 I'n edrych i gael. Felly mae'n i gael i'n ddiogelio. OK, rydyn ni'n meddwl y gallai hanfodd ar y dyfodol y dyfodol ychydig yma yw'r amser. Felly, hi, sefydli. Mae'n gyfarwydau yma mor Andrews, a rwy'n golygu profesiadau a'r Argynchysgol Llywodraeth Cymru. A mae'n ddweudio'r gweithio ar y dyfodol yma, ac mae'n gweithio'r ffordd yma yma. Mae'n cyfrifol cyfwyr Cymru, rydyn ni'n gweithio'r perthyn nhw. Uber wanted to talk about that. Now, is this kind of colour specifically about those things that our government have done to. That's got a question mark on the end by the way. It's going to contribute to the emerging debate about an important but relatively little discussed aspect of UK cyber security, namely cyber offensive cyber operations. The new national cyber force has been Cyfnodraeth Cyfnodraethol, a'r Cyfnodraeth Cyfnodraeth Offensive Cyfnodraeth. Mae'r llwysgrifenni ar y cyfnodraeth, Jodavani a Tim Stevens, ac felly, dros y Cyfnodraeth Cyfnodraeth, Andrew Dwyer a Amie Ertan. Mae am amdano am am Amie a Tim yw y gall, ac i gweithio'r cyfnodraeth, a oedd ein gweithio, Marcus Willit a gwbl yma'r Maedir Juliette Skinsley. Rydyn ni wedi bod gwaith arnynnu cwestiynau sy'n rhaid i'r bwysig yn y bwysig i fyfydol Q&A. Rydyn ni wedi bod yn ddwy'r chatbwysig, ond mor fydd yn fyddwch chi wedi'u unrhyw ychydig ysbyt. Rydyn ni wedi bod yn cael ei ddweud ar gyfer y gwaith fyddwch y haskag Ncf 2021. A rydyn ni'n gweldio cyfnodd yn ychwanegi'r ffrind y Youtube, ac mae'n fawr wedi gweithio ar y rhan. Mae'n ddweud y rhan o'r ddweud yn y pertyn i'r gweithio ar y teimlo yn y chatbarr, felly mae'r ddweud hynny'n gwneud hynny. Yn gyfennodd, yna'r peth o'r panlid. The first to go is Tim Stevens. Dr Tim Stevens is a senior lecturer in global security in the department of war studies here at King's, and he is the head of KCL cyber security research group. He's published widely on cyber security and related issues, and it's my pleasure to introduce him. Please go ahead. Great. Thanks, Moira. Good afternoon, everyone, or morning or evening, depending where you are. So, yeah, thanks for the kind introduction. This offensive cyber thing that you may have heard, talked about particularly recently, as Moira says, around the National Cyber Force. For anyone unfamiliar with offensive cyber, what we're talking about there is the use of computer network operations to deny, disrupt, degrade, or perhaps even destroy something that your adversary, another party perceives as being valuable to them. It could be computer systems or data on those systems, or it might be something in a more extended sense, something depending or dependent upon the secure functioning of computer networks, such as pretty much anything you care to think of these days. And a lot of people inside and outside governments are interested in the implications of offensive cyber operations, both at the tactical and technical level, but also at the operational level, if you think about running industrial processes, or perhaps war fighting, but also at the strategic level. What does it mean for geopolitics and international politics? But there's also other dimensions as well, such as the ethical aspects of offensive cyber operations. We'll come to that in a minute. But it's not just people in government and industry, the people who regulate and run computer networks and systems. There's also academics like us working at places like King's College London, like Royal Holloway where Amy works, Durham where Andrew works, working across various disciplines, geography, international relations, security studies, geopolitics, and much else besides, including of course in technical security, computer security, network engineering, software and so on. More to the point, this is not just restricted to the UK of course, this is an international dynamic, and many countries are developing these capabilities for better or for worse. But the UK is one of those countries that's foremost in that debate around offensive cyber and in the development of an offensive cyber capability, a sovereign capability to do these types of computer network operations. So this speaks to a whole range of really interesting political, ethical societal issues. So we brought together people from the King's Cyber Security Research Group and from the Offensive Cyber Working Group to think about this thing called the National Cyber Force, which as Moira said in her introduction is something that the government has put fairly obviously centre to its new revised way of looking at UK national strategy, not least of which is through the integrated review and a recent defence command document as well. And the NCF is set up there to deliver the UK's avowed offensive cyber capability, but within the overall framework of the UK being a responsible cyber power for the 21st century, and that's a whole discussion there about what that actually means in practice. But I just want to make in a couple of minutes, I have one main point by way of scene setting, and a couple of pointers to the discussion. The first is that the National Cyber Force might be new in and of itself, but actually it's an outgrowth of what already exists in the UK National Security Machinery. It's not wholly new in spirits, therefore, even though it has a new name and some revised organisation, something called the National Offensive Cyber Programme has been around for a few years now, and there were other precursors of similar function as well. Like the National Offensive Cyber Programme, which has been around formally, I think, since about 2016, it brings together personnel and expertise from across the military and intelligence piece. Principally, that means GCHQ, the Sovereign Civil Signals Intelligence SIGINT capability of the UK and the Ministry of Defence, so the military, but it also has input from MI6, which is the Foreign Intelligence Service and DSTL, which is the Science and Technology Arm of the Ministry of Defence. There is therefore some continuity with what went before. And as before also, this is very distinct entity from something called the National Cyber Security Centre, the NCSC, they're different. NCSC is formally part of GCHQ, but they have a different functionality, even though there's lots of tasks on which they will cooperate and collaborate. But what the NCF is set up to do is to streamline the UK's offensive cyber capacity to deliver effects in the jargon against distinct sets of adversaries like serious organised crime, terrorists, hostile state actors. Also, as I said previously, also to contribute to this overall strategic ambition of the UK to be a responsible cyber power as set out most formally in the recent integrated review. And this is a logical step in UK cyber, I would argue, albeit, of course, it's one that has a lot of path dependency. We're here because of previous decisions, institutional arrangements and so on. The point being that National Cyber Force hasn't sprung out of nowhere. There was a history and a legacy of this type of joint military intelligence corporation. Now, that's not to say it doesn't raise a lot of questions, because it does and more appointed to some of those in the introduction. And indeed, if you read the forward to this report, you'll see that Ciaran Martin, the former CEO for National Cyber Security Centre has raised the whole set of questions, only some of which we could get to in this report. But there are, you know, there's a fairly robust problem set here. The first is, you know, what is the NCF actually for? You know, what is its mission to be or what will its missions be? What will the UK ask it to do? And is it up to the task of doing it? These are open questions that should be discussed. And as we say in the report, we should realise and government should realise as well that the NCF cannot do everything, nor can it do everything equally well. So I think we have to be realistic about what the NCF is for and what it can do. And how also will it harness the potential of its contributing organisations by which I mean the very different cultures of, for example, GCHQ, which is the signals intelligence organisation, and the Ministry of Defence, which although its military is also equitably diverse internally, plus MI6, who have a different way of working, and of course DSTL. And how will the inevitable tensions over departmental equities be resolved in that context? More importantly, of course, who in government is going to be responsible for that? And we mean that in a very kind of organisational ministerial sense when you have Mediterranean intelligence, they fall under different ministerial remits. There's a whole set of other considerations too, which is, you know, how will the use of offensive cyber operations in peace and war be squared away with UK's ambitions to be a responsible cyber power? Or a concept we've yet to see fleshed out? You know, is adherence to international law enough and then the UK has made several robust statements on that? Or should we be thinking also of ethical issues that the use of offensive cyber potentially raises? And also just a broad kind of international normative point, you know, from the perspective of our adversaries, you know, who might be saying, well, if the UK is doing it, why can't we? Now, I know there'll be some pushback on that question, but this is a live question that we should be wrestling with so that our adversaries can't use it in an equivalent sense like that. But how are we going to constrain and support those activities that the NCF is going to be charged with in a really kind of useful, productive and responsible fashion? Now, there's a whole host of other questions there as well that I don't have time to get to, so I'm going to leave it there, and I'm going to hand back to Moira, and I very much look forward to the discussion that can be used. Thank you. Thanks very much for that, Tim. So next up is Amy Ertan. Amy is currently doing a PhD at the Information Security Group Royal Holloway University of London, where her research focuses on the emerging security challenges relating to military information. She is a co-director of the Offensive Cyber Working Group and has previously worked in strategic cyber intelligence roles. So over to you, Amy. Thank you. Thank you, Moira, and thank you, Tim. So I want to follow on from Tim's opening summary and some of the key considerations that arise when we think about the National Cyber Force to highlight, given the current positioning of the UK and the NCF, our report's recommendations for the UK government bearing in mind the huge current remit of the NCF as stated, the fact that there are many of these open questions, as Tim highlighted, and the fact, of course, that the NCF will have limited resources going forward. So through the report, we reflect and make recommendations across four broad categories, none of which are wholly discreet, and all of which should be viewed as mutually supportive. And the first of these is governance and accountability. For the NCF to succeed, there needs to be strategic leadership from ministers and senior officials from the outset. The integrated review highlighted the recent formation of a ministerial small group for cyber, which aims to cohere cyber decision making across government, end quote. Our report recommends that the government ensures this group delivers the leadership required to ensure that top-level accountability and that's strategic direction. If it's not already the case, we recommend it's chaired by a senior minister, perhaps the prime minister or Chancellor of the Exchequer. And along the same lines, we believe the UK should appoint a deputy national security adviser for cyber, similar to how the US has done. Which both elevates a strategic thinking centrally in government around cyber related defence, but also that coordination of cyber defence and security across and beyond government, which would include NCF and the NCF's mission priorities. The second theme of recommendations is organizational configuration of the NCF in terms of institutional structure and mission focus. So currently the NCF operates under a range of different legal authorities. So the foreign secretary or the defence secretary is required to authorise particular operations, but the exact divisions and those implications are not so clear. Our recommendations is that the government should be clear about this, about NCF mission priorities for offensive cyber operations, including the process for allocating effort between missions and priorities. We also recommend a cabinet office-led cross-government audit across defence security intelligence agencies and departments. Also, recruitment and retention is a significant area of focus within this, particularly as the integrated review highlights that the NCF headquarters will shift to the north of England. The third area of recommendations relates to international cooperation. The any choices made by the UK in terms of offensive cyber strategy must be made considering the international landscape and here alliances are crucial. It makes sense for the UK to work with their closest allies to defend against common threat actors, for example. So, we recommend operational strategic cooperation with our closest allies, Five Eyes, NATO, US should continue, but also that the UK government should identify and strengthen partnerships with others, including the EU, European states, about how the UK can contribute to collective aspirations, but also how to leverage the impact of UK offensive cyber capabilities. Within these diplomatic discussions, we recommend the UK be proactive, transparent about the purpose and functions of the NCF, and also the retention of the sovereign offensive cyber capabilities, which would reside in the NCF. In terms of legal and ethical obligations, we recommend the UK government demonstrate both through operational practice and diplomatic mechanisms adherence to international law and the promotion of norms around responsible state behaviour in cyberspace. Finally, the last set is around mission focus. The NCF needs a clear mission focus. The mission should be proportionate. It should not exacerbate the militarisation of cyberspace and should operate within clear legal and ethical frameworks. We recommend that this means operations consist of persistent, low-level counter-cyber operations, rather than an alternate, more controversial option of targeting adversaries' critical infrastructure, for example. The mission focus and NCF as a whole should be continuously assessed by the National Audit Office, among other institutions, with appropriate oversight to detect whether the UK's offensive cyber strategy is succeeding, in line with ethical and legal obligations, and for there to be mechanisms to change track where required. So, to conclude after that whirlwind journey through the recommendations, they aren't exhaustive. What we wanted to do as creators of the report is draw attention to the many aspects of the NCF as it continues to be built out, particularly when it comes to the wider debate of how the UK should be using offensive cyber capabilities and also draw attention to Ciaran Martin's forward where he very neatly put it, that the UK will have to account for their actions in cyberspace. So it's therefore essential that we have that informed understanding, both by decision makers and in wider discourse of UK strategic posture, policy approach and treatment of governance ethical and legal considerations. Thank you. Thanks very much, Amy. Lots of food for thought there. Turning now to Marcus Willett. Marcus has extensive experience of advising governments and companies on cyber in the UK and internationally. He spent 33 years in GCHQ, the last few as its deputy head. He left government service in 2018 and is now in the world of consultancy where he advises on geo strategic risk. Thanks very much, Marcus. Thank you, Moira. Thank you, Tim and Amy. That was a really good coverage of the report and introduction from Tim. Just say one more thing about who I am. In the latter bit of my career in GCHQ I could be described as Ciaran Martin's alter ego or his intelligence and offensive cyber alter ego and he's a good mate. So, firstly, I would like to warmly welcome your report. As I and others have written, there has thus far been too little public debate about the development and use of offensive cyber capabilities in the UK and elsewhere. Such debate is badly needed, given the important policy considerations that relate. Such debate should of course happen at a strategic doctrinal and policy level, but it still needs to be properly informed by some of the realities of developing actual cyber capabilities and running actual cyber operations. I believe this can be done in a way that does not jeopardize sensitive national operational capabilities. The reasons such a debate is needed are various and I'm sure we'll cover them in detail in Q&A. For example, the risks entailed to a state's own cyber security when it develops and uses certain types of offensive cyber capability. Can offensive cyber have a deterrent effect, either strategically or tactically? What is a responsible cyber actor? And many more. I think your report has plenty of really good insight and will really help encourage such debate. To help today, I'm quickly going to outline my take on the background, the creation of the National Cyber Force, and then provide a few comments related to your key findings. As you say in your report, offensive cyber operations were first avowed by the UK in 2013. This followed at least 10 years of, as you described in the report, prehistory. In that time, so from about 2000 onwards, we developed the relevant tradecraft techniques and oversight by running actual operations. In many ways, the UK approach to such operations was groundbreaking. In particular, we were quick to realize that such operations could have cognitive and psychological effects, not just physically destructive ones. And they did not have to be a zero sum game between intelligence equities and delivering effects. I would note in passing that in those formative years, GCHQ often seems to be a voice in the wilderness with our key international allies when arguing for cyber operations, despite there being risks to intelligence sources. This is of course relevant to your key findings. An organisation like GCHQ is there to deliver effect for HMG with delivery of intelligence just one of the ways it does that. One recurring theme in those years and ever since has been a problem with terminology. Were we talking about computer network attack, computer network operations, cyber enabled information operations or information warfare, cyber influence operations, cyber effects or, and I could go on. Each term had a problem, and by 2013 we had settled on offensive cyber, which we were still using in 2018 when I left it. However, even that term can confuse by feeling a bit warlike. And I know that some people are now talking about cyber operations, whichever term we pick in the UK, we mean cyber operations that are principally intended to deliver an effect rather than those principally intended to gather intelligence. Such operations range from those designed for cognitive effects to those designed for physical destruction, whether in peace or war, and regardless of whether the operations are run by civilians or the military, or whether the targets are civilian or military. The other way of thinking about this is, of course, as your paper and the National Cyber Force do, as a wide range of missions, countering serious criminality, countering terrorists, countering maligned state cyber activity, countering adversary states more broadly, including during conflict or war. From all of this theory, the UK came to two practical conclusions. Firstly, these missions, whether for military or non military effects, are fundamentally underpinned by the same sorts of cyber capabilities. That led to the creation in 2014 of the National Offensive Cyber Program, NOC-P, a joint endeavour between GCHQ, MOD and others to develop those capabilities together. A second conclusion is the more recent one, that it makes sense to even organise the running of the cyber operations themselves, the use of the capabilities jointly between GCHQ, MOD and others, hence the creation of the NCF. I would say there were two other specific drivers for creating both the NOC-P and its successor NCF. For GCHQ, it had successfully and innovatively proved the concepts and techniques for UK offensive cyber, but by itself it knew it couldn't scale in terms of people investment to cover the whole of the UK's offensive cyber needs. For MOD, it knew that modern warfare demands such capabilities, that they reside in GCHQ, that the UK could not afford for MOD to try and duplicate them, but that its commanders needed some sort of assurance that those capabilities would be there and under command when they needed them. That GCHQ wouldn't say, sorry, our intelligence mission takes priority. We can cover the command and authority arrangements for the NCF in Q&A if you want, but essentially the NCF is designed to meet both the GCHQ and MOD needs I've just outlined. Associate your key findings. I agree that the starting point for national cyber power should be cyber security. For example, it makes no sense to develop and unleash offensive cyber capabilities that you cannot defend against, or which inadvertently bring down the global digital commons. In that sense, of course, offensive cyber is an important but subordinate tool in the national cyber security toolkit. Put another way, the NCF has capabilities that the UK National Cyber Security Centre must be aware of, and in some cases can task to help it meet its objectives. For example, to disrupt the cyber attack causing harm to the UK. But of course offensive cyber has a broader role in cyber security in overall national security. For example, its most publicised UK use has been to counter Islamic State, not solely Islamic State activity online, but also to lessen IS effectiveness on the battlefield. It's cohesion as a force, etc. And I should add that the techniques we used and the cognitive effects we sought had no implications for either UK or wider cyber security. So offensive cyber can be used to counter terrorism and serious criminality in the round, often without any cyber security implications. Turning to states, yes, offensive cyber has a role in countering adversary states, adversary cyber activity, whether that be to deter, we can discuss that, disrupt or retaliate. But it can also be used to apply pressure for broader geo strategic or come the moment military ends. This is where we need to deal with hardened and sophisticated targets, whether need to deal with hardened and sophisticated targets could potentially lead to the use of capabilities that could have wider cyber security implications. This is the why this is why the UK is so keen to be a responsible cyber actor. This means that it would not, for example, indiscriminately use uncontrolled worms like want to cry or not pettier or make uncontrolled indiscriminate use of global it vulnerabilities. Put another way, as with all UK intelligence operations, cyber operations are governed by the principles of necessity and proportionality. And in addition, the UK believes the tenants of international humanitarian law, but government warfare apply in cyberspace, therefore adding humanity and distinction to necessity and proportionality. The UK intelligence and military systems have rigorous processes within clear legal and ethical frameworks designed to ensure these principles are followed which, again, we might cover in Q&A if you want. Clearly everything I've said has implications for the NCF balance of missions. For example, my understanding is that the counter cyber mission is well under half of what the NCF is now about. But the subject of missions does bring us to the most controversial area for the UK's and for any responsible states thinking on offensive cyber. Let's for one moment put aside the argument about whether offensive cyber has a deterrent effect. Offensive cyber is also for when deterrents fails and the UK finds itself in real conflict. Even then, as alluded to above, there are a wide range of techniques that can be used that do not have wider risks, but come conflict, as well as considering the air defence system of an adversary, for example, a legitimate target for offensive cyber. Parts of an adversary's critical national infrastructure might be considered too. One of the NCF's missions is undoubtedly to prepare for those sorts of eventualities and the preparations, like reconnaissance, need to be made in peacetime. You can't deliver such complex cyber effects from a standing start. This is an area where operating responsibly is absolutely vital. But I'm afraid we cannot pretend that states like the UK are not going to do this sort of work. As I argued in my SolarWinds article, it is far more important to settle on the types of targets that everyone can agree need to be completely off limits in peace and war, like hospitals, emergency services, nuclear command and control, and otherwise agree internationally what operating responsibly really means. So was the interdepartmental process of developing the NCF difficult? Well, yes, at times it was, but that is because we were doing something truly groundbreaking. If you think about the wide range of missions covered by the NCF, it is the equivalent in the US of bringing together the cyber operational components of at least the National Security Agency, cyber command, the US single services, the CIA and FBI under one organisational umbrella. As the Vice Chief put it in 2018, if we were not having difficult conversations, we were not doing it properly. I will add two things. One is that GCHQ and MOD have developed capabilities and run operations in a closely integrated way for over 100 years. It is in our respective DNA. Think Bletchley Park, for example. As a more personal example, the Vice Chief, I just mentioned, I first worked with when supporting military operations in Iraq in the early 2000s. In 2006, I was on the higher command and staff course at Shrivenham debating the role of cyber in future UK military strategy with fellow course mates who became friends, one of whom later turned out to be the air marshal with whom I ran the National Offensive Cyber programme. So I would say GCHQ and MOD have the sort of close relationships that allowed us to have the necessary real conversations that deliver the right result for the UK. And secondly, the NCF is a trailblazer for the Cabinet Office's attempt to change the nature of how departments work together in government by engendering far closer collaboration between them under its so-called fusion doctrine. Secretaries of State and their respective departments working together to develop capabilities, run operations prioritising according to strategic guidance from the National Security Council and the Ministerial Small Group without having to have their hands held by the centre to avoid being competitive is, I would contend, a good result for everyone and something Cabinet Office would like to see more of. To finish on your point about the importance of international alliances with a here here, the proven ability of liberal democratic states like the UK are five eyes European and other like minded international partners to operating cyber alliances is one of our big advantages over states like China, Russia, Iran and North Korea who have nothing equivalent. And yes, we should indeed be proactive and transparent about the purpose and functions of the National Cyber Force in relevant international diplomacy. I'll stop there, but with one final observation if you'll excuse me. As you might have gathered, I lived and breathed UK offensive cyber for 20 years. I remember sitting in a room in the donor with that air marshal and cooking up the idea that became the National Cyber Force. That cuts two ways for you. You're getting a bit of an inside track, but you're also getting it from someone so immersed in the story that he might at times suffer from slight tunnel vision. That's up to you to decide. And that's now back to Moira. Thanks very much, Marcus. Right. And now we have a last but by no means least major Juliette Kingsley. Juliette is an army lawyer and is currently the chief of the general staffs research fellow in the international security program at Chatham House, where her research focuses on states use of offensive cyber. Now today Juliette is speaking in a personal rather than any official capacity. So please do bear this in mind when listening to what she has to say and indeed when asking any questions later. Thanks very much Juliette over to you. Thank you Moira. Good afternoon everyone. So firstly I'd like to say thank you very much to the organizers for inviting me to take part in this important panel. It's a real pleasure to be here. I'm very fortunate to have spent the last 10 months or so is the army CGS research fellow at Chatham House, where I've been focusing on states use of cyber operations in my research. The NCF is a joint military intelligence organization. There's of course a lot of interest in it from where I sit in terms of how it will operate and on what basis. So it's a real pleasure for me to be part of this important conversation today. So I'll start just by mentioning three key points really from my perspective. Firstly, you know one which sometimes goes unnoticed and but which Marcus has already alluded to. It is really encouraging to see how much more public this conversation about use of offensive cyber has become. This can only be a good thing. And while we know of course as Marcus has mentioned that the use of offensive cyber by the UK has been around for a while. Information in this area has been quite sparse. First in a public confirmation of use of offensive cyber by the UK was back in 2013. But other than that there was really very little detail until around 2018 when the director of GCHQ confirmed that offensive cyber had been used for well over a decade. And of course we know now that offensive cyber was used against ISIS in 2016 2017. But other than that we haven't had a lot of detail about until now as to how and when the UK might use offensive cyber. So there's been a very important evolution here in terms of having a more public discussion about the UK's use of offensive cyber. And so I think the fact that the debate is more public than it has been previously is important in and of itself. And I think this particular fact is often overlooked. So hopefully this is an indication that the conversation as to how the UK uses offensive cyber no longer needs to be in the shadows that we can have these much more open discussions. And this is of course really vital for informing the debate around the way it's used and on what basis. And then of course how to mitigate risks of use. But of course it also means that we can look at what offensive cyber is, how you define it. And again Marcus has mentioned this in passing already. And this also helps to avoid the sort of hyperbole that so often surrounds the use of offensive cyber, you know, in terms of talking about cyber war and cyber weapons and cyber Pearl Harbor. And all of these sort of these terms and ideas which can of course be quite misleading and then unhelpful and informing the debate. So you know when you talk about cyber this can mean a whole range of things and effects and so so much will depend on the context. And if you focus, you know, only on the sort of high end of the spectrum of use this isn't always helpful in understanding that sort of the domain itself. So I suppose the questions to be asked now are, you know, how is the UK going to maintain this trend towards sort of greater clarity and openness and how do we, you know, engender more transparency in the debate. And to my second point then it's worth highlighting a few sort of facts and figures at this point because of course the UK is not the only state that's now openly acknowledging use of offensive cyber so it's important to put that into context. Many other states are increasingly relying on cyberspace as a domain in which they conduct statecraft. So from an era, you know, perhaps in which the US and its close allies were quite dominant in terms of cyber capability. In today's cyberspace, you know the gaps if you like are closing. But of course given the covert nature of offensive cyber, which of course is one of the challenges of the debate in itself. It's hard to assess with absolute certainty, you know what capability states have but there have been some estimates. So in September last year, the Belfa Centre at the Harvard Kennedy School assessed that 29 states now have offensive cyber capabilities to varying degrees. And of course the development of standalone cyber commands and doctrine which includes the use of offensive cyber as a tool of statecraft is also on the increase. And lots of states have now adopted cyber as a separate but integrated warfighting domain, including NATO itself of course in many states within NATO have offensive cyber capabilities of their own, either in the military or intelligence agencies or both. And I think this increase in the number of cyber commands among states and being clear that NCF is not a cyber command as such. But of course, you know this increase in cyber commands elsewhere, you know reflects the importance that states are giving cyber as a domain of military activity. And I think again you know if you look at how quickly strategies have evolved in the past 10 years in relation to use of offensive cyber and the increase in the number and the severity of cyber attacks. It is clear that threats in cyberspace are intensifying. And so as more states develop these offensive cyber capabilities, and instead of cyberspace enters a new sort of era of close competition, then what impact does this have in terms of you know possible new vectors for escalation, particularly you know inadvertent escalation. And so the issue now of course is is how to sort of manage this intensification to ensure that states behave responsibly inside the space and that of course is you know is the million dollar question. And finally to my third point, just mentioning the sort of the legal framework and the importance of international law in this. We know that you know the genie is out of the bottle so to speak with offensive cyber we can't you know sort of go back in time and undo this development but we can of course try to manage its risks and shape the parameters of how it's used. And in this respect you know international law is going to be a critical tool which which really ought to be promoted in this sense. And the UK has of course been a leader in that respect, having been the first state to openly give its views on how international law applies to cyberspace back in 2018. And this, you know, lead has already been taken up by many other states, and the response is really quite unprecedented in the sense that many states have now given their views on how international law applies to cyberspace. But not only that but with real granularity. So you know an example Germany this year gave its views on how international law applies to cyberspace with real detail as to how it how it would apply. So this is really vitally important for making sort of progress towards stability and predictability in cyberspace. And so I think there's an opportunity here to continue this trend, maintaining the narrative on the importance of international law in cyberspace. And so the legal framework under which NCF will operate is of course really important. And that point has been publicly recognised already you know by the director of GCHQ late last year, in terms of giving NCF its license to operate. And the UK has been very clear in its submissions to the open ended working group for example the international law is this critical tool for stability, and that international law applies in its entirety to cyberspace. Of a legal narrative, if you like, is really critical to explain and justify uses of offensive cyber as it sort of lends legitimacy to state activity. So those are my points, I hope to be able to offer perhaps some alternative perspectives as the conversation moves forward, but otherwise over to Moira. Thanks. Thanks very much. Julia. Well that was very interesting. We've now gone around everybody and had their initial remarks. So there's been a loss of publicity around the NCF recently. And so I just want to ask each of you in turn, what do you think will be the biggest challenge facing the NCF commander, whoever that might be, over the first five years of its existence, do you think? Shall I start with you, Tim, if I might. Well, as an academic, I tend to stay well clear of speculation, but I mean on the basis of what we know about the situation and I have to confess that despite all the transparency we don't know an awful lot. I think one of the things the NCF, I mean Marcus would be much better place to answer this than me, but I'm actually mission task prioritisation. You never know this person who the new commander may well be deluge with requests. One of the things we drew attention to in the report was that the NCF is good at some things or will be good at some things and over time may become better at others. But I think we have to be realistic about what the NCF can actually achieve. And I think Marcus drew attention to some very real operational situations in which the NCF can add obvious value based on its long experience in various forms, going back decades. But I do think I mean one of the issues the NCF may face is just being realistic with people higher up the food chain about what it can actually do. Because despite all the fact that we've heard that UK capabilities were used effectively against Daesh, we've heard senior US government officials say that actually on the US side things didn't look so effective or didn't deliver the effect that they desired. And I think that's the important thing. It's not that the NCF can't be effective, it's just meeting the expectations of people ministers principally in Westminster. And I think we need to be very realistic about what the NCF can do because just to open the conversation up a little bit, offensive cyber and Marcus has said it's gone through various iterations, what it's called, what inflections are imputed to it, cannot do everything. It's proven quite difficult, for example, to use a medicine cyber for strategic coercion. But yet at the same time it can be very good at the tactical operational level. And I think, you know, case by case, it's going to be, you know, the commander's job to work out what value they can actually add in the given circumstance. But yet, I mean the UK sovereign capacity in this respect has a great deal of experience in that. I have, you know, relative faith actually that the commander will be able to tell the true story about what it can and cannot do. But yet, you know, who knows what other sort of political challenges it may face. I'm going to come to Marcus in just a minute, but just staying with you for a minute, Tim. I noticed that the reports sort of glossed over the NCF's potential contribution to terrorism and organised crime. And I just be interested to have you say a bit more about why that was or whether you just think that, you know, its focus is obvious and those are sort of also runs. I've glossed over it. I just don't really think we have any details to work on. You know, what we're working off in the non classified realm is what government tells us and what investigative journalism and what sometimes personal biographies of former officials can tell us. And, you know, clearly NCF or NOCPE previously has had a really important role to play in counterterrorism. You know, counterterrorism has been the primary mission, if you like, of what most security and intelligence has been doing over the last 20 years. So, I mean, clearly, there is an impact there. Also, let's not forget that, you know, NCSC, NOCPE, NCA, National Crime Agency have been working very, very closely together in terms of countering serious organised crime. That's a very, very important mission. And I mean, I guess you'd like to see more of that in the report that we're limited in what we can say. You know, we're not working in the classified space, but I mean, I agree with you. One of the things about, as Marcus and Juliet have said, the transparency in this space is really, really important for demonstrating not only what the NCF is going to do and other elements of the UK security establishment, but also to say we're doing it for these reasons and within these constraints. And, you know, not only the operational constraints, but also the normative ones and the legal ones as well. And this is why it's so lovely to hear from someone like Marcus, who's written, you know, quite a bit about related issues. It's because when we quite slightly use the word prehistory Marcus in the report, it was to indicate that we simply don't know enough about this realm as researchers. And we would dearly love, and Joe Devaney and I have talked about this many times, is capturing the oral history, the kind of the something that we are allowed to talk about from former practitioners and officials and actually tell us how do we get. Because sometimes it appears, you know, the NCF has sort of appeared in this space as if it's perfectly formed kind of thing. And as Marcus will tell you when other practitioners have told us, you know, this is quite a complex process of sometimes machination but balancing and development and experimentation that gets us to this point. And some of that's exactly as you say more, it's through actual operationally countering terrorism and countering serious organised crime. You know, and there's a lot of experience there that I hope we didn't ignore in the report, but we just didn't feel feel able to talk about it. Thanks, I didn't mean to put you on the spot there. Okay, Marcus, would you like to add something? Well, firstly to echo the things Tim was saying. Yeah, I think realism is a good challenge. Absolutely. I'm biased on the operations against Irish, of course, whether they achieved effect or not. That might be something I've got tunnel vision on, not sure. I think your point about prehistory absolutely agree. There's a story to be told there. In the middle of the overall story over those 20 years, I think there is definitely more to say on the serious organised crime front. And I think some of the sorts of case studies there will, I think, help people understand the sorts of real results that are capabilities like this can achieve. I think the importance of the priority for the NCF, the biggest issue that it faces, it's a stock answer, but it's so true. It's about people and skills. You know, there's a very competitive marketplace out there for people with cyber relevant skills, both in the private sector, obviously, but also across government. It's one of the reasons I think the National Cyber Force is being set up. You've seen its ambition is to expand to 3000. I think incidentally, that is one of the reasons that it's going to expand out of GCHQ's hub in Manchester. Let's not discuss where the headquarters is actually going to be located and all that rest of the stuff, but the expansion in Manchester is deliberately trying to tap into a different dynamic, a different bit of the UK environment to try and attract those sorts of skills than the traditional M4 corridor. But it's a massive challenge. And if I were the commander of the NCF at the moment, I think I'd be most worried about how I'm going to build up my people capacity with the right sort of skills. That's my answer. Right. OK. I'm going to come to Amy in a minute, but I just wanted to say to our audience that if you would like to ask your question live because we are not inundated with questions at the moment anyway, then please use the raise hand function and we will allow you to answer your question live. So now we're going to come to Amy to have a go at that one. I would completely agree with Tim's point about difficult choices and prioritisation. That would have been my first bet and Marcus as well on the skills development. I just wanted to add really quickly about some of the really zooming out how the UK situates itself in the international landscape, given close ties with the US was a very different approach to offensive cyber and very distinct one as well. The US approach differs to a great extent from the French, from the German, from the approach taken by the Netherlands, so the UK has some choices to make in in how it cooperation, how it chooses to diplomatically engage in this and of course involve itself in the ethical and norms building discussions versus setting the strategy that meets its own interests as well. So some very large questions there. Great. Thanks very much for that. Right, I'm just going to ask one more if I might and and that is really around the governance arrangements because there's obviously you as Tim highlighted the ministerial responsibilities are. It cuts across a spread of different ministerial responsibilities. So I just wondered what the panellists thought might be the most appropriate governance framework for for the NCF. Maybe I could come to you first Juliet. Sure. So I think you know I can certainly talk about talk about the legal framework as that's my sort of area of expertise in answering that question. So I think first of all, we need to be very clear on distinguishing between no legal ethical and policy considerations because the three are not the same. And often they can be conflated in the discourse, you know around this particular subject so we need to distinguish them. So just for clarity then you know what we're allowed to do by law and what we choose to do by way of policy are obviously you know two very different things. As for the legal framework more generally, I think the first point I would make is that just because we're talking about the potential use of the military in certain cyber operations. This doesn't automatically mean that the law of arm conflict applies right so you often hear people discussing international humanitarian law law of arm conflict for example on the basis that you know someone in a uniform might be involved and that's not the correct position. So if we're talking about activities below the threshold or outside of an arm conflict then we don't necessarily apply IHL. But I suppose the second point to be made there is that a common sort of mistake if you like that you often hear is that just because you're outside of an arm conflict so sub threshold or grey zone or whatever term you know you want to use. You know there's still plenty of law that applies. So I'm hopeful that this sort of latter point has been made enough times now but sometimes you know you do still hear it. The idea that you know in the grey zone it's sort of free for all no rules sort of Wild West of cyberspace and of course you know that that's not the position so it's important to remember that different areas of international law will apply depending on the context. I suppose that's what I would say is my key points about the legal framework. Thanks for that Juliet. I wondered Marcus if you had any thoughts on that. Yes, but thank you for Juliet. I thought really really good points there. So when it comes to governance, I think there are as Juliet has indicated so many different angles to what we're talking about. There is sort of the governments governance of the organization so how the people are being recruited how the investments are being made how the thing is actually being held accountable. That's one thing and you can imagine how interdepartmental processes are set up to do that. Then there's, you know, going out to Juliet's point about the different legal regimes. Then there's which minister is under, you know, is responsible for making the decisions over which operations under which authorities are done and again that's that's complex but from when I left it was being well devised as to when when an operation needs to be signed off by two sectors of state. One sector of state with the other informed how that flipped depending on whether the laws of armed conflict applied or not. Then there's clarity of command. And and here, of course, what I think the NCF is trying to do is have a commander who's operating within that strategic framework of the authorities and whatever the strategic guidance is, but is otherwise allowed to adopt mission command, you know, which is, you know, the, the, the doctrine, the UK military is used for a long time, which tries to say, please don't don't constrain day to day and in cyberspace obviously second to second operational decision making with feeling you've got to run everything up to the strategic level. It's done within a clear ethical legal command governance framework and then the decisions are made by the commander. And then there's that final point on governance, which is just be sure how that strategic guidance is sought and developed. Is it the National Security Council, the ministerial small group. You know, however it's done. That's a key part of how this overall oversight work. So I'm sort of separating governance up into its constituent parts. Each one will have a different slightly different solution. And it's how they all intersect that is the is the trick. But that is what fusion doctrine is all about. And that's, I think how the NCF has tried to design its solutions. Thanks. And Tim, would you like to add something? Yeah, thank you more just very briefly. I mean, I can't improve on anything that Juliet or Moira said. I mean, the interesting thing of course is that the laws are on conflict. International humanitarian law doesn't apply to almost everything. Well, most of what NCF is going to be doing. That's not it's not there. I mean, it's there to support war fighting, of course, in a joint context, but it's going to be doing counterterrorism is discussed earlier more serious organised crime. All that kind of thing. Right. So most of the time we're not talking about international humanitarian law and war fighting. And yet it's an interesting how that when we talk about the NCF, people immediately go to the military framing of this. And as Juliet said, this is not a cyber command. This is not what's going on at Fort Meade in the United States. This is which is very much wholly under the Department of Defence Purview. This is this is something else. This is a joint military intelligence organisation that does a much wider range of missions, perhaps. So, but what is interesting is that when we talked about not P, you know, even two years ago, people were saying, and from within the Ministry of Defence as well. This is this seems to be really, really heavily dominated by GCHQ. And now we're in a situation with the National Cyber Force where people are going, this seems to be really, really heavily dominated by the Ministry of Defence. So we've done a little kind of a little turn here, which, which rather than ever to be, I think perhaps puts people in the mind that the NCF is going to do more military things than it actually is. And I don't know whether that's a good thing or a bad thing. But I mean, as Marcus says, over the past few years, that this issue of authorities for missions or for general kind of tasks seems to have worked relatively well. I mean, I understand there's been several instances when there's been difficulties, but, you know, that's to be expected when you're trying to work out this form of fusion joint integrated operations. So, yeah, I mean, it's, there is experience there, but it's interesting how people are framing the NCF as something military when most of the time that's not what it's going to be doing at all. That's that. It's very interesting. I mean, it would be interesting to see how it ends up because obviously if, you know, if GCHQ is sort of the lead organisation, then there is a, you know, a lot of flexibility available to it. Given that it operates under the Intelligence Services Act, which one school of thought is that, you know, that would give it quite a lot of operational flexibility. But anyway, I'm going to turn now to some of the questions. And first of all, I'm going, this is from an anonymous attendee. But they say that the initial job at for the national side before, so maybe they want to join, I don't know. But it required DV clearance. And so they're just wondering whether the NCF might be restricting the skills which it will have access to by insisting on DV. Does anybody have a particular view on that? Amy, do you have a view on that? I think there are a whole host of questions around and beyond DV. So I would be able to comment on the clearance issue specifically, but certainly in terms of where and how they relocate, hiring is something that should be at the top of their mind. I'll hand over to someone else who could talk more about that. I'm not sure. Certainly. I mean, you identified that as one of the challenges, didn't you, in your report about how to attract sufficiently skilled people. And of course, it's interesting. It would be interesting to see to what extent the military contributes staff because there's a contradiction between being a soldier first and a skilled cyberoperative second. Marcus, do you have any views on the DV issue? Well, so I hope that what the National Cyber Force is thinking about is a range of levels of clearance depending on the type of mission that is done. Of course, it is dealing with sensitive capabilities. So some level of clearance is definitely required. And, you know, I hope there's creative thinking being done. And not about the fact that people need to be DV, but the criteria that are used for that sort of developed vetting that doesn't preclude what I might term as low risk on poor grounds. So in terms of careers, I think more you make a really good point there about, I think part of what's gone on for GCHQ and MOD around cyber is thinking about what a career in cyber looks like both in, well, across the public and private sectors and between the public private sectors and the military, including whether you can have a full career in the public sector, including across in the military in cyber without feeling you have to also, you know, after a few years, go and do something else, you know, join your infantry unit for the military component of that of the National Cyber Force. Noting those really important points. It's very easy too quickly to focus on the military aspect. But I think lots of creative thinking is being done both in terms of the criteria used to select people and how you can encourage people in the sorts of careers they can develop. I think we could all deal with hearing a bit more about some of those. So, you know, more power to your elbow for making it a recommendation in your report. Great. Thanks. Now, we've got a question here from, not quite sure how I pronounce it, but it's puree pernick. Now, I'm going to have to read this very carefully because it's quite an involved question. I'm going to have to puree at the screen, so forgive me. Should UK sovereign offensive capabilities to support NATO operations be conducted under the UK National Command or SACR? And in which cases the latter would happen? Or which cases would the latter happen? Sorry. And how does this affect synchronisation and de-conflicting with other NATO nations who may conduct offensive or Intel cyber operations in the same networks under their national command? Who wants to go with that one? Do you want to start off? I think you're on mute. I can if you want. I think Juliet could as well. But I can. I do remember discussing this with a previous NATO Secretary General when I was rolled out to talk about how offensive cyber might relate to NATO. And broadly speaking, I think it sort of adopts the, what we might call without wanting to confuse the two, the nuclear model that says that certain states have advanced offensive cyber capabilities and they make those available to NATO, which I think the UK has done, rather than NATO feeling it as an organisation needs to develop its own offensive cyber capabilities. NATO, I think, has a really big role in worrying about the cyber security of its networks. That's a very clear role for NATO. But I think when it comes to offensive cyber, I think the agreed approach is that NATO would rely on the most capable member states to provide those capabilities to NATO. Juliet, does that make sense from your perspective? Yeah, sure. So I completely agree with what you said. I think the agreement with NATO is it doesn't, exactly as you've alluded to, it doesn't have its own offensive cyber capabilities as a sort of standalone organisation, but that different states contribute offensive cyber capabilities in the UK is certainly one of those, I believe, that said that. So it's not that that person is straightforward. The challenge is how do NATO allies agree on the appropriate procedures and boundaries for use of offensive cyber there? There's quite a well-in-example in 2016, I think, when there was some misinformation or propaganda deluded from a server in another country without the consent of that particular state. So, again, that could potentially cause issues in terms of deconfliction. And I suppose the challenge there is working around those particular issues in a NATO construct. Thanks, Amy. Sure, I can add, within the report, we briefly look at NATO and the fact that the UK did offer offensive cyber capabilities to NATO under the Article 5 commitment to the Alliance. And NATO does have this, as GEM Mark has mentioned. They have the Cyber Operations Centre, or the SIOC, which is due to be fully operational in 2023, which is integrating national cyber effects into Alliance operations rather than these NATO forces. But that SIOC is under SACA, so the Supreme Allied Commander that Perret mentioned. And, again, jumping off what Julia said about this conflict and the fact that it isn't always so clear, we know in the report that where there are divergent doctrinal legal constitutional barriers, they are in theory addressed through formal NATO mechanism called SCEPFA, which is the Sovereign Cyber Effects, provided voluntarily by Allies, which is the mechanism through which the UK in theory would provide these. But we also note that NATO is also under civilian control, so some of the aspects, some of the conflicts, won't always be covered by military doctrine, so very much still questions there, which I don't think we have precedent for, or public precedent for. Thanks. Tim, do you want to add anything to that, Amy pretty much said everything, particularly in the mention of SCEPFA. I think one of the interesting things about NATO in this conversation is the role that NATO itself could play in smoothing over some of the doctrinal differences between Allies. And NATO has a role generally to play in standards, thinking about standards, contributing to the development of norms and thinking about where doctrine does diverge because it does diverge within the Alliance. I mean, it's not that states are so vastly apart that they can't have a conversation about it. That simply isn't true. But there are certain states that have, like the United States, for example, which has a disproportionate impact on what happens inside NATO, where its doctrine is sufficiently different from states like France, Germany and the Netherlands, and indeed a little bit from the UK, although rather less so, that they do need to have a conversation about how SACCO is going to be able to access those capabilities and what situations. SCEPFA has a very important role to play in that, but NATO itself also has a very important role in that conversation. Great. Thanks. Right, Juliet, this is one for you. I'm going to put you on the spot here. In reference to you pointing to the fact that much of cyber activity does not amount to cyber warfare, how can international law participate in ensuring the stability of states' activity in the cyberspace that lays below the threshold of violation of sovereignty or intervention? Thank you, Moira. You've mentioned the sovereignty word there. What I'll do in answering this question is I think this goes back to what I was mentioning earlier about the use of international law as a tool. I think we have to remember here, as the question correctly alludes to, when you were talking about offensive cyber, there's such a broad range of effects that it could potentially be used for. You can turn it up, you can turn it down, depending on what you want to achieve. I think this is again about moving away from the hyperbole of the above threshold activities and the more extreme or high ends of the spectrum in terms of use of capabilities. I think when we're talking about the range of effects here, completely right, that we're likely to see is going to be below the threshold of armed conflict. In this respect, as I mentioned earlier, it is really important to remember that there is still plenty of international law that applies. You've mentioned sovereignty, and obviously the doctrine of countermeasures and the principle of non-intervention are all very relevant areas of international law. Sovereignty likely to be the one that's most commonly raised in the context of a cyber necessity. Again, it's almost like I'm agreeing with the question because going back to what I said earlier, this is about international law being an asset. It's a strength for the UK rather than a weakness, and you'll hear a lot about whether or not the legal framework under international law is fit for purpose in the cyber domain. Obviously, that's a challenge, but I think it's really important, again, going back to the legal narrative point because this lends legitimacy to your actions, and also mentioning the point earlier about allies. It's a way of garnering international support. It's a rallying point for like-minded states, and it creates this narrative about being lawful, which then means that cyberspace contributes to the idea that cyberspace can be more predictable and more stable in the long term. In this respect, the narrative, the public perception really matters. The director of GCHQ himself was really clear on the importance of international law in terms of giving NCF its licence to operate when he spoke at Chatham House last year, as was Commander Strachan again. It's really important that this narrative is maintained going forward, and we use it as a handrail and our central pillow, if you like, and a source of strength in seeking stability in cyberspace. Thanks. Tim, do you want to add something? Yes, everyone on this call will be aware of the problems in talking about sovereignty in this space, but for those of you who don't understand the basics of this debate, it's this. We routinely, as to every other state involved in these activities, breach the sovereignty of dozens of other states every time we conduct these operations. We do that in many other walks of life as well. There is no legal or logical reason why interfering with another country's network doesn't breach their sovereignty in some respect. This is why years and years ago, the American scholar Stephen Krasner called the sovereignty a situation of organised hypocrisy in that we reach for it when it's convenient for us to do so while happily breaching it the rest of the time. I think if you're playing in red space in non-promissive environments, whatever you want to call it, you're breaching sovereignty of another country while you're doing it and vice versa. The situation, and this is why, of course, where influential actors in this discussion argue over whether sovereignty is a rule which when broken can attract a sanction under international law or principle in the sense that you shouldn't really break it, but there are circumstances in which you can. Obviously, the latter allows you a bit more freedom of movement. I don't think sovereignty helps us a lot of the time. There is a framework of international law which does impart stability to the international system. It helps govern and regulate the types of things we can do. I think sometimes we can get a little bit sidetracked by the sovereignty issue, but there is something legal to play for there. If you read the legal scholarship on this issue, it's very, very interesting indeed. I'll leave it there. Great. Thanks, Tim. We're now going to come to one of our audience, Paul Schult. Paul Schult, who is going to put his question to the panel himself. Over to you, Paul. Hello. My question is about a sensitive, but not a fictional possibility, which is the problem of cyber operations around public health. The WHO has pronounced that there is a global infodemic of willfully bad information about COVID-19, and it's easy to see that there will be others, perhaps connected with political military crisis rather directly. So, what will or should be the role of the National Cyber Force in responding to this problem? There has already been an announcement that GCHQ and 77 Brigade have been involved, unleashed, I think was the term used in this, against disinformation in the UK in concert with Five Eyes allies, but not with NATO, but rather little has been reported about how this is being done. And there are huge and obvious political issues and sensitivities about responding, not just to professional state disinformation, but the misinformation of deluded, but perfectly sincere British citizens with different views about the handling of diseases. So, I think this is quite certainly an issue for the future, and I would be interested in panelist views about it. Let me see. Marcus, do you want to duck us off? Yes, certainly. So, as I think implied by the question, I think this is a really tricky area, and I think the way my old colleagues are navigating through this is to make a distinction, as indeed the question has, between what you could to malign state activity, stuff you know where a state is trying to run a disinformation campaign for a strategic effect, that the NCF may well be tasked, and so may other arms of British government to try and do something about, as distinct from broad misinformation that might originate from all sorts of different places, and one person's misinformation is another person's propaganda is another person's strongly held view. So, I think this is a very, this is an area where you have to be extremely careful, which is why, as I come back to where I started, I think there's a look, you know, if you can pin this to a maligned state actor who is trying to do this, to interfere in your, I'm not going to use the word sovereignty, in your country in one way or other, then that's the sort of thing I think the NCF could well get involved in. Thanks very much. Tim, would you like to add to that, do you think? Yeah, I'm going to ignore the should bits of that question. I think, you know, various units within, I mean, you mentioned the 77s, you know, the so-called chindits and GCHQ, I mean, already involved in those kind of activities, but I think, you know, lawyers are going to have to be exceptionally careful about targeting non-state actors in this environment, and there is law that protects those non-state actors, which includes, of course, you and I. So, I think it's a very, very difficult proposition, and it speaks to, I think, you know, the general kind of filth of social media in some respect. There's a role that's not just for government here, and organisations like the NCF, but actually for the social media platforms themselves. And of course, that's been a massive topic of conversation which bumps up, not against sovereignty in this case, but against freedom of speech. And I would not encourage a democratic government to go down that road of regulating freedom of speech in that respect, but yet that's a conversation we need to have, and we are having it. It would be nice to have it rather more nuanced fashion than it's currently being framed. And whether the NCF is the right vehicle for that or not, I have my doubts, but I think it will be involved at some level against state actors, yes. Amy, would you like to add to that? I think I agree with absolutely everything that Tim and Marcus have said, and it's such a tricky question. And I've been in many conversations where I don't think anyone's got close to an answer. I think beyond the legal challenges that were raised this ethical dimension, this idea of freedom of speech as well, and where you interact, especially when it comes to something like fake news that is, as Tim mentioned, could be URI, it's domestic or international. I don't think there's going to be an easy answer anytime soon, so I agree with Marcus' distinction between what can be pinned as a strategic operation by a hostile threat actor and what isn't. And I think that does also play into the wider argument that the NCF is going to have to pick a choose what it engages with. So this is another way that they can do that. Great, thanks for that. I'm now going to come to... I can just add to that if that's all right. So I was just going to add that we have got, we have got some precedent for that kind of thing. So if you look at the United States, for example, and the operations that they undertook in relation to the Internet Research Agency in Russia around the elections, obviously. So there is precedent in very recent history for offensive cyber operations in relation to disinformation. So I just wanted to add that. Thanks. Thanks for that, Juliet. Finally, I think there's probably the last question. I just wondered what role do you see industry playing in the NCF, particularly in the early stages? Marcus, can I start with you? Well, I think the short answer is absolutely crucial when it comes to the development of the technical capabilities and the development of the people capabilities as well. And I think there are some big framework contracts to enable those sorts of capabilities to be tasked and developed. I should add that I think this is about developing capability for the NCF. This is not about industry running operations on behalf of the NCF, just to make that distinction. But I think those relationships are in place, those contracts are in place, those frameworks are in place and are happening. And I will say one other thing. I think there could be, frankly, a bit more flexibility about how an organisation like the NCF engages with the private sector. It is a bit too constricted by those big frameworks. I think there's more opportunity for it to reach out to the more innovative bits, the SME world, the startup world, where I think there are some quite exciting potential capabilities and there has to be an easier way of those smaller companies to dock into a capability like the NCF. I have said that. It is actually a perennial issue. How does the SME community engage effectively because, of course, government cannot maintain hundreds of different relationships. So it's a big issue and not an easy one at all. Tim, do you want to add anything? I agree with Marcus. Of course, it plays into the larger piece around national cyber security capacity and public-private partnerships and so on that we've been talking about since even prior to the first national cyber security strategy back in the proper prehistory, as it were, of 2009. Some of us can probably remember that. There's been lots of different initiatives and different balances put on or stresses put on public versus private and so on, but it also speaks to the fact that other departments are going to need to be involved in this. This is not just a problem for mods. It's not just a problem for FCDO and GCHQ. It's also an issue that organisations or departments like DCMS and Bayes have been working very, very hard to try and encourage different ways into this in terms of careers, but also in terms of fostering innovation and so on. I think Marcus is right. What was striking about this, the NCF announcement, was that DSTL, which is part of effectively part of MOD, was the industry liaison there. Forgetting, of course, that GCHQ has been doing an awful lot of stuff, not only in Cheltenham, but as the aforementioned M4 corridor and many other places besides. We'll see what happens there. I think this is a work in progress. The whole point about, as I think Marcus mentioned earlier, about citing this thing further north and as usual for such organisations, was to capitalise and build capability and capacity in those areas as well. That means employment. That means local businesses, SMEs and so on. I'm sure that will be finessed in time. Great. Just to wind up, I just want to ask each panellist in turn to reflect on the conversation and say whether anything has struck you that's come out of this. Maybe I could start with you, Amy. The whole process of doing the report and coming here and being able to speak about it as well. It's obvious how many opportunities there are for the NCF and the scope of what they could be involved in moving forward. It's so varied. I think some of the main aspect is just the prioritisation and it's interesting to hear Juliette Marcus's insights on that too and how things actually might play out. I think going back to your question a little bit earlier, I don't know what the NCF will look like in five years, but it will be very interesting to see the governance approach that they have chosen and how they have engaged with the wider international landscape, for example. Where we are in terms of norms and responsible state behaviour and offensive cyber when it comes to the UK and our allies as well. There's an appropriate point to bring you in, Juliette, I think. Thanks, Amy. Thank you. I totally agree with what Amy has just said. We're awaiting the next report of the GGE this year, which is going to be so important in terms of, you know, I think the world being at a crossroads now in terms of where we go forward with whether or not we can agree on norms and rules of the road for cyberspace. For me, I don't have a definitive public statement about how the UK is going to use offensive cyber or what the balance is going to be in terms of using offensive cyber as a means of projecting power or what the thresholds are going to be for use of offensive cyber. I think these are all the really interesting questions. Obviously, the next national cyber security strategy will shed light on some of these issues for me, but it will be really interesting to see over time how offensive cyber is going to fit in with the overall strategy for cyber. And if you look at the integrated review, you'll see that integration is mentioned throughout, but there's not a lot there on how that works in respect of the cyber domain. And I think if you look at, you know, an effective strategy is also about articulating your limitations, the challenges that you face, and how you accomplish what is valued in the face of, as has been mentioned already, sort of limited resources really alongside a real proliferation of threats in cyberspace. So what types of threats and actors are going to be engaged persistently and what does the UK value in cyberspace and how is it going to grapple with its limited resources in this regard? Very good point that. Marcus, may I turn to you next? Yes, well, as a truly reflective thinker, if I'm ever going to have a profound thought, it'll probably be in the middle of the night. But for me, I mean, firstly, this conversation, you know, if I had my life again in my career in government, we could have had these sorts of conversations a number of years ago, perhaps even when we were, you know, creating the National Offensive Cyber Program, perhaps the time just wasn't right, but the time is definitely right now. So, I mean, we've all said it, but it's great to be having these sorts of conversations and there need to be more of them. The particular subject that I think I came in to this, you know, prompted by the report and some of the things that have happened in cyberspace recently is the fact that more thought needs to be given, I think, and more discussion needs to happen, more debate around that complex relationship between a country's cybersecurity strategy and a country's offensive cyber strategy. I think the relationships between the two can be confusing and confused. So, I think conversations like this really help and they need to be more of them. Yes, indeed. And finally, you get the last words, Tim. Thank you. Marcus basically summed up what I was going to say and this issue of conversation and shedding light on some very complex issues is hugely important and I hope that our reporters have a bit further that conversation in the UK. I think the thing to bear in mind is probably two-fold. First is that this is not just a conversation that the UK should be having. This is a combination that other countries should be having more both inside their societies but also with each other. And offensive cybers tended to be an issue that countries don't want to talk about very much. And I think that's a shame because there are some obviously kind of pro-social things in this place but we need to think about the negative sides of that as well. And the second really is just that this is not a done deal. Inventing the NCF does not resolve any of the issues that confront us. This is a very dynamic environment both in terms of threat actors and the landscape in general but also in terms of law and ethics and norms and doctrine. None of this has been resolved. This is still open to discussion and debate and when we think we've got to some resolution we'll probably need to renew and adapt again. And I think that that's much easier to do that if you're already talking about these issues because you don't want to come from a standing start when something really bad or obstructive happens. We need to air these issues in the open and hopefully conversations like today can promote that in some small way. So I just wanted to thank my fellow panellist really for being such fantastic contributors to that debate. Thanks, Tim. Well, it falls to me to say thank you very much indeed to all our panellists. It's been a really exciting debate. This event has been recorded, it just to remind you. So if you liked it so much that you want to see it all over again then it's going to be available on the King's website. And also on the website you can search for future events organised by the School of Security Studies. And so we look forward to having you join us again and welcome you to future events. So it just remains for me to say thank you once again to the panel and to thank you all for attending. Thank you and goodbye.