UK foreign policy in a shifting world order Contents

Chapter 3: The transformative nature of new technologies

The proliferation of digital technologies

105.Dr Madeleine Albright, former US Secretary of State, and Chair, Albright Stonebridge Group, told us that the internet has been “a double-edged sword.” While “it was supposed to be … democratising”, it had “disaggregated people’s views in such a way that it’s actually hard to have political parties, and everybody has their own echo chamber”.153 Dr Bolt described:

“one universal media space and all battles take place within that single global media space… It is endless feedback loops that circulate 24 hours a day, seven days a week, without end. Whether it is traditional or legacy media, such as television, radio, cinema and the press, or digital media, such as video games or all forms of cyber and social media, they are all interconnected and they all feed off each other. The difficulty is that inside that spaghetti junction [are]… echo chambers. … [in which] quite extreme discourses become normalised”.154

106.Nima Elmi, Head of Policy Initiatives, World Economic Forum, said “emerging technologies … make us much more interconnected, integrated and interdependent.”155 Merle Maigre, then Director, NATO Cooperative Cyber Defence Centre of Excellence and former Senior Policy Adviser to the President of Estonia, said “the spread of broadband internet access, where every second person on earth is online” had resulted in states becoming “more vulnerable to the malicious-minded use of the internet”.156 The Women’s International League for Peace and Freedom UK said that as a result of new digital technologies, “society has a much greater awareness of what is happening politically in the world, and better opportunities to develop transnational activism using social media and other digital technologies influencing decision makers.”157 Participants in the early-career experts roundtable noted the role that digital communication tools had played in allowing collective action to undermine elite authority, most recently with the #MeToo movement. However, they said that some governments had effectively harnessed them to extend state control.158

107.During our visit to Washington, officials from across the Administration and legislators from both parties were concerned that the disaggregation of information and the loss of trusted sources was making it difficult to govern. One senior official expressed concern that a significant minority of Western citizens was increasingly believing in conspiracy theories about their own governments and adversaries, which affected the Administration’s ability to achieve broad public support for aspects of its foreign policy.159

108.The Foreign Secretary said that technology was “already making its presence felt” and would be a “huge change” in the coming decades.160 Lord Hague told us that there were major global events that could not have happened were it not for the arrival of digital technologies:

“One of the earliest and most obvious examples of this was the Arab Spring at the beginning of 2011 … That would have been impossible to do 10 years before, before the rise of Facebook. Maybe a revolution would have happened in some other way at some other time but it could not have happened in that way or with that speed. There are many other examples of other political leaders arising, such as President Trump, who probably could not have been elected without social media, and the rise of ISIL, or Daesh, with a global franchise of terrorist activity, which would have been impossible to run 10 years before.”161

An earlier stage in the global communications revolution was the development of 24–hour news cycles, which accelerated the development of similar events in the Russian Federation and Eastern Europe towards the end of the Cold War.

109.Dr Haass took a different view: “technology is a part of” the “greater disarray” in the world but he “would not exaggerate its significance.”162 Dr Andrew Futter, Associate Professor in International Politics, University of Leicester, said “we need to make sure that we focus, even in this era of emerging technology and lots of new challenges, on people. It is people who will write the code, build these systems, make decisions based on them and operate them. We have talked about the technology part, but the human interaction with the technology is important as well.”163

The nature of defence and security threats

110.Dr Kello told us that it was now possible to do “significant harm to a nation’s political, economic and social life without firing a single gun.” The advent of cyber capabilities had brought the world to a state between war and peace, which he termed “unpeace”. There existed “mid-spectrum activity, the consequences of which are not overtly violent or destructive in the way that traditional acts of war are, but nor are they tolerable in the way that traditional peacetime competition is.”164 Lord Hague gave Russian activity in eastern Ukraine as an example of the difficulty facing governments in being able to say what is and is not a “state of war”. Russia had been able to combine “deniable military actions, non-attributable social media operations and cyber-attack”, which had allowed Moscow to blur “the distinction between war and peace.”165

111.The FCO said this “rise of disinformation and hybrid threat[s] poses a major challenge to governments and democracies around the world.”166 General Sir Adrian Bradshaw KCB OBE, former Deputy Supreme Allied Commander Europe, NATO, said this was not wholly new: there had “always been this phenomenon of hybrid warfare because, at a strategic level, if you want to achieve big strategic ends, you have to combine the levers of national and collective power”. There were now “new elements within this, particularly cyber and a rather different information environment to the one that pertained decades ago”.167

112.Cyber capabilities have changed the nature of security policy. Dr Kello said “the objective of security policy” had been “to keep your adversary outside. That is certainly true of conventional military doctrine. Today, in the cyber context, it has to be a starting assumption of security policy that your most persistent adversaries are already living inside your vital infrastructure, and you might not even know about it.”168 Box 2 outlines a cyber-attack—NotPetya, in Ukraine—and its consequences.

Box 2: The NotPetya cyber-attack

A notable example of the use of cyber capabilities to disrupt was the NotPetya attack, which took place in Ukraine in June 2017.

NotPetya malware was used by hackers to compromise a piece of accounting software needed by Ukrainian companies to file their tax returns. Since the software was required by the Ukrainian government it had been installed on most businesses’ computers in Ukraine, hence the impact of the malware was extensive. The malware was undetected for four days, in which time it spread across every network, disabling about 10% of government computers and 10–12% of businesses.169

The consequences for daily life in Ukraine were wide-ranging. The effects included:

  • There was an estimated loss of up to 0.5% of GDP;170
  • Medical staff were unable access patient records, so treatments were delayed;
  • Banking systems were significantly affected, including the use of bank cards and ATMs, and the ability of people to access their accounts;
  • Retail businesses were unable to sell to customers due to the disrupted financial systems;
  • Businesses faced irretrievable data loss, which severely affected their operations. Some businesses subsequently closed;
  • Infrastructure including electricity was disrupted; and
  • Broadcasters were unable to broadcast.171

Analysis found that the attack “masqueraded as a criminal enterprise but its purpose was principally to disrupt”, and targeted Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.172

On 15 February 2018, the attack was publicly attributed to the Russian government by the UK Government, after analysis by the National Cyber Security Centre. Other nations including the US and Ukraine also publicly attributed the attack to Russia and condemned it.173

113.The Joint Committee on the National Security Strategy identified the threat posed by the possibility of cyber-attacks on the UK’s critical national infrastructure in its report National Security Capability Review: A changing security environment.174 Dr Madeline Carr, Associate Professor of International Relations and Cyber Security, University College London (UCL), cited the “paradox of the information age” that “the states that have integrated digital technologies into their infrastructures most successfully are most vulnerable to the threats that they present.” This paradox undermined a previous belief that the “state with the most advanced technology” was most dominant in conflict.175

114.Ms Maigre gave a different opinion: while “we often hear that you can have either online freedom or online security”, Estonia’s experience following its 2007 cyber-attack,176 showed that “you can have both”. It had, since the attack, expanded the role of digital technologies in the provision of government services. It was possible to “be transparent and have online freedom while maintaining vigorous cybersecurity rules and procedures”.177

115.Participants in the early-career experts roundtable said the threshold for conflict had been lowered in part due to the difficulty of attributing actions in cyberspace to specific state actors.178 Dr Carr said that while it was often possible to attribute the geographic source of a cyber incident, i.e. to a specific location on the planet, it “can be very difficult or impossible to attribute cyber incidents conclusively to an actor”.179 Dr Gianluca Stringhini, Associate Professor in Computer Science and Crime Science, University College London, said “the difference between cyber weapons—the code that is exploiting vulnerabilities and computers—and traditional weapons is that, once a cyber-attack is launched, the other party can essentially intercept your tech traffic, re-weaponise it and use it later against someone else.” For example, “Wikileaks leaked alleged evidence last year that the CIA was using code from other countries to attack third parties and make it look as though another country was responsible for it. This creates many challenges for diplomacy, because someone might suddenly be blamed for an attack that they did not commit.”180

116.Several witnesses said the challenge of attribution was further complicated by the role of non-state actors. Dr Stringhini told us that “People can attack victims from far away, hide their tracks … make it look as though it is another nation state performing the attack. Often, the two groups are not ‘disjoined’, so we are witnessing non-state actors collaborating with national states to perform cyber warfare, if you like.”181 Ms Maigre told us that “very often, the attacks themselves are conducted by non-state actors”. The target states then needed to consider how to establish a line of command between the state and the non-state actor.182

117.General Sir Adrian Bradshaw told us that this made it difficult for states to determine how to respond. He said “deterrence in the cyber world” was “incredibly hard to achieve”:

“You have the difficulty in identifying who is doing what. Then, if you are dealing with non-state bodies or if it is difficult to attribute the activity to a state, you have the question of whether it is appropriate to respond in a way that damages the host state when you cannot get at the unidentifiable body that is attacking you.”183

118.Lord Hague said that, in light of the challenges of attribution, there were “some suggestions that the burden of proof should be lessened so that we can do without conclusive technological proof that can attribute an attack and rely on evidence such as who had the motivation or which actor had the capacity or stood to gain most from such an attack.” He said this was “a worrying trend, as it leaves us open to these things being spoofed. If we no longer rely on conclusive technological evidence of an attack and rely instead on factors that can be faked, we leave ourselves open to responding to an attack that we should not respond to”.184 We discuss NATO’s response to cyber threats in Chapter 4.

119.Ms Maigre explained that the process of attribution did not rely on “digital forensics” alone. It could “also be based on intelligence, including reliable human intelligence; strategic context, patterns of activities, and the modus operandi of states and their motivations.”185

120.Dr Andrew Futter told us that cyber threats had made existing “instruments of hard power more vulnerable.”186 For example, it was reasonable to assume that there would be state actors who would want to compromise the UK’s nuclear deterrent. Dr Futter distinguished between “intention and capability” but said “the truth is that it can never be invulnerable. No one could say that it is impossible that that submarine, that missile, that warhead and the people involved could be attacked or compromised in some way.” Explaining how this might happen, Dr Futter highlighted the Stuxnet cyber-attack, which was able to jump ‘the air gap’(the term for operating systems that are not connected to the public internet):

“If we take the analogy and call this a sea gap, just because the submarine is somewhere in the north Atlantic on the ocean bed does not mean that it has not been compromised before, at the manufacture stage or with a whole host of other suppliers. Do I think this is likely? No. Is it possible? Yes, probably.”187

General Sir Adrian Bradshaw disagreed; he did not think it was possible “because our nuclear capability is physically protected.”188

121.Several witnesses discussed the possible comparison between the proliferation of offensive cyber capabilities today and the development and proliferation of nuclear weapons during the Cold War. Mr Maidment said there were “interesting parallels between the two.”189 Dr Kello emphasised “the sheer speed and volatility of change”:

“If one compares it again to the nuclear context, one sees that nuclear weapons today are not much different to what they were in the 1970s, largely as a consequence of legal and institutional freezes on the development of those weapon systems. In the cyber context, what was a sophisticated artefact a few years ago might seem crudely unsophisticated and outmoded today.”190

122.When asked whether there were lessons to be learned from the development of a protocol on responding to the threat of nuclear weapons, General Sir Adrian Bradshaw said we should be careful:

“First, with nuclear weapons, rather more obviously their use results in massive destruction straight away. The potential damage is almost unimaginable. The difference is that with cyber warfare there is a matter of degree. A cyber-attack could be relatively mild; it is difficult to imagine a relatively mild nuclear attack. So it is a slightly different scenario in terms of proportionate response. There are other differences. In order to get on to the nuclear team, you have to have certain resources, technical and financial, and there are some really difficult hurdles to get over. That is less the case with cyber; you can get in at entry level with much more modest resources, which is why it is a possibility for so many different nations.”191

123.Franklin D. Kramer, former US Assistant Secretary of Defense for International Security Affairs, told us that while “cyber has gotten the most attention” there were a lot of challenges caused by other new technologies to consider.192 Dr Ulrike Esther Franke, Policy Fellow, European Council on Foreign Relations, gave the example of the already “widespread use of military drones on battlefields around the world.” Drones have “changed our battlespace awareness” with soldiers now able to maintain “24/7 surveillance and reconnaissance” and able to “be directly involved in battle while being very far away.”193

124.Some witnesses discussed the prospect for and challenges caused by increased automation on the battlefield, an issue discussed in the House of Lords Artificial Intelligence Committee’s report, AI in the UK: ready, willing and able?194 Dr Franke said “fully autonomous weapons” did not yet exist: “We do not have the kind of killer robot-type weapons where artificial intelligence is used to find targets and engage them. But there are some plans to develop these.”195 Dr Futter gave the example of a recent announcement by Russia that it was considering developing a “nuclear-armed submarine drone”. This would “essentially be an autonomous nuclear-weapon system. It would be very hard to see how it would be controlled or have much human oversight.”196

125.When considering whether new technologies have revolutionised warfare, Dr Futter said they had “reinforced and augmented hard power rather than shifting it… [Cyber] has been a force multiplier of many things.” Digital technologies were having the biggest impact

“in support systems: greater intelligence collection capabilities, perhaps through drones; better command and control communications; greater precision; and situational awareness through satellites and other technologies. All these have made the use of hard power and force more doable and at least given different options and flexibility in what countries are able to achieve.”197

126.Dr Franke said that, while technology was significant, the human aspect should not be forgotten: “it is important to understand that we may be adding more layers to the battle space but, in the end, to put it bluntly, it will still probably come down to 18-year-old soldiers dying somewhere in the mud”. She thought that “in the next big confrontation, the first attack will probably be cyber and then we will have machines, drones, autonomous weapons of whatever kind fighting the first attacks, but it will always end up with actual people being in war.”198

127.According to one senior US official during our visit to Washington, “a cultural change” had been needed in the Administration. They told us that the economic and security effects of new technologies had previously been considered entirely separate. Senior officials told us that ‘cyber security’ and the ‘digital economy’ were now considered part of the same policy issue where possible.199

The rising power of technology companies

128.Mr Maidment told us “We have a world in which political power is fragmenting and new nodes are beginning to form, while economic power is concentrating. You see that happening very clearly with large multinational tech companies.”200 Sir Mark Lyall Grant said that “the Government can no longer keep their citizens safe from cyber or terrorism … over recent years the Government have increasingly relied on companies and individuals in order to help them keep the people safe.”201 Mr Hannigan said that technology companies “own the infrastructure of the internet”,202 and some of them “have a larger turnover” than many states.203

129.Professor Clarke told us that power was concentrated in cyberspace: “Microsoft and Apple are more or less a global duopoly; Facebook, Amazon and Google are near-monopolies.”204 We were told that Sir Tim Berners-Lee, inventor of the worldwide web, had recently warned that technology companies are “unaccountable and unknown to the general public” and that we should be concerned about the “the concentration of power in companies such as Facebook and that a handful of platforms … control which ideas and opinions are seen and shown”.205 Dr Franke said that in the defence and security sector the development of drones was an example of the “commercial sector catching up if not overtaking the military sector.”206

130.Hugh Milward, Senior Director, Corporate, External and Legal Affairs, Microsoft, disagreed with the idea that technology companies are not accountable. He said that Microsoft, for example, is accountable both to its shareholders and customers, and “to every government in whose jurisdiction we operate”. He said there was “a responsibility that comes with the ubiquity of technologies … When we are in people’s homes and offices, we have a responsibility to behave in a certain way.”207

131.Our witnesses identified two areas where the private sector could play an important role. First, Professor Maura Conway, Professor of International Security, Dublin City University, said social media companies had a significant part to play in dealing with the use of the internet by terrorist groups. The response of these companies had “not [been] what many governments and policymakers thought it ought to be.” She said that progress had been made in recent years, but there were “governments and policymakers who still do not think that the response is sufficient”.208

132.Second, there was a role for private companies in defending against cyber threats. Mr Hannigan said that the “key insight, which we probably came to late but more quickly than most others, was that governments cannot do this … this is really about the private sector. This is about the economy. The attacks are on the economy. The data is in the economy.”209 Sir Mark Lyall Grant said the Government had established the National Cyber Security Centre (NCSC), the agency of GCHQ responsible for supporting the public sector, industry and businesses with their cyber security, to help deal with this issue.210

The impact of technology on the balance of power

133.Witnesses discussed the ways in which new technologies have affected the balance of power. Sir Tony Brenton called cyber a “poor man’s weapon”;211 it had lowered the ‘barrier to entry’ into international relations. Mr Maidment said “International relations have not been immune to the cheap digital revolution that the commercial and business world has experienced. That also means now that very small numbers of people can become international actors in international affairs in a way they never could in the past.”212

134.A second area was Russia and China’s use of technology. A US government official told us that new technologies had allowed an “asymmetrical shift in the balance of power” towards Russia.213 As we discussed earlier in this chapter, the emergence of a cyber theatre in international relations has allowed for disruptive and aggressive acts to take place below the threshold of war. For example Russia “knows it would lose” a war with NATO,214 but had been prepared to conduct cyber-attacks.

135.An official in Washington told us that the US, and the wider West, had been on the defensive in cyberspace for “the last 10 years”, and predicted this would remain the case for the next decade. Another senior official said the US remained concerned that emerging technologies could allow an adversary to “quickly challenge” the US and its allies.215

136.Ms Maigre was less pessimistic: “the picture is not that gloomy … We see that nations have been quick to adapt to the new threats and are taking steps to enhance their posture in cyberspace.” She concluded that “the balance of power in international relations remains unchanged in principle”. However, this balance had “shifted significantly in relation to the distance. Distant objects can now be targeted with cyber-attacks within seconds.”216

137.Professor Clarke thought that “the control of so much cyberspace still resides—at the moment—in Western societies,” giving Western countries power.217 However, Mr Maidment thought that “control of cyberspace” was “already being distributed out to Asia. The largest Chinese e-commerce company is already larger than Amazon.” China, and other authoritarian states, had a greater degree of control over its national technology companies.218 Although it remained far behind the US in terms of military power (as discussed in Chapter 2), Dr Chu highlighted the potential for emerging technologies to give it “first-mover advantage”:

“I want to highlight … China’s vast investment in quantum technologies219 in recent years. This has been identified by the Pentagon as one of the most important emerging technologies, and any country that wants to lead the next military race will have to try to enjoy first-mover advantage in this particular area.”

She said that if China were to develop quantum capabilities before the US, “we are likely to see a very important shift in the balance of power.” 220

138.At present, however, “the US still leads in military terms, as well as in quantum technologies and artificial intelligence; it still has a very strong private sector, with very able firms able to lead”.221

139.Third, several witnesses spoke of cyber espionage as having the potential to affect the balance of power. Dr Futter said it was possible for state actors to “invest in cyber espionage, trying to steal secrets about weapons design”.222 Several witnesses referred specifically to Chinese cyber espionage. Dr Kello said there had been an incident where “Chinese agents stole through cyberspace several terabytes of data, including the stealth engine designs of the F-35, the most expensive and longest-running weapons programme in the United States.” It had then “built, at a much lower cost and in a shorter time, the J31 aircraft, which, according to some analysts, is aerodynamically superior to the F-35.”223

140.Fourth, Dr Ulrike Franke said that by removing more people from the battlefield, increased automation could mean “that players that were not as strong before because they did not have as many people … could become stronger because the impact of the number of people may become less important.”224

141.Fifth, technologies have empowered non-state actors. Professor Conway told us that terrorist groups were using the internet to increase the impact of their existing activities, as well as potentially allowing them to engage in “so-called cyberterrorism”.225 Dr Stringhini said “organised criminals, non-state actor adversaries, are using technology and the internet to perpetrate crimes.”226 As discussed earlier in this chapter, non-state actors sometimes cooperate with state actors, further complicating the issue.

142.Finally, some witnesses highlighted more positive changes to the balance of power resulting from technology. Ms Elmi said developing countries have been able to use new technologies to “leapfrog” stages in their development. Ms Elmi gave the example of the use of mobile technologies to give people access to financial services.227

143.The relatively low cost of some cyber capabilities is one more technological factor that has created an asymmetrical shift in the balance of power. Russia, for example, is able to disrupt international affairs despite its declining economic position.

144.Increased connectivity increases the vulnerability of critical national infrastructure to attack.

145.Major developments in emerging technologies, such as artificial intelligence and quantum computing, by China and other rising powers could further alter the balance of power.

Technology’s impact on international relations

146.Dr Carr thought that “Digital technologies have fundamentally undermined the social nature of international relations because of the capacity for anonymity and the problems that attribution brings”. The “mechanisms that we use to address challenges—diplomacy, international law, political conflict—all rest on the fundamental principle that we know who we are engaging with and we understand that there is that social element to international relations.” She viewed “that difficulty of not knowing who we are interacting with” as “the most challenging aspect of international relations in the information age”.228

147.Sir Simon Fraser said that while new technologies have given the opportunity for greater people-to-people relations, “when you are conducting international affairs, in the end they are international; they are between nations and between governments, whether expressed through bilateral or multilateral relationships and instruments.”229 Lord Ricketts told us that foreign policy making was “now much more influenced by and open to contest from a whole range of different sources” but “foreign policy, defence and national security policy come down to the policies of governments”.230

148.Lord Ricketts said governments “have faced propaganda and efforts to influence public opinion for ever. But it has intensified and become sharper and more aggressive with the advent of our connected world, and with it the opportunity for states and other groups to try to hijack democratic processes and turn them to their advantage and to manipulate the free media. It is definitely a factor.”231

149.Professor Evans took a different view of the significance of new digital technologies in international relations:

“The digital revolution has been used as an excuse for everything, with 24/7 media cycles and people’s passion for Twitter and 140-symbol communication being seen as a dumbing down—an inability to cope with complexity—which is at odds with the kind of complexity and give and take necessary to operate a multilateral agenda. I hear this all the time; we all do. But I think it is an excuse rather than an explanation.”

He thought the best approach was not to be “too spooked by these new phenomena”.232

150.Lord Hague discussed the effect that new technologies have had on national sovereignty. Digital technologies had “opened up new types of action in international relations, in some areas, blurring the distinction between war and peace”—as discussed earlier in this chapter—and “making it easier to intervene in the affairs of another state.”233

Technology’s impact on the conduct of diplomacy

151.Dr Constance Duncombe, Lecturer, Politics and International Relations, Monash University, said social media was “now an important tool of diplomacy”. Both “Government leaders and diplomats are increasingly using social media platforms such as Twitter, Facebook and Instagram to communicate with their counterparts”.234 Tom Fletcher CMG, former Ambassador, and Visiting Professor in International Relations, New York University, gave the example of the British Ambassador in Cairo, John Casson, who has over one million Twitter followers.235 Diplomacy was experiencing an “evolution” due to new technologies.236

152.Several witnesses commented on the relatively recent ability for world leaders to communicate directly with each other using new technologies. Lord Hague speculated that President Trump is likely to be in touch with other world leaders through WhatsApp. Had “Ronald Reagan wanted to talk to a Middle Eastern leader”, then “he could not have done so without his officials and the State Department knowing what he had said”. In contrast, “President Trump can do that now. When American policy gets confused over relations between the Gulf states—the recent events in Qatar, for instance—I wonder whether these informal networks are competing with the formal official networks. So it is making a difference to how relations are conducted.”237

153.Mr Fletcher told us “diplomats have always been slightly frightened of any form of communication that allows leaders to speak to each other more without having to go through them.”238

154.Digital communications tools have intensified public and lobbying pressure on governments, increased the number of actors involved, and resulted in a much wider audience for foreign policy making. This connectivity has increased the pace at which some events take place and information is disseminated, such as during the Arab Spring, as well as governments’ ability to understand events, and the speed at which they have to respond.

155.It will be important for the FCO and the UK’s diplomatic missions abroad to capitalise on the usefulness of digital communications and to be proficient in their use. But care will be needed to avoid crossing the line into interference in their host country’s internal politics.

The challenge of global cyber governance and regulation

156.Several witnesses discussed the prospects of an international agreement regulating behaviour in cyberspace. Professor Clarke said that “all innovations come through, first, invention, then growth—usually chaotic growth—then commercialisation, then regulation.” On cyberspace, “we are half way through the commercialisation phase, and the regulation phase is still kicking in. We do not know how that will resolve itself over the next, say, 20 or 30 years.”239

157.One challenge raised by witnesses was that cyberspace is still evolving.240 Dr Andrea Calderaro, Director, Centre for Internet and Global Politics, Cardiff University, said the “main challenge” was that “the technology evolves more quickly than our capacity to understand the nature of that technology, especially when we need to discuss and identify policy reactions.”241

158.Mr Hannigan raised a second challenge: the difficulty in verifying what cyber capabilities other countries have. He said that “first, it is much more difficult to measure who is responsible and what they are doing, and secondly, you may well not want to reveal how you know that. It is relatively easy in traditional arms control because you can see the explosion and measure it and you can see roughly who has done it, but cyber is more complex”. Nonetheless, “that does not mean we should not try”.242

159.Third, witnesses considered the high number of countries with a role in cyberspace to be a further obstacle to an international agreement, relative to arms control treaties. General Sir Adrian Bradshaw told us that because the ‘cost of entry’ is much lower for offensive cyber capabilities than traditional capabilities, “it is a possibility for so many different nations.” It was therefore “rather more difficult to imagine some sort of arms control structure”:

“It is difficult enough getting one or two nuclear powers to agree to an arms control structure. Getting the world community, and every potential player in cyber warfare, to agree to structures and then ensuring that they abide by the rules—when it is rather more difficult to identify who is doing what in the cyber domain even than in the nuclear domain, where there is considerable scope for masking things—would be even harder.”243

160.The positions of Russia and China were a fourth factor. Dr Carr said that for 20 years, “Russia and later China have been calling for an international treaty, arguing that there is a need for some hard law and agreement on what is acceptable state behaviour in cyberspace.”244 Ms Maigre told us that they were “taking great advantage” of the fact that there was international disagreement about whether or not a new treaty was needed to govern cyberspace or whether existing international agreements should apply. She said countries like Russia and China “come up with proposals saying that new law is needed in cyberspace, but it takes decades to negotiate new treaties and, in the meantime, they are free to operate in cyberspace as they please, claiming that existing international law, or at least big parts of it, do not apply to cyberspace.”245

161.Ms Maigre cited the NATO Collective Cyber Defence Centre of Excellence’s Tallinn Manual and the Tallinn Manual 2.0,246 which she called “the most comprehensive guide so far to how international law applies in cyber space”. She said that NATO had declared at its 2014 summit in Wales that international law applied in cyberspace. Ms Maigre told us:

“the existing international law, with all its complexities, does apply to all state activities, be they carried out in the physical realm or in cyberspace. That said, we recognise that international law is always evolving, through state practice as well as the creation of new treaty law. But when it comes to cyberspace it is evident that that the political will that is required to establish new treaty law is very often overwhelmed by political disagreements on the conceptual level. Here I refer to the understanding of cybersecurity principles that are initiated by the like-minded nations of the West vis-à-vis information security, which is a term I would apply more to countries such as Russia and China.”247

162.Dr Carr identified a fifth complication: while states have agreed that international law applies in cyberspace, “they have been unable to agree how to apply it. There has been no consensus on what constitutes the use of force or an armed attack, in part because cyberspace does not have this physical dimension.”248

163.The choice of international forum to deliberate on international cyber issues was a sixth issue. Dr Carr said that “many of these forums we are talking about [have] old, existing cybersecurity problems [and] no capacity to understand the future problems that are either imminent or in the near future.” She said the UN was “probably not agile enough to deal with those foresight problems.”249

164.Several senior US officials told us in Washington that the US thought a ‘coalition of the willing’ was preferable to a ‘lowest common denominator’ approach that would result from seeking a global consensus. This meant, according to the officials, that Russia and China would be likely to be excluded.250

165.Witnesses stressed that decisions taken today would have a legacy: “A lot of the decisions that we are making now will have lasting influence.”251 Peter Wells, Head of Policy, Open Data Institute, gave two examples: the standards applied to the first wagonways in the UK had gone on to set the standards for the width of rockets in the US space programme, and decisions taken by the Romans in Britain on where towns were sited still affected the UK today.252 Professor Clarke urged the West to make its mark: “while the control of so much cyberspace still resides—at the moment—in Western societies, there is a good possibility that a version of the rules-based international order could be articulated with those monopolistic elements … over the next 10 years, before the control and dominance of cyberspace diversifies much more fully to Asia and other parts of the world.”253

166.Lord Hague proposed seven principles that “should underpin future international norms about the use of cyberspace” at the Munich Security Conference in February 2011. The principles were:

Mr Hannigan described these principles as “very sensible”.255

167.Cyber security is an increasingly important global challenge. The UK has strong capabilities in this area; this presents the UK with an opportunity to be a world leader on a critical global issue.

168.A problem facing any international agreement on cyber security is that attribution is uncertain and the involvement of private actors extensive. Any new rules pose the question of to whom they should be applied, and whether the source can be located.

169.It is unlikely that there would be agreement on a comprehensive, binding international treaty on cyber security. Instead the Government should convene like-minded countries into a ‘coalition of the willing’ to establish ‘rules of the road’ in cyberspace, using Lord Hague of Richmond’s seven principles for an international agreement on cyberspace as the starting point. These ‘rules of the road’ would lay the groundwork for a more binding international agreement in the future.

170.We welcome the Government’s work within NATO to develop the Alliance’s thinking on cyber issues. It should seek to play a leading role in establishing cyber norms, increasing the Alliance’s cyber resilience, and developing a common understanding of the potential impact on security and warfare of emerging technologies such as increased automation.

171.The active engagement of technology companies in establishing behavioural norms in cyberspace, and in any potential enforcement of those norms, will be crucial. The Government should seek better to engage technology companies and international partners in developing rules on cyber security and governance, and solving the challenge of attribution.

153 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

156 Q 65. In January 2018, there were 4.021 billion internet users, of a global population of 7.593 billion (53%). We are social, ‘Digital around the world in 2018’:–001-GLOBAL-OVERVIEW-V1.00.png [accessed 27 November 2018]

157 Written evidence from The Women’s International League for Peace and Freedom (FPW0023)

158 International Relations Committee, Record of roundtable discussion with early-career experts 27 June 2018 (1 October 2018):

159 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

161 Q 9.Another example of the use of digital communication tools during significant international events was the use of social media by Turkish President Recep Tayyip Erdoğan during the attempted coup in July 2016. President Erdoğan used the video communication platform FaceTime and the social media platform Twitter to encourage his supporters to protest against the ongoing coup attempt, which contributed to its failure. Merhul Srivastava, ‘How Erdogan turned social media to help foil coup in Turkey’, Financial Times (16 July 2016): [accessed 27 November 2018]

166 Written evidence from the Foreign and Commonwealth Office (FPW0027)

169 Q 58 (Hugh Milward)

170 Marc Jones, ‘Ukraine expects IMF tranche, market return in autumn’, Reuters (5 July 2017): ( [accessed 4 December 2018]

171 Q 58 (Hugh Milward)

172 Foreign and Commonwealth Office, National Cyber Security Centre, and Lord Ahmad of Wimbledon, ‘Foreign Office Minister condemns Russia for NotPetya attacks’ (15 February 2018): [accessed 4 December 2018]

173 Ibid.

174 Joint Committee on the National Security Strategy, National Security Capability Review: A changing security environment (First Report, Session 2017–19, HC 756, HL Paper 104) The Joint Committee has reported on the Government’s approach to ensuring the cyber security of UK critical national infrastructure, in particular how it works together with private-sector operators and industry regulators in doing so. It recommended the appointment of “a Cabinet Office Minister designated as cyber security lead who, as in a war situation, has the exclusive task of assembling the resources—in both the public and private sectors—and executing the measures needed to defend against the threat”. Joint Committee on the National Security Strategy, Cyber Security of the UK’s Critical National Infrastructure (Third Report, Session 2017–19, HC 1708, HL Paper 222)

175 Q 44 (Dr Madeline Carr)

176 The attack—including spam sent by botnets and automated online requests which overwhelmed Estonian servers—severely affected the Estonian government, banks and media outlets over several weeks. Damien McGuinness, ‘How a cyber attack transformed Estonia’, BBC News (27 April 2017): [accessed 4 December 2018]

178 International Relations Committee, Record of roundtable discussion with early-career experts 27 June 2018 (1 October 2018):

190 Ibid.

191 Q 181 (General Sir Adrian Bradshaw)

192 International Relations Committee, Record of the session held in partnership with the Atlantic Council in Washington D.C. (1 October 2018):

194 Artificial Intelligence Committee, AI in the UK: ready, willing and able? (Report of Session 2017–19, HL Paper 100)

196 Ibid.

197 Ibid.

199 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

205 Q 72 (Dr Becky Faith)

207 Q 56; another example of this is the publication of Google’s seven principles on development of artificial intelligence: ‘AI at Google: our principles’, Google (7 June 2018): [accessed on 4 December 2018]

213 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

214 Q 102 (Sir Tony Brenton)

215 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

218 Q 1 (Paul Maidment)

219 Quantum technologies are those that use quantum mechanics to achieve a performance that would otherwise be unattainable. In classical computing a ‘bit’—a single piece of information—can exist as either a 1 or a 0, but quantum computing would allow information to exist in multiple states, or ‘qubits’, as the subatomic particles it would use are able to exist in more than one state at the same time. Developers hope that this would result in computers that are significantly more efficient and sophisticated in their processing of information, and thus better able to solve complex problems. It is anticipated that advances in quantum technologies could allow for significant leaps in scientific discovery, including the ability to model complex chemical reactions, map weather patterns, improve navigation and significantly expand the ability to encrypt, and thus also hack, data.

220 Q 93 (Dr Monique Chu)

221 Ibid.

226 Ibid.

234 Written evidence from Dr Constance, Duncombe Lecturer in International Relations, Monash University (FPW0011)

236 Q 37 (Tom Fletcher)

240 Q 1 (Dr Lucas Kello) and Q 43 (Dr Andrea Calderaro)

246 NATO Cooperative Cyber Defence Centre of Excellence, ‘Tallinn Manual and the Tallinn Manual 2.0’: [accessed 4 December 2018]

249 Ibid.

250 International Relations Committee, Note from Committee visit to Washington D.C 11–15 June 2018 (1 October 2018):

251 Q 76 (Peter Wells)

254 William Hague, ‘Security and freedom in the cyber age—seeking the rules of the road’ (4 February 2011): [accessed 4 December 2018]

© Parliamentary copyright 2018