States’ use of cyber operations

‘Cyberspace’ typically refers to digital networks used to store, modify, and communicate information. It includes the internet but also other information systems that support businesses, services and infrastructure.

‘Cyber operations’ aim to achieve objectives in or via cyberspace. They can include gaining unauthorized access to computers, systems or networks to obtain information; and altering, deleting, corrupting or denying access to data or software.

States conduct cyber operations against adversaries for reasons including to gather information, influence political decisions, support military action or gain financially. Potential impacts include data breaches, website outages, and disruption to online services, telecommunications and supply chains.

The number and sophistication of cyber-attacks on the UK are increasing. In 2020/21, the National Cyber Security Centre (NSCS) dealt with 777 incidents (from non-state, as well as state, attackers), a rise of just over 30% in four years.

The UK Government set out plans for protecting and promoting UK interests in cyberspace in the National Cyber Strategy 2022. This included £114 m of extra funding for the National Cyber Security Programme to help deliver the Strategy over the next three years, which is part of a wider £2.6 bn investment in cyber and legacy IT. The Government is reviewing the Computer Misuse Act and has introduced the National Security Bill, which may help to strengthen the UK’s response to cyber threats from hostile states. It has also said it is willing to use cyber operations alongside its diplomatic, economic and military activities.

Key points

• Typically, states conduct cyber operations for espionage (to obtain data), to disrupt services, or to spread disinformation. Some states commit cybercrime for financial gain.
• Data collected through cyber-espionage may be used to gain political or commercial advantage. Government bodies, NGOs and think-tanks are common targets.
• Disruption in cyberspace has the potential to cause serious disruption in the physical world including to critical national infrastructure (CNI). States may pre-emptively enter an adversary’s network to gain a foothold for a future attack.
• States engage in disinformation operations for various reasons, including: to achieve political goals without escalation to physical warfare; to influence the international response towards a particular nation; or to erode trust, for example in authorities or democracy.
• Nations can be affected by cyber-attacks even if they are not the intended target.
• States may conduct cyber operations through their security and foreign intelligence agencies or via non-state proxies, such as private contractors.
• State-backed operations tend to coincide with a geopolitical dispute, may persistently target strategic assets, and may be especially sophisticated and resource-intensive. However, states also use simple techniques, such as phishing.
• The UK Government has stated that China and Russia pose the greatest of state-backed cyber threats to the UK, and that Iran and North Korea also have notable cyber capabilities.
• The UK is recognised as having world-class strengths in cyber security and cyber intelligence, according to a comparison of 15 states by the International Institute for Strategic Studies. The study noted shortfalls in the UK’s skilled cyber workforce, an inability to invest on the same scale as the US and China, and a lack of an industrial base to build and export equipment that may help to shape the future of cyberspace.
• The UK participates in international partnerships to share intelligence, best practice and cyber capabilities, including the Five Eyes alliance and NATO.

Acknowledgements

POSTnotes are based on literature reviews and interviews with a range of stakeholders and are externally peer reviewed. POST would like to thank interviewees and peer reviewers for kindly giving up their time during the preparation of this briefing, including:

• Dr Adrian Nish, BAE Systems*
• Dr Andrew Dwyer, Durham University
• Dr Bill Mitchell, BCS the Chartered Institute for IT
• Ciaran Martin, Oxford Blavatnik School of Government
• Dr Clare Stevens, University of Portsmouth*
• Conrad Prince, Royal United Services Institute (RUSI)*
• Dr Dan Lomas, Brunel Centre for Intelligence and Security Studies
• Darren Lawrence, Cranfield University
• Department for Digital, Culture, Media and Sport
• Emily Taylor, Oxford Information Labs
• Gabriel Basset*
• Home Office*
• James Sullivan, Royal United Services Institute (RUSI)
• Dr Jamie Collier, Mandiant*
• Jamie MacColl, Royal United Services Institute (RUSI)*
• Jeremy Hilton, Cranfield University*
• Joel Harrison, Milbank
• Joyce Hakmeh, Chatham House*
• Dr Kristian Gustafson, Brunel Centre for Intelligence and Security Studies
• Members of the POST Board*
• Ministry of Defence*
• Miriam Howe, BAE Systems
• National Cyber Security Centre (NCSC)*
• Dr Neveen Shaaban Abdalla, Brunel Centre for Intelligence and Security Studies
• Olivia Griffiths, Rebellion Defence
• Professor Philip Davies, Brunel Centre for Intelligence and Security Studies
• Dr Steven Wagner, Brunel Centre for Intelligence and Security Studies
• Stuart Aston, Microsoft*
• The grugq
• Dr Tim Stevens, King’s College London*

*denotes people and organisations who acted as external reviewers of the briefing.