If cyberspace is to be considered a 'fifth domain' of warfare, any military activity in that domain will require a firm basis in terms of doctrines, rules of engagement and clarity about when an Armed Forces contribution or lead is justified or expected. In 2010, Nick Harvey MP, then Minister of State for the Armed Forces, said that while cyber activity added a new dimension to conflict, "what it seeks to achieve should be subject to the same strategic and tactical thought as a conventional military operation."[71]

Whether the Armed Forces should engage in cyber warfare will depend on whether particular actions in cyberspace are considered to be acts of war. Symantec elaborated on some of the scenarios in which it might be difficult to decide whether or not a cyber-security incident was 'military' in nature:

Is an attack on a defence contractor, for example, enough to justify involvement of the military on the basis of the fact that the compromise is likely to impact sensitive information of military interest? What would be the 'rules of engagement' that would trigger the involvement of the military? Would the involvement of the military be linked to a particular political context, for example escalating tensions with a particular country and the possibility of military confrontation when cyber attacks are attributed to that country? Or, would military involvement be linked to defending a specific target of military interest, such as the control of a weapons system? Would this extend also to systems that are critical to the performance of military operations but do not belong to the core of the military functions, for example parts of the national telecommunication network? Or would the military be involved in the case of a cyber attack that would not target defence assets but would be of such catastrophic proportion and effect for the nation that could constitute the equivalent of an armed attack? An example here could be the use of cyber attack to sabotage a nuclear power plant. These are very difficult questions to answer and policy makers may well need to leave open some of their options, because any of these possibilities, as well as others we cannot imagine, may lead to situations that justify the involvement and use of defence assets and ultimately of the MoD. [72]

As yet there is no internationally-accepted definition of a breach of sovereignty in cyberspace, nor is it clear what types of response would be deemed proportionate to particular types of breaches. Responses to cyber attack would not need to be themselves in the cyber domain—they could be economic, judicial or of a conventional military nature.

Addressing the "policy, doctrinal and legal basis surrounding the use of cyber tools and techniques" is one of the tasks that has been given to the Defence Cyber Operations Group (DCOG). Internationally, the NATO Co-operative Cyber Security Centre of Excellence in Estonia is working towards the production, in 2013, of a legal manual to cover such issues.[73] We asked the Minister for the Armed Forces about the work that had been done on this issue in the MoD. He responded:

For me, the law of armed conflict applies as much to cyberspace as it does to any other domain of operation. The principles of proportionality, discrimination and humanity apply to actions that we might take in this domain, as they do elsewhere. We should focus on the intent and the consequences, rather than the means of delivering the effect. [...] At this stage we have not sought to develop specific rules of engagement for cyber, but as our understanding of cyber-operations, their potential, their capabilities and the associated norms of behaviour develop and evolve, I could envisage us coming back to that and possibly devising specific rules of engagement at some point in the future.[74]

The Minister expressed confidence that no new legal code was needed to regulate military activity in cyberspace, including the potential application of Article 5 of the North Atlantic Treaty[75] to a cyber attack and the protection afforded to legal combatants: "we think that the application of existing law and norms of behaviour will serve us perfectly well"[76]. General Shaw, Assistant Chief of Defence Staff, argued that a cyber attack could be construed as an armed attack under Article 5 "if the effect of that attack is so severe that it is judged to be an Article 5 attack. [...] it is the effect that matters, not the means through which it is delivered."[77] John Taylor, MoD CIO, commented that the principal challenge was making judgements on proportionality.[78]

One of the military functions which the Minister foresaw the Armed Forces carrying out through cyber means was to deter attacks on UK national interests.[79] The UK Cyber Security Strategy noted that "with the borderless and anonymous nature of the internet, precise attribution [of attacks] is often difficult and the distinction between adversaries is increasingly blurred".[80] General Shaw told us:

The deterrent value of cyber is overstated at the moment, because there are huge problems with attribution. To take the simple example of Estonia, to all intents and purposes, the attack on Estonia appeared to come from California. It makes it extremely difficult. Until you attribute it, until you can work out a proportionate response and definite intent, it is a murky area. We should be hesitant to leap straight to nuclear deterrent, to theology, and apply it to the world of cyber.[81]

The then Minister for the Armed Forces, however, told us that "in terms of cyber attacks on networks, we can in many cases tell pretty much exactly where they have come from—not in all cases, by any means."[82] He saw no inherent problem in applying the concept of deterrence to cyberspace:

Perhaps as we go forward and there are more cyber attacks, or attributable cyber attacks, and people gain a greater understanding of others' capabilities, that will, perforce, begin to play into the psychology and logic of deterrence.[83]

John Taylor acknowledged, however, that certainty in attributing attacks could take "two or three days", which poses challenges for a posture of "active defence".[84] General Shaw, when asked about planning assumptions for cyber, commented that:

We will need very agile policy decision-makers to keep up with the reality of the threats facing us. [...] the threat is evolving probably faster, I would say, than our ability to make policy to catch up with it.[85]

Events in cyberspace happen at great speed. There will not be time, in the midst of a major international incident, to develop doctrine, rules of engagement or internationally-accepted norms of behaviour. There is clearly still much work to be done on determining what type or extent of cyber attack would warrant a military response. Development of capabilities needs to be accompanied by the urgent development of supporting concepts. We are concerned that the then Minister's responses to us betray complacency on this point and a failure to think through some extremely complicated and important issues. We recommend that the MoD makes development of rules of engagement for cyber operations an urgent priority, and that it should ensure that the necessary intelligence, planning and coordination functions are properly resourced.

The MoD and the Cabinet Office have been very clear that the MoD's cyber-security role is confined to defending its own networks and developing cyber capabilities: it does not have any sort of general responsibility for protecting national infrastructure, nor is it expected to take the lead in coordinating a UK response to a major cyber-security incident.[86] The former task is instead the preserve of the Centre for the Protection of National Infrastructure (CPNI), which is a government authority accountable to the Director General of the Security Service.[87] CPNI advises organisations in the national infrastructure—including those in the private sector—on reducing their vulnerability to a range of threats including cyber attack.[88] Some of the evidence we received, however, questioned whether the military role could be so tightly circumscribed. In its written submission, McAfee argued that a military interest in the cyber-defence of Critical National Infrastructure could be justified by the reliance of some MoD functions on that infrastructure, and by the potential of cyber attacks to "threaten real loss of property and life" by targeting those systems.[89]

MoD witnesses conceded that a cyber equivalent of 'military aid to the civil authorities' could be envisaged if the Government felt that military expertise was needed.[90] We recommend that the Government ensure that civil contingency plans identify the military resources that could be drawn upon in the event of a large-scale cyber attack, such as additional staff, planning resources or technical expertise. In its response to this report the Government should set out what work it is doing to identify the reliance of the Armed Forces on the integrity and resilience of the Critical National Infrastructure, the steps it has taken to ensure that the CNI will remain sufficiently robust to meet the needs of the Armed Forces and its contingency plans for the event that any relevant part of the CNI should fail.