Speaking at a cyber conference in Manchester, UK, in April 2018, GCHQ director Jeremy Fleming revealed that the UK had carried out cyberattacks against the ultra-violent jihadist group Islamic State (IS) the previous year.

As one might expect from the head of the UK’s signals intelligence agency, Fleming’s speech was short on specifics about the online attacks, but it marked the first public acknowledgement that the country’s cyber capabilities had been deployed to make “a significant contribution” in the fight against IS.

The attacks, launched as part of a joint military campaign with the US and other western states, successfully hacked and jammed the terrorist organisation’s online channels used to disseminate its violent propaganda – one of its key assets in the recruitment of new members.

A little over a year later, in May 2019, the UK Ministry of Defence (MoD) announced the launch of a dedicated cyber unit within the British Army.

The new hybrid unit, known as the 6th Division, is made up of troops spanning several regiments across the British Army, including the 77th Brigade, the Specialised Infantry Group, and the Surveillance and Reconnaissance Brigade. To support the new group, the MoD has allocated £22 million in funding to establish a network of cyber operations centres across the country. Focused on intelligence gathering, electronic warfare and counter-propaganda, members of the 6th Division will also be deployed abroad as part of counter-insurgency missions. The move reflects the MoD’s recognition that the boundaries between conventional and unconventional warfare are no longer clearly defined, blurred by the rampant digitalisation of the 21st century. Furthermore, it signals that the mounting of cyberattacks on military targets is no longer the preserve of intelligence agencies like GCHQ.

“It is certainly an interesting development,” says Ewan Lawson, associate fellow at the Royal United Services Institute (RUSI). “What we are seeing here is an awareness from the British Army that it needs to be in the digital game – especially when it comes to social media.”

The turning point

Between 2012 and 2014, Lawson, a former military officer, was responsible for developing the UK’s cyberwarfare operations. As far as misinformation and propaganda went, it was a simpler time, he says, recalling a “game of leaflets and radio stations. We were only just starting to think about social media.”

Since then, Russia has been widely accused of meddling in both the 2016 US presidential election – through the theft of data from the Democratic National Committee – and the Brexit referendum that same year. A year earlier, a group linked to the GRU, Russia’s military intelligence agency, was also alleged to have conducted a cyberattack on the French television network TV5Monde. China, too, is suspected by the US and UK of launching a series of cyberattacks in recent years targeting western governments and Big Tech groups. Such incidents have changed the way in which militaries regard cyberwarfare. Speaking in 2013, Jean-Yves Le Drian, France’s then defence minister, said that, “In times of war, cyberweapons may be the response, or part of our response, to an armed attack, being of a cyber nature or otherwise.” These words from Le Drian – now foreign minister – prefigured France’s updated military cyberwarfare strategy that, since 2018, has included offensive capabilities.

“The new offensive doctrine represents a turning point for France’s armed forces, breaking offensive operations from their intelligence silo,” says Arthur Laudrain, a consultant for cyber, space and future conflicts at the International Institute for Strategic Studies (IISS). “It also sends a clear signal to Russia, which the country had previously been reluctant to send in such stark terms.”

An unconventional appearance

But what exactly does offensive cyberwarfare look like? Is it mainly a case of manipulating and interfering with the data and computer systems of adversaries? How does it fit into conventional military operations?

“For France, the offensive approach can best be described as stealthy actions aimed at denying the availability or confidentiality of adverse systems,” says Laudrain. “Implicitly, this seems to exclude operations with destructive kinetic effects. It mentions the neutralisation of enemy systems, but the concept is ambiguous.

“Offensive operations can prepare or complement conventional operations – acting as a force multiplier – or substitute them entirely where appropriate.”

According to Lawson, the line between defensive and offensive capabilities in cyber might be hard for the layman to identify. “One way in which you might deal with an adversary attacking you is to hit back at their infrastructure,” he says. “That might sound like an offensive action, but, within the army, it would be described as a defensive capability.”

As much of cyberwarfare occurs below what Lawson – who is also a military cyber consultant to the International Committee of the Red Cross (ICRC) – describes as “the threshold of armed conflict”, there is some debate over the specific legal frameworks by which it should be governed. The ICRC is unequivocal that international humanitarian law is as applicable to cyberspace as it is to the traditional battlefield, although its implementation is somewhat more challenging.

“This is really to do with the principles of necessity, proportionality and discrimination,” says Lawson. “The ICRC has been looking at some of the risks of offensive operations against a military network or system spilling into civilian networks and having unintended effects and consequences. How do militaries think about this and practically make those assessments?”

In Laudrain’s view, France’s updated offensive doctrine correctly accentuates the consideration and mitigation of political, legal and military risks, in keeping with both international humanitarian law and public international law.

“The doctrine introduces the principle of risk, balancing in the preparation and conduct of offensive operations, as well as the risk of escalation in an asymmetric environment, collateral damage and unforeseen indirect impacts on civilian infrastructures.

“In a nutshell, France aims to promote international rules and stability in the cyber domain to prevent the escalation of crises, yet seeks room to manoeuvre to support conventional operations, deterrence and retorsion. It’s a delicate balance.”

Out in the open

That the MoD and its French equivalent decided to go public with their new cyber military strategies – in contrast to a previously clandestine approach – is also noteworthy, says Lawson. “We are seeing more public conversation in the western states, such as France, the UK, Denmark and the Netherlands around cyber capabilities,” he says. “This is healthy because the fact of the matter is that most capable countries are operating in this space, albeit below the threshold of armed conflict and on the basis of plausible deniability.”

Compared with the US’s cyber strategy, known as Persistent Engagement, the UK’s cyber capabilities are akin to a “cottage industry”, says Lawson. As evidence of the US’s power, he cites the 2019 revelation that the US military took down Russia’s infamous Internet Research Agency during the 2018 midterms in a bid to thwart attempts to interfere in the election.

The Internet Research Agency, which is backed by the Kremlin and often referred to as Russia’s largest troll farm, was implicated in previous meddling in the 2016 elections. Speaking to Wired in 2019, Sergio Caltagirone, a former technical lead at the US National Security Agency, said the attack was “nothing more than a signal to the Russians that what you did was not acceptable, and we’ll take action to counter that”.

The US operation also subverts the commonplace narrative that only Russia and China operate below the threshold of armed conflict. “The big difference is that the US can claim to do so while applying the principles of international humanitarian law,” says Lawson.

Back in the UK, the MoD has timetabled its new cyber facilities to be up and running across the country within the first half of this decade. Construction had been pencilled in to start this year, although it is likely this will have been thwarted by the onset of the coronavirus pandemic. However, when operations do commence, it will officially mark the British Army’s entrance into the era of hybrid warfare.