30 September 2023

British Army general says UK now conducting ‘hunt forward’ operations

Alexander Martin

Lt. Gen. Tom Copinger-Symes is the deputy commander of the United Kingdom’s Strategic Command, responsible for the Ministry of Defence’s offensive and defensive cyber capabilities — as well as activities that lie somewhere in between.

He told Recorded Future News that Strategic Command was now opening up about its hunt forward operations — a type of defensive activity pioneered by U.S. Cyber Command in which military cyber experts deploy to a foreign nation to detect malicious activity on the host nation’s networks.

These operations were previously softly referenced in the Defence Command Paper 2023, when the MoD stated: “Our ability to both learn from events and hunt forward to find threats will generate strategic advantage for our personnel and partners in conflict.” Explicit confirmation that the British Armed Forces have been conducting hunt forward operations has not previously been reported.

Affectionately known as General Tom to his subordinates, Copinger-Symes has recently overseen the creation of the National Cyber Force (NCF) which consolidates British offensive cyber activities and includes staff from the signals intelligence agency GCHQ, the Secret Intelligence Service and the MoD.

Although the NCF is not yet fully staffed — and its new permanent base in the village of Samlesbury in Lancashire in North West England has not yet been built — officials say it is already “carrying out operations on a daily basis,” though these are considered to be covert, and officials don’t discuss them publicly.

Recorded Future News spoke to Copinger-Symes during the Defence and Security Equipment International (DSEI) conference in London earlier this month. This interview has been edited for length and clarity.

THE RECORD: Since the beginning of Russia's full-blown invasion of Ukraine last year, how has the British Army’s thinking changed about the role of cyber during armed conflict?

LT. GEN. TOM COPINGER-SYMES: Great question. I think I'd start by saying, clearly you don't want to draw any one strand from Ukrainian lessons. Jim, my boss, [Gen. Sir Jim Hockenhull] has this lovely phrase: “If you screw up your eyes tight enough, you can learn any lesson you want.”

So the first thing is just a caveat that we are the cyber domain leaders and therefore, we are more prone than most to learn the lessons we want to learn from Ukraine, rather than ones we should. I think to start with, there was this great myth that cyber was the dog that didn't bark. Now, it might — to extend that metaphor — be the dog that didn't bite. But that was because of a huge amount of hard work, not least since 2014 by Ukraine, and then a huge amount of hard work, at very short notice, by some of Ukraine's friends and partners.

And those friends and partners aren't just countries, they were big digital primes, like Amazon Web Services and Microsoft. So getting the Ukrainian data out of Kyiv and into some secure cloud-like capability hosting was, you know, that's the 21st century equivalent of Charles de Gaulle, leaving Paris with gold and state papers. So at that national level of what resilience looks like, and how data plays into that, and the security of your data, I think that's a really important lesson.

Likewise, the sort of threat intelligence that was flowing into Ukraine from very early on from people like Microsoft. And of course, we're very proud of how much cyberthreat data we gather as Defence, but that's tiny compared with what Microsoft gathers every day of the week… I mean, it's awesome, the scale they work at. And that just highlights to me this really important relationship we've got in the cyber domain with our industry partners. That is different from in the land domain, or the air domain, or maritime domain, where ultimately industry partners hand over a tank and then we operate the tank — often with folk mending the tank for us once in a while — but it's much more of a handoff. Whereas in the cyber domain, we're working with industry literally the whole time, quite similar to the space domain actually, where you're much more integrated with industry. So I think that's one of the features I'd just point to: the criticality of that partnership with industry in the cyber domain.



The next one, and we in the UK, we define the cyber domain as the cyber and electromagnetic domain. And there, we're going back to the future, we're just reminding ourselves that no tank fights with a big cable coming out of its backside. No plane flies with a cable [tethering it to a computer network], and we get our data, and we share our data, via the spectrum. So the criticality of the spectrum and the levels of contestation of the spectrum — and frankly, just the level of environmental difficulty with the spectrum, you know, just the impact of weather, and the rain, and so on — is really important. And that's allowing us to re-identify those sorts of lessons we've known for at least 100 years, possibly more, about the criticality of the spectrum, and what I would call a converged domain between online and the spectrum. The importance of that, and the ability to fight in and around the spectrum, and to fight for temporary dominance there, is just as acute as fighting for air superiority.

TR: Is there such a thing as spectrum superiority, in the way that there is air superiority?

TCS: I think like air — in a state-on-state conflict where there's parity — the idea of air supremacy, or cyber supremacy, is probably a bit dubious. And if you think you've got it, you're probably in for a rude shock. But this idea — there's a lot of thinking coming out of America about pulsed operations, or the ability to, what in the First World War would have been an artillery-salient sort of standing for that achieved dominance — have your effect, and then pull back, I guess that's where we're going to go to. And in the spectrum, you know, it's really, really hard to gain and maintain absolute supremacy. But gaining superiority for the purpose you need it for, is going to be really, really important.

TR: Earlier this year, the National Cyber Force published a paper about being a Responsible Cyber Power. It set out what was described as “the doctrine of cognitive effect.” In those terms, how does cyber fundamentally differ from kinetic warfare?

TCS: Without teaching grandma to suck eggs, all war is cognitive. The inevitable human reaction to a round going over your head is usually to put your head down, it doesn't really matter whether the bullet hits you or your next door neighbor, it has a cognitive effect. And that should just be a good reminder that that's what war is about. There are human beings involved. It's never about killing everybody, it's about bending people to your will, and getting them to behave in the way you want them to behave.

And, of course, we've used non-kinetic, whatever you want to call informational effects, to do that forever, from the Zimmermann Telegram to whatever else. And cyber is very much part of that continuation of history. But of course, cyber, the digital domain, the spectrum, has these huge amplifying effects. Some of that will last forever, some of that is a phase in time, in the same way as the printing press led to wars and pamphleteers of the 19th century impacted politics, because not only of its amplifying effect, but initially it's shocking, it has an immense impact on people because they haven't grown up with it. So I think the cyber domain, the information environment — and military doctrine hasn't quite sorted out what we mean by those two things yet — as the lens through which all warfare is communicated, has been really prevalent here.

Let's just focus on the national strategic level communications of Ukraine. We are really proud of the support we're giving to Ukraine, and we're there for the long term. We have been awestruck by the moral resilience and courage of the Ukrainian people, and their army, but the Ukrainian people and — we probably won't go into it all today, but you know, we're really proud of the technical levels of support we’ve offered and given — but I don't think anybody is telling President Zelensky how to communicate across the world. He's giving us a master class in how you communicate really important messages to multiple audiences. And that is cognitive effect. And, of course, the interplay between that and what [Valerii] Zaluzhny [the commander-in-chief of the Armed Forces of Ukraine] is doing… you're seeing statecraft and warfare exercised at a PhD level there, learning as they go.


But that's a really good reminder of how the information environment is the thing that actually wins wars. Battles get won by armies … [but] wars get won by nations and their nation's spokesman. And it's a combination of those things that really wins a war. And we're relearning that because inevitably for 20 years, we’ve been focused on a very different sort of conflict, much more counterterrorism, much more counterinsurgency, against a different sort of threat and a different level of warfare. And we were using information in a different sort of way.

TR: At the moment the National Cyber Force is operational but not fully staffed. Under current plans, eventually it will be composed of an equal share of Defence personnel and intelligence community personnel from GCHQ and MI6. How confident are you that the capability it is meant to offer will be in place within the next three or four years?

TCS: With the current plan, and size and shape … I mean, we're bending ourselves out of shape together, [building the NCF] means recasting a lot of the trade groups in the Army, Navy and Air Force, and the civil service, to get the right blend of skills. That's proving hard work, but we're getting on top of it. We're doing that in close partnership with those intelligence agencies and our scientists at DSTL [the Defence Science and Technology Laboratory], to get there. I'm very confident that over the next three, four or five years, we're going to get there. As you know, we've announced the future location in Samlesbury. As we get there, we'll find out what the partnership is between other sites around the country and Samlesbury, and some of the human factors about moving people around. The curve is up, I'm not going to pretend that it's all been perfect or simple. This is a new thing. And injecting pace into a new thing where even some of the job titles, you know, people around Defence don't yet know, I spoke on a panel earlier about unlocking our potential and one of the points I said is, in unlocking our potential, we have need for it outside of cyber, just in digital, we have new trade groups and job roles that people don't understand yet. And guess what, that's the same in a bank. Same in an energy company. You know, this is unknown territory.

TR: For the sake of our U.S. audience, how would you explain the difference between the NCF and U.S. Cyber Command?

TCS: It would probably be improper for me to talk too much about Cyber Command, because I can't remember right now what they've released publicly and what they haven't. I think for us — and this will be appropriate the world over — we have defensive cyber operations, which at the national level clearly run through the National Cyber Security Centre (NCSC). And then through us at Strategic Command we run Defence Digital which is federated across Defence, so the Navy will have a CySOC [Cyber Security Operation Center], the Air Force has a CySOC, the Army has a CySOC, but all of them are working into Corsham, our GOSC [Global Operations Security Control Centre] where we center our cyber operations. That works very closely with NCSC in terms of information sharing, threat sharing, and so on.

And then we have an offensive capability which we've spoken about really quite publicly. I think we're kind of leading the world in that, and the idea of Responsible Cyber Power is really important to that. And then we have some bits that sit slightly between offense and defense, and we've just started talking about our hunt forward operations. The idea of forward defense, you know, going and helping our partners secure their own networks, which starts to blur the boundaries between offense and defense.

TR: Does the United Kingdom also use the term hunt forward? I thought it was a U.S. coinage.

TCS: We're using hunt forward because we're learning lots of lessons from them. Other nations around the world talk about offensive cyber, cybersecurity and cyberdefense. We'll refine our language over time, but for the moment we use hunt forward. I think people intuitively understand what that means.

As we develop the NCF, develop our defensive piece, develop hunt forward, what we're trying to do in Strategic Command is build a much more coherent cyber domain. The American model is slightly different, but they have a different defense force. They have not just the Army, Navy and Air Force, they have a Coast Guard and Marine Corps, and that's separate and so on. Clearly, we work very, very closely with Cyber Command. And where we differ from them, it's for good reasons. And where we can copy from them, we do. But we copy from a huge bunch of people, because this is a race, and it's a sort of Olympic-level sport. If you're not copying other people, and if you're not learning lessons from other people, you're probably going backwards, not forwards.

TR: One of the more obvious differences between the U.K. and U.S. is the resources available to the armed forces. How are those limitations affecting integration across Defence?

TCS: Ironically, and this is one of those too-good-to-be-true answers, so spoiler alert, one of the great spurs to integration is not being too well resourced. Because integration is about making the whole greater than the sum of the parts. And one of the reasons to do that, is because you don't have endless amounts of money to build these huge stovepipes [military systems that aren’t interoperable].

Now, that is not necessarily the case alone. But I think the point is, integration doesn't have to come from over-resource, sometimes you can be really pushed to integrate stuff because you're trying to get the most out of the whole force. So I don't think money is an issue there. What I would say about integration, and just how we want to take cyber forward, or digital forward is, we can endlessly ask for more money — actually, we're going to get more than £50 billion next year, and over the next 10 years, we're getting £600 billion of our money, taxpayers money. That's quite a lot of money. And I reckon we can do a lot more with that than we are at the moment. If you offered me more money, I'll take it, but in the meantime, we're going broke for skills and people quicker than we’re going broke for money.


I think the greatest limitation on how quickly we can play out our ambitions, whether it's in cyberspace or for integration, and you know, Strategic Command does three big things: it integrates Defence, it leads the cyber domain, and then it supports campaigns.

For all of those things, people and skills are the greatest limiting factors. So that's why we announced the new bursary scheme that we're starting, initially up in Lancashire to work with the Lancashire Skills and Employment Hub, with initially 100 people. Just this year about £1 million of investment is being put in, and I hope in a few years that's thousands of people, that's how quickly I want to scale it, and I hope it's significantly more than one million quid. We're doing that in Lancashire, so that we can focus on the NCF and get some young — and some not so young — people interested in cyber careers, whether it's in the offensive, the defensive, or work in spectrum for instance. And I would focus not so much on money in this particular case, but on attracting the right aptitude, not necessarily polished skills. We don't need lots and lots of math PhDs from Imperial or Cambridge or whatever, but we need people with aptitude, who want to come and fix our problems. And God we’ve got some of the coolest problems in the world to fix, and get them excited about that and bring them in to have a flourishing career in Defence.

TR: You mentioned the importance of industry being one of the major lessons from the war in Ukraine. I know this is something being focused on at NATO as well. How does the British Army plan on learning that lesson?

TCS: At every single panel here at DSEI, somebody will have said, “we need to work differently with the industry,” whether it’s in building tanks or doing cybers, or getting some whoop-ass AI into this thing. So what are we doing about that? Well, over the past four, five years, we at MoD have brought in a CIO with no government experience, no military experience, from industry. We've brought in a chief data officer with no previous government experience, all industry experience. We brought in a CISO, Christine Maxwell — we don't call her that in Defence, we have another title, but she's a CISO — no government experience, all industry, working with government, but always on the industry side.

That's just one example of how we're turning these things around. Frankly, I would be lying if I didn't say they were shocked when they came in and saw how we work with industry, how immature some of the relationships are, not in terms of the length of relationship, but how little trust there is, how little relationship building there is, and how — I'll quote one of them — how “the contract always seems to be in the room” whereas they said in their previous career, if the contract was in the room, the relationship was broken already and you were on the way out.

TR: Is this a dramatic change of MoD’s relationship with industry?

TCS: That is the intention, but I'm always worried that it sounds like “Oh, there, we’ve done it.” We have not done it. And we're really hungry to go much, much faster. I mean, I've been on four panels in the past three days. On every one I've made the point we want to go faster, we want to go stronger. I want to be more radical.

I also just want to come back to skills. One of the things I think we changed the game on, is recognizing that everybody's going broke for [people with] skills. I haven't spoken to anybody in the broadly digital data tech world who isn't crying out for more skills: banks, energy companies, whatever. It doesn't matter how much they pay them, there are not enough skills. So what we're saying, particularly with the bursary, but this wider Digital Skills for Defence program that we've just launched, is that we're an amazing learning/development organization.

In Defence, we probably invest more time, labor and money in people's learning and development than any other organization. The British Army is the top apprenticeship organization in the whole of Europe, I think the Royal Navy is the second, and the RAF is the fourth or fifth, or maybe it's the other way around. But that means, together, we knock the apprenticeship thing out of the park. And before anybody thinks that they're low skills, some of our best people at GCHQ start as apprentices at GCHQ.

So we're making a real investment on skills, and we're doing that with industry. Most of those people … we’ll upskill them from sort of GCSE or an A-Level standard, with graduate degree apprenticeships, in-service degrees — and then they're probably going to leave after five or seven years. And if they leave, and go and join national security, or an intelligence agency, if they leave and go and join industry, even if they leave and go and be a sheep farmer in Wales and never touch digital again, it doesn't matter. We're going to deliver huge social value to the country through upskilling them. And that's a national good, and we're going to do that with industry — and industry is gagging to do that with us. I mean, they're absolutely keen to do that in partnership, and they're not worried about what the terms of it are. They just want to do that together because they recognize what a challenge it is.

TR: We have time for just one final question. Will a cyber person ever make it to the rank of lieutenant general?

TCS: Yes. The deputy head of the army, the deputy chief of the General Staff — a great friend of mine, joined the army on the same day as me — Sharon Nesmith, is a royal signals officer ... and she is a three-star. When she joined she was a cyber dude, in the way we had, so maybe we're already there.
