Update: After I published this post, it was reported (check the update on Kim Zetter’s story here) that the US government had denied cancellation or delay of “any cyber operations directed against malicious Russian targets”. In respect of which denial, I may have been the only person drawn to speculate on the significance of the word “malicious” - and whether it operated as a qualifier or mere descriptor. In any case, please bear this in mind when reading the post below, which, assuming all US cyber operations were directed against “malicious Russian” cyber activity, might still prove instructive as a reflection on what questions for UK cyber statecraft might be entailed by future shifts in US cyber strategy.
According to one report today, there is “shock” in the UK security commentariat about a recently reported US decision that could leave the UK “more vulnerable” to Russian cyber threats. This isn’t how I would frame the implications of that US decision for UK cyber statecraft - at least, not on the basis of what we currently know.
The US decision - first reported in The Record - reportedly involves a temporary pause on offensive cyber operations against Russian targets. The reported rationale is that, whilst the US tries to broker negotiations to end Russia’s war against Ukraine, it wants to suspend US cyber operations which might displease Russia and therefore jeopardise the negotiations.
The scope of this order (more reporting here and here) isn’t thought to include cyber espionage or signals intelligence against Russian targets. But that still leaves quite a lot of uncertainty about what operations, against which targets, and at which point in their respective life cycles, are potentially affected by this decision. Nor do we yet know what, if any, criteria are in place for resuming said activities depending on the outcome of the aforementioned negotiations.
Clarity about these details matters. Without it, there is a lot of uncertainty to navigate for anyone trying to determine the implications for the UK and other US allies. Reportedly, something like one quarter of US offensive cyber effort is devoted to Russian targets. That is a scale of activity that the UK could not simply accept as new tasking for its own, much smaller National Cyber Force.
But the UK will absolutely want to clarify where the US decision leaves allied cyber operations against Russian targets. It might be that there are no immediate changes necessary in the UK’s existing prioritisation of cyber missions. Even if there were, that would probably raise some sensitive questions about whether the US would actually prefer the UK - or any other ally - to refrain from filling gaps that the US had intentionally created. The UK might not, for example, share the Trump administration’s theory about how best to influence Russian government behaviour towards peace negotiations (and the decision has already been criticised from this standpoint), but it would need to think very carefully about doing anything that could be perceived as trying to undermine the intended effects of the US decision.
The hypothetical case where that would become most difficult for the UK would be something like this: if the US decision paused cyber operations to frustrate Russian hostile state cyber actors or cyber criminals, then the UK might hypothetically find itself in a position where it must choose between denying those malicious state or criminal actors the ability to victimise UK targets, or choosing not to do so because of wariness about any perceived US reaction. You can assume that where the UK judges it to be in UK interests, it will act. But you can also imagine that there could be some cases where that judgement requires prioritising between different interests.
These problems would obviously become more significant over time, so the length of the pause is a key question, as is the prospect for “post-pause” US operations being significantly different (in totality, restrictions, etc.) from “pre-pause” operations. The UK’s response to this decision would need to reflect not just on what, if anything, needs to happen now, but also on what might become necessary if the US pause were to continue to the point where it became proof of the expression that “nothing endures like the temporary.” If the Trump administration were to execute a wider shift in its operations against Russian targets - perhaps less sweeping than the reported order, but a more nuanced change that persisted over time could still be significant for US allies - then it would absolutely require allies like the UK to think very carefully about what new areas of operational activity they might need to prioritise.
The great advantage of a strong partnership with the United States is that, so long as the UK and US share the same perception of threats and necessary responses, the UK benefits from the superior size and capability of the US cyber force. It should be possible for the UK to maximise the outcomes from its own, smaller investment in offensive cyber, if the UK ensures a de-conflicted division of effort with the US.
But an obvious consequence of this approach is that US decisions about US operations can have a direct and significant impact on the totality of allied effort against particular targets, and can thereby affect the calculation about how the UK and other US allies should be using their own cyber forces.
If, over time, there is a divergence between UK and US prioritisation of Russian targets, then this would require the UK to think again about how much of its finite offensive cyber resources are devoted to Russian targets, and what would have to give elsewhere to make this possible. That’s a very different point from claims that the current US decision makes the UK more vulnerable to Russian cyber threats - a claim which anyway assumes that the UK has itself no effective means of deterring and responding to such threats, which is to deny UK agency in this domain. But it is certainly the case that developments in US cyber strategy can have implications for allies’ cyber strategies. Like so much else in UK statecraft, the US dimension is a crucial element of UK cyber statecraft.