Well, they do say attack is the best form of defence. Britain is to develop the capability to launch cyberattacks, not just defend against incoming threats, UK defence secretary Philip Hammond announced this week.

The shift in tactics is part of the Ministry of Defence’s £500 million plan to create a military unit – the Joint Cyber Reserve – that will be staffed by hundreds of reservists, including experts leaving the armed forces and people “with no previous military experience” who have stellar computing skills.

“In response to the growing cyber threat, we are developing a full-spectrum military cyber capability, including a strike capability,” Hammond said in an MoD statement.

Cyber law

The move to a cyberattack stance is thought to have been partly provoked by the joint American and Israeli Stuxnet computer worm – which destroyed hundreds of Iranian nuclear weapons centrifuges.


In addition, a team of NATO lawyers this year decided that international law backs the use of military force or cyberattacks against online attackers whose actions can cause physical harm – whether it is toxic contamination of a reservoir or a power cut to a hospital.

The UK is not alone in considering its attacking options. “Every other nation state is now considering offensive as well as defensive cyber operations as part of their strategy, so it is about time,” says Jay Abbott, a security consultant and a chairman of Cyber Security Challenge UK, an annual competition designed to spot infosecurity and cryptologic talent.

Protecting assets

Care needs to be taken over first strike issues, Abbott says, since it was revealed that Stuxnet, once released, could be reprogrammed and could potentially be used against its creators. “It’s a bit like a missile. Once you’ve fired it, you don’t get to protect it. Stuxnet was completely pulled apart and others learned from it.”

“Whether or not a first strike capability is the right route to go, only time will tell,” says Steve Durbin of the Information Security Forum, a London-based non-profit organisation. “But there is no question that the UK needs to be taking the most appropriate measures and steps to protect its cyber assets.”

The idea of using reservists to provide the cyberattack workforce on an as-needed basis makes sense, says Abbott. “The Territorial Army already has for many years had what’s called the Land Information Assurance Group. LIAG’s members are regular reservists who also happen to be strong computer techies – and it sounds like this MoD move is an extension of this.”

The MoD says it will begin a pilot recruiting scheme in October, working out how training, employment and retention of “cyber reservists” will be done in practice.