UK policy and cyber-warfare

A few years ago I was given a very good piece of advice about technologists expressing a view on matters of policy: don’t.

“Think of three layers”, was the suggestion of my older and wiser colleague: “a bottom layer of technology, a ‘good practice’ middle layer, and a policy top-layer. Be aware that decisions at the policy layer are driven by all kinds of factors over which you will never have control… and however tempting it may seem to do otherwise, restrict yourself to opinions on the other two layers”. I took this advice to heart, and while I have had the occasional lapse, it has not let me down when I have stuck to it.

So, then, what to say about the government’s announcement, last week, of its plans to establish a cyber-security operations centre?

Well, I think there are three questions to ask:

1 – is there a pressing need for a cyber-security capability? I suspect the answer to that one is a clear ‘yes’. There’s no doubt that cyberspace represents an element of the Critical National Infrastructure (CNI), just like the transport, water, power, communications, financial and sewage networks on which our country depends. It may be entertaining to be transported back to the 70s by watching “Ashes to Ashes”, but few of us would much enjoy a long spell of being restricted to 70s technology levels.

And just like all those other elements, the UK’s cyberspace presence is inextricably linked into the global network. (“Sewage?”, I hear you mutter… “How is the sewage system cross-border?” Ask the Dutch… I read a report that, if the Netherlands couldn’t export the excrement by-product of its bacon industry, the whole country would be ankle deep in pig-poo before the year was out. And with all those greenhouses, they use a lot of mulch…). So – cross-border cyber-defence capability? Absolutely.

2 – is the government justified in maintaining/using an offensive cyber-security capability? This one is tricky to answer at the policy layer.

  • At the technical layer, I have no reservation in saying that I want the security services to know how cyber-attacks work, and even in maintaining significant expertise: after all, they can’t mount passive defences if they don’t thoroughly understand the attacks.
  • At the ‘good practice’ layer, offensive cyber-security capabilities tend to be restricted to getting malicious sites/services taken off the internet – and that only after going through ‘due process’ with the telcos, service providers, hosting companies and so on. Clearly, the latest policy announcement is based on the assumption that there may be cases where the security services expect to need to go further than that.
  • At the policy layer, then, I think it boils down to this: what confidence can we have that those responsible for exercising such a capability are doing so proportionately, justifiably and accountably? In other words, it raises all the governance and oversight issues which have been so much in the political searchlight in recent months. There are established structures (such as the Intelligence and Security Committee – ISC) which are intended to make it possible for those ‘on the outside’ to be confident that those ‘on the inside’ have to at least tell a cleared and trusted few what they are up to. It is quite possible that those structures, though, are effective at providing policy oversight, but not effective at building and reinforcing public trust. For instance, Tory MP Michael Mates, a long-standing ISC member, has recently said that policy-forming documents he saw in the run-up to the Iraq War would “make people’s eyes water” if and when they are made public through the proposed enquiry… and yet, the Iraq War went ahead.

3 – Can the cyber-security team meet the security policy objective, while simultaneously protecting the UK against repercussions from the policy, safeguarding citizens’ use of the internet, and providing sufficient evidence of accountability to maintain the public trust?

In policy terms, the cyber-security announcement does include a statement about the appointment of an ‘ethics advisory group’ to complement whatever other governance measures are put in place. This group is apparently to monitor the ‘proportionality’ of actions taken under the policy. But the ethical issues don’t stop there.

Supposing the cyber-security folks pre-emptively take down a malicious server outside the UK… presumably they would want to do that in a way which leaves no evidence of the attack having originated in the UK (for fear of reprisals…); perhaps they might consider launching the attack from elsewhere, in the hope that any blame (and retaliation) would fall on someone else.

I think the ethics advisory group is going to have a busy time.


3 thoughts on “UK policy and cyber-warfare”

  1. I suspect your three layers correspond to Churchman's three types of planner (the ones I mentioned in my reply to your comment on my blog): Goal-planner, Objective-planner and Ideal-Planner. I haven't got to the chapter on Ethics in Churchman's book yet. My assumption is that the goal-planner ignores ethics, the objective-planner respects ethics as a fixed environmental constraint, and the ideal-planner actively engages with ethics. In this post (which I take to be ironical), you take the stance of the objective-planner, identifying a job for the ethics committee but not presuming (as a technologist) to tell them how to do their job. Of course the ethics committee ultimately work for us – in our role as citizens rather than as technologists. Are we supposed to keep these two roles separate then?

  2. Robin Wilton says:

    Thanks Richard. Actually I intended most of that post to be pretty 'straight'… but I probably can't keep a tinge of irony out of my tone from time to time. My colleague's advice was primarily pragmatic; her point was that all the reasoning behind your carefully-crafted plan (whether goal-, objective- or ideal-based) counts for nothing once you have handed it to the policymaker and watched them disappear into the Hall of Power. Your plan will survive not on its merits, but depending on whatever other compromises/favours/deals the policymaker has to do that day. One could formulate it less cynically, but it's probably a good working model. As for me… I find the intersection of ethics and technology fascinating – which is why I enjoy this area of work so much. It's the boundary between objective (techie) and ideal (ethical). I'd be tempted to put the policymakers into the "goal-planner" category. I'd feel quite comfortable advising the ethics panel; less so the policymakers.
