The UK could lawfully launch “defensive” cyberattacks against countries which threaten critical national infrastructure, attorney general Suella Braverman has said.
In her speech at Chatham House, Braverman said she believes “that we can and should be clearer about the types of disruptive State activity which are likely to be unlawful in cyberspace.”
She said it is important to continue to apply the principle of non-intervention – the idea that states can conduct their business without interference – in cyberspace, but she said the government was seeking to bring clarity to what does and doesn’t constitute unlawful bevhaviour, and “to move the focus to the types of coercive and disruptive behaviours that responsible States should be clear are unlawful when it comes to the conduct of international affairs in peacetime.”
Braverman spoke around four broad topics, outlining cyber activity may be considered disruptive or coercive and, potentially, unlawful. These were energy security; essential medical care; economic stability; and democratic processes. She said the list was a “non-exhaustive” one “to move the discussion forward”. Examples of what might be considered unlawful coercive behaviour included disruption of hospital computer systems, and interference with power supply to critical infrastructure.
Has the UK clarified its position on cybersecurity?
Braverman’s speech “opens up an international conversation in which the UK wants to be a leader,” says Greg Austin, programme head of cyber, space and future conflict at the International Institute for Strategic Studies think tank. “This represents a radical departure from past approaches to the promotion of lawful behaviour in cyberspace,” Austin says. “The commitment to [clarifying these cyber laws] looks as fresh and inspiring, as has been the commitment of countries like Latvia and the Netherlands.” The difference, Austin says, is that the UK “has got the money to spend, and it’s got the diplomatic strength to spend.”
The speech could also be read as a warning to countries like Russia and China which continually push the boundaries of what is legally acceptable in cyberspace, Austin says. “My first reaction to it was that Russia and China had better pay very close attention to this speech because the United Kingdom is definitely keeping score of all of these untoward and unacceptable activities they are undertaking and they reserve the right to undertake retaliation,” he argues.
Offensive operations in cyberspace
However, Alexei Drew, researcher at think tank RAND Europe was less impressed by the speech, describing it as “showboating.” She says: “The UK is not the first state to say, as this statement suggests, that the existing laws of armed conflict apply in cyberspace. That’s the starting position of a lot of countries in the UN.”
Drew said Braverman’s admission that the UK now condones taking action in certain circumstances troubling. Braverman said the UK could legally strike back as part of a “defensive” measure if some of the critical infrastructure mentioned in her speech was targeted. She drew a distinction between this and the offensive tactics deployed by other countries, which would break the non-intervention principle.
“The concept of defensive cyberattacks to deter actions that might be seen as breaching the law, like the use of cyber attacks against us, is technically nonsense,” Drew says. She argues that a defensive cyber attack and an offensive cyber attack are the same thing, and that trying to make the distinction between them that Braverman did is problematic.
Drew adds: “The technical means of carrying these attack out are the same. It comes down to semantics as to whether you consider something offensive or defensive. I think it’s problematic to frame it this way.”