warfare [draft] Back
Qq 123-5 Back
Article 5 provides that if a NATO Ally is the victim of an armed
attack, each and every other member of the Alliance will consider
this act of violence as an armed attack against all members and
will take the actions it deems necessary to assist the Ally attacked. Back
Q 124 Back
Q 51 Back
Q 129 Back
Q 79 Back
Cabinet Office, UK Cyber Security Strategy, para 2.8 Back
Q 66 Back
Q 134 Back
Q 130 Back
Q 134 Back
Q 58 Back
Q 180; Q 48 Back
Ev 42, para 2.2 Back
Cabinet Office, UK Cyber Security Strategy, para 4.19 Back
Ev w18, paras 2.3-4; Ev w9, para 9; Ev w33, para 2.12 Back
Q 48 Back