What is a responsible cyber power?

Russia’s cyberwar in Ukraine has been as reckless as its physical one. Its cyber-attack on satellites on the first day of fighting mistakenly spilled over into almost 6,000 German wind farms. It sprayed “wiper” malware across the country, irreversibly destroying data. And it directed attacks at civilian power and water infrastructure, adding to the misery of its shells and rockets. It has been one of the most intensive cyber-campaigns ever conducted—and perhaps the most irresponsible.

But what is a responsible cyber power? On April 4th Britain’s National Cyber Force (ncf) sought to answer that question by publishing a document setting out how it views the purpose and principles of “offensive cyber”—the disruption of computer networks, as distinct from cyber-espionage. It also revealed the identity of the ncf’s commander, James Babbage, who has given his first interview, to The Economist.

Britain’s transparency is a welcome step forward. Cyber operations are shrouded in secrecy. They can spill over into the computer networks that modern economies and societies depend on—a Russian cyber-attack in 2017 caused more than $10bn of damage. Their potential is also poorly understood. Many political leaders mistakenly view them as strategic weapons to deter enemies.

The ncf’s new paper is important because it spells out a realistic and circumscribed view of cyber power. It says that its main purpose is not so much kinetic—a digital substitute for air strikes—as cognitive. Russia’s cyber-enabled disinformation is often aimed at entire populations. Britain says its targets are typically individuals and small groups. A cyber-attack might, for example, tinker with their communications so they are paralysed by confusion, or turn on one another.

The British example suggests several criteria to judge whether cyber power is being used responsibly. The first is what sort of targets are chosen. North Korean hackers once attacked an American film studio because it released an unflattering movie about Kim Jong Un, the country’s leader. Iran has attacked American banks in response to sanctions. Russia has used cyber tactics to meddle in elections in America and Europe.

Another is how well attacks are calibrated. Are they precise in their effects and mindful of escalation? Or do they hurl malicious code around wildly? Officials and experts have spent years debating how international law, including the laws of armed conflict, apply to cyberspace. The Tallinn Manual, associated with nato, is one such guide. Russian intelligence services do not pay much attention to this sort of thing, but responsible cyber commanders need lawyers by their side.

A third test is how well cyber forces protect their arsenals. The hacking tools used by states are often powerful and dangerous. They can cause considerable harm if they become widely available. In 2017 a North Korean cyber-attack spread ransomware worldwide in part by repurposing malicious code that had leaked out of America’s National Security Agency (nsa). As more countries embrace offensive cyber operation, the security of their tools will become a bigger issue.

Finally, cyber forces need accountability. Britain’s view of offensive cyber as a means of targeted psychological disruption, rather than an all-purpose weapon of power projection, has much to commend it. But it also pushes cyber power into the murky realm of covert action. Oversight of this is doubly hard: the work is both highly secret and also highly technical. Lawmakers and judges often struggle to grasp the details.

For the time being, Britain’s approach is to be welcomed. Ten years ago Edward Snowden, a former nsa contractor, sent shock waves through the nsa and gchq, its British counterpart, by publicly revealing their industrial-scale intelligence collection in cyberspace. A decade on, the spooks seem to have learned that responsibility requires scrutiny. ■