Speaking at Glasgow University last week Foreign Secretary Jeremy Hunt called for a strategy that deters hostile states from intervening in free elections and the introduction of a new doctrine of deterrence against cyber-attacks in democracies.
He announced: "Britain now has a National Offensive Cyber Programme, delivered by a Joint Mission between GCHQ and the Ministry of Defence.
"The UK has already conducted offensive cyber-operations against Daesh terrorists in the Middle East, designed to hinder their ability to carry out attacks, protect British and coalition forces, and cripple Daesh’s online propaganda."
He said that the British Government’s starting point is that we must impose a price on malicious cyber-activity, including crime and interference in elections, sufficient to deter authoritarian states. He added that reaction to each individual incident will not be identical and a cyber-attack will not necessarily encounter a cyber-response. However, he stated that the approach to cyber-deterrence does have four uniform principles:
"First, we will always seek to discover which state or other actor was behind any malign cyber-activity, overcoming any efforts to conceal their tracks.
"Secondly, we will respond. That could include naming and shaming the perpetrator in public, in concert with our allies, exposing not only who carried out the action but, so far as possible, how it was done, thereby helping the cyber-security industry to develop protective measures.
"Thirdly, we will aim to prosecute those who conduct cyber-crime, demonstrating they are not above the law.
"And finally, with our allies we will consider further steps, consistent with international law, to make sure we don’t just manage current cyber-attacks but deter future ones as well."
Examples of transparency - naming and shaming - include the British Government exposing a series of incidents, including the Russian cyber-attacks in Ukraine, North Korea’s infection of thousands of computers with ransomware, the targeting of 300 universities by an Iranian group, and the theft of commercial data by hackers acting for China’s Ministry of State Security.
"In every case, Britain made these attributions in the company of our allies. Fourteen countries joined us to expose China’s actions; 19 publicised the operations of the GRU," said Hunt.
But he added that a doctrine of deterrence "will require us to go further," noting how perpetrators must believe they run a credible risk of additional counter-measures – economic and diplomatic - over and above public embarrassment.
Hunt pointed out that the European Union has agreed that economic sanctions, including travel bans and asset freezes, could be imposed to punish malicious action in cyber-space.
He added that last October, Britain helped secure a decision by EU leaders to create a new sanctions regime for this express purpose, and went on to say that after Brexit, the UK will be able to impose cyber-related sanctions on a national basis.
"As for diplomatic penalties, we won’t hesitate to highlight any breaches of international agreements, such as when the operation by China’s Ministry of State Security broke a bilateral agreement with the UK and a commitment from every G20 country not to conduct or support malicious activity of this kind.
The Foreign Office now has 50 ‘Cyber Attaches’ in British embassies around the world, charged with working alongside their host governments to raise the cost of malicious cyber-activity and safeguard a free and secure internet.
Hunt says the UK will increase their number by a further eight as part of expansion of Britain’s diplomatic network. And the UK is helping more than 100 countries to strengthen their cyber-security, partially funded through our overseas aid budget. Among them are Commonwealth members, from Botswana to Jamaica.
"We can no longer afford to wait until an authoritarian regime demonstrably succeeds in changing the outcome of an election and weakening trust in the integrity of democracy itself," concluded Hunt, suggesting that after just a few cases, a pall of suspicion could descend over a democratic process and the damage would be difficult, perhaps impossible, to repair.