that this is in itself resource-intensive – the Government must always consider 'naming and shaming'.
21. Nonetheless, this is an era of hybrid warfare and an Offensive Cyber capability is now essential. The Government announced its intention to develop an Offensive Cyber capability in September 2013, and in 2014 the National Offensive Cyber Programme (NOCP) – a partnership between the Ministry of Defence and GCHQ – was established.[1]
22. The UK continues to develop its Offensive Cyber capability. The Ministry of Defence and GCHQ have described it as a "genuinely joint endeavour".[2] This has led us to question whether there are clear lines of accountability. The Committee was assured by the Chief of Defence Intelligence that:
By executing a joint mission, we [the Ministry of Defence and GCHQ] can move seamlessly between one set of authorisations and another, making sure we're acting appropriately, but those that are managing the capability are able to make that switch and run those operations effectively.[3]
We expect to be kept updated on how the dual authorisation process is working as the capability itself continues to develop.
23. GCHQ and the Ministry of Defence have in recent years adopted a more open posture on Offensive Cyber,[4] for example with public references to the successful prosecution of a major Offensive Cyber campaign against Daesh. The issue of Offensive Cyber is addressed in more detail in the classified Annex to this Report.
24. *** – GCHQ acknowledged that*** it would have to broaden its recruitment base, with a shift towards recruiting on aptitude rather than on pre-existing skills. It was also interesting to hear that Defence Intelligence is taking steps to develop and retain these skills through revision of the military resourcing model, which will mean military personnel remaining in cyber roles for longer than the current one to two years. The Committee supports the lengthening of posts as a general principle across the board, not just in Defence Intelligence and not just in cyber. Corporate knowledge and experience are continually lost across Government with such short rotations, and there is a question as to how long an individual needs in a post in order to start contributing or whether they move on just as they are up to speed. We commend Defence Intelligence for being the first to recognise this problem and take action.
25. Whilst the UK must have its own defensive and offensive capabilities, it must also be prepared to lead international action. In terms of attribution, it is apparent that not everyone is keen to adopt this new approach and to 'call out' Russia on malicious cyber activity. The Government must now leverage its diplomatic relationships to develop a
- ↑ The announcement by then Defence Secretary Philip Hammond also included the launch of a Cyber Reserve Unit.
- ↑ Oral evidence – GCHQ, *** February 2019.
- ↑ Oral evidence – Defence Intelligence, *** February 2019.
- ↑ The Director of GCHQ referenced the cyber campaign against Daesh in a speech at CyberUK on 21 April 2018.
7
