Leading the cyber and electromagnetic domain
General Jim Hockenhull explained how Strategic Command leads the cyber domain for Defence during a speech at the Royal United Services Institute.
Good evening. My name is Jim and I work at Strategic Command.
I have now served in Defence for a very long time, and throughout this time we have experienced many challenges and threats. But we are now in the most dangerous time I can remember in any point of my career. That’s not to say that war is either inevitable or imminent. But I think we’re in a different period now.
If we’re in that different period, then things are going to have to change. One of those things is how we think about national security. We need to broaden the circle. Instead of us thinking about defence, and then having an industry partner, working with ideas from academia, trying to establish how we work with international partners, we need to broaden that boundary when we think about national security.
It’s particularly true in the areas that I’m responsible for in Strategic Command. And it’s particularly true in the cyber and electromagnetic domain.
To be successful in that domain, I need the help of industry, I need the help of academia, I need the help of international partners. We can’t do that in a traditional, transactional, contractual set of relationships.
I truly believe that if things are changing in the world, and it is getting more dangerous and darker, our responsibility is to respond to that and adapt.
I hope that in the cyber and electromagnetic domain, we can show leadership in this, and we can move more quickly. We have an opportunity to move more quickly than in some of the more traditional domains, by virtue of the speed of innovation in the digital world.
For the cyber and electromagnetic domain, there’s something about its ubiquity. It is simultaneously new and not new. ‘Cyber’ has become a word which is thrown around with abandon by lots of different people, but the work across the electromagnetic spectrum has been going on for as long as we’ve been exploiting radio waves or communications.
This ubiquity can make it even more difficult to work out how we’re going to operate in this space.
What is also difficult is our traditional way of thinking about boundaries. With cyber, we need to burn down the idea of thinking about the existence of those boundaries. I mentioned the boundaries between defence and industry or academia, or our relationships with international partners.
But we need to burn down the idea of lines on maps in the cyber domain.
We need to burn down the idea of home and away. There is no home and away in the cyber domain. It is a single, encompassing domain.
We need to burn down the idea that cyber is somehow completely separate from air, land, maritime and space. Because it’s not. It’s a different type of domain.
When I think about the cyber and electromagnetic domain, I’m not thinking about it as another pillar to try and compete with the traditional domains. I think about what cyber capabilities are out there and how we drive that across the whole force. And how we integrate that into the force.
My most important role in Strategic Command is to drive integration in defence. I hope I can use the cyber and electromagnetic domain as the vehicle to show how some of that integration benefits not just our national security as a whole, but how we’re able to do that in partnership with the frontline commands and the services, how we’re able to do that in partnership with government partners, with allies and international partners, and making sure that industry and academia are in that partnership as well.
People often think that cyber is virtual and difficult to understand. In the room, we’ve got the leaders of our cyber operations, both offensive and defensive. The people that they command are the most engaged personnel in UK defence with our adversaries and our competitors on a daily basis. More so than any other part of defence, much of which is preparing and exercising for conflict, or supporting and conducting operations.
But our cyber operators are on the frontline with our adversaries every single day. And every single night. And every single weekend.
This is a 24/7, 365 days a year operation.
We shouldn’t think of the cyber domain as this sort of virtual thing that’s just out there and that people don’t quite understand. This is an area where we are in combat, in conflict, in competition with our adversaries.
The scale of what we’re talking about, in terms of the UK defence enterprise, which needs to be both protected and enabled, is just enormous.
230,000 users, half a million devices, 1,300 global sites, and over 30 concurrent operations. We need to provide a cyber and electromagnetic wrapper to support, and to enable, and to enable exploitation, across all those areas.
But it’s more than that. In the public, when thinking about cyber we think about data and communications. In a military setting, cyber also affects every platform, every sensor, every weapon system, every radio. This leads to vulnerability but also opportunity. This is a ubiquitous domain, that if we get right, we can provide the compound effect to defence in a way which I think is transformative.
We could, and we will, recapitalise various parts of defence to make it more lethal, to make it more precise and more productive. We must and should do that. But I believe the cyber and electromagnetic domain has the opportunity to provide some of that transformative power to defence.
The cyber and electromagnetic domain can make us more lethal, can make us more productive, can make us more precise, can make us more resilient in how we do our business. But it needs the right investment, it needs the right focus, and it needs to do it with a range of partnerships, including with the other domains.
We need to be sufficiently resilient to generate freedom of action and freedom of manoeuvre. If we can do that, we are going to superpower our other domains.
There are a whole load of lessons that come from Ukraine. If you screw up your eyes tightly enough, you can learn any lesson you want from Ukraine. And lots of people have. It is possible that there may be a little bit of confirmation bias going on, where people are looking for the evidence to support their thesis about why they need more of this, or less of that, or why their particular view of the world is reinforced by what we have seen in Ukraine.
There are some that say that cyber was the dog that didn’t bark in the context of the conflict in Ukraine. I think people that say that haven’t looked hard enough, and they haven’t seen the evidence.
There is evidence that what took place in December, January and February pre-conflict was a sustained cyber-attack on Ukraine. The fact that the Ukrainians had done a lot of work to make sure they improve their resilience, and the fact that some big companies helped the Ukrainians significantly in those early days, gave them a degree of resilience. But the cyber effort against them was significant.
And it hasn’t stopped. Even into last December, there was a massive attack on Kyivstar, the mobile network. Not necessarily to have impact on Ukraine’s war effort, but to have a cognitive effect on the population, to shock the population about what could be done to things that they would routinely expect to be available to them.
When we zoom out on this sort of activity – cyber attacking critical national infrastructure – we can see it is having a cognitive effect on the population, in the same way that bombing power stations does.
As we zoom out further, we can see that Ukraine has become the centre of electronic warfare across the globe.
When I used to look at the challenge of Kaliningrad and the network of sensors and electronic defences that were based around Kaliningrad, this is nothing compared to what Russia has deployed on its frontline in Ukraine. There was research done by RUSI published last summer, talking about 10,000 drones a month failing to operate effectively and potentially being destroyed as a consequence of the challenge of operating in that densely packed electronic environment.
We can see from some of those operations and the fact that there is such a predominance of Russian electronic warfare equipment, approximating one significant piece for every 10 kilometres of frontline. We should recognise it is a different scale of challenge.
In the UK, we moved away from electronic warfare through 20 years of campaigning in Iraq and Afghanistan. There were some niche elements of electronic warfare that we deployed, but this is a different scale and a different type of challenge.
Without effective protection, uncrewed systems become worthless and it’s not just uncrewed systems. It’s also missiles and rockets and guided munitions which are being prevented from having the effect that they would expect. This provides an opportunity to enhance your own force protection, and it’s also a way of trying to generate an advantage on the battlefield.
Last year, the National Cyber Force’s ‘Responsible Cyber Power in Practice’ publication really maximised its view on two things.
One is the cognitive effect on the population and on the military personnel on the battlefield.
There is also the idea that we’re generating advantage by integrating activity in the cyber and electromagnetic domain with other activities. Cyber alone is rarely decisive. There are some stories that can be told of cyber-attacks which have been launched and have had impact, but I struggle to see ones that have had decisive impact. This is where we’ve got to be really smart about how we integrate the cyber and electromagnetic domain with others.
Part of our challenge is that we tend to do our cyber and electromagnetic work in compartments or under the cloak of high degrees of secrecy. How do we make sure we burn that down to provide greater integration? How do we provide military commanders assurance that the capabilities that are offered to them are going to be there, at the right place, at the right time for them to be integrated into their plans?
If we don’t provide that level of assurance, then cyber and electromagnetic activity will always be added at the last moment and will never be fully exploited or integrated.
Part of my mission in Strategic Command is to provide that integration across Defence. It’s not just about kit, it’s about how we think, it’s about how we operate, it’s about how we fight. That’s where the engagement, particularly with the academic community, is valuable and why events such as this, thinking about the future of warfare and what it means, are helpful in making us examine the challenges.
The National Cyber force has provided much of the focus on cyber for the last few years. I had the pleasure of being one of the architects of the National Cyber force, and now as one of the two overseers and sponsors together with Director GCHQ, I hold it particularly dearly. But what have we got to do with the National Cyber Force is to make sure that we generate that significant impact. And it is having a significant impact. It is doing that across its mission set.
It’s supporting military operations, but it’s also having impact across the spectrum, whether it be counterterrorism, countering cybercrime, countering other crime, countering online child exploitation. It is a remarkable organisation that’s having an impact already. What we’ve got to do, though, is make sure that the impact of those activities is sufficiently integrated to generate a compound effect.
The area where I’ve got the greatest concern around the cyber and electromagnetic domain is in people and skills. There is a national, if not a global, shortage of the types of skills that we need for people to have in the cyber and electromagnetic domain.
It’s not just that there’s a national shortage of people with the right skills. We also need people to be attracted to come and work in the Civil Service or as crown servants, and in the military. It’s a subset of a group, which is already too small, that we need to come and work with us.
Notwithstanding the nature of the threat that we face today, the first battle of the next war is the battle for talent, particularly the battle for digital talent. I would assess at the moment that we are losing that battle. And we have got to change if we’re going to realise any of the opportunities that I’ve spoken about today.
Whenever I face a set of problems where something is not going right, I immediately think what can I do to change that? We are attempting to intervene. We need to change the model of how we manage our personnel that work in the cyber and electromagnetic domain.
My expectation is that the majority of people who are going to join are probably going to be with us for a shorter period of time than a traditional military career. We should structure ourselves around that shorter period.
I want to intervene early, I want to sponsor sixth form students who are studying mostly STEM subjects, but not necessarily only STEM. I want to sponsor them to come into the military, to the Civil Service, and into wider national security. I want to give them the opportunity to have an in-service degree through an apprenticeship scheme with a high-quality university. I want to give them amazing opportunities, in terms of working in national security, working in defensive cyber, working in electronic warfare, working in offensive cyber.
I would expect the vast majority of them to be leaving the service by the age of 25. I then hope that they’re going to come out into industry, I hope they become a resource that industry wants to receive. They’ll have skills, they’ll have experience, they’ll have the right life skills, the right approach to work, to then come out and boost our tech industry.
What I would want them to do then is be in the reserves, I’d also want them to come back and serve at a later point. I want them to be able to come back at a higher rank, to come back and add value.
Rather than returning back where they were, I think the cyber and electromagnetic domain can be treated differently. It’s very difficult to imagine recruiting someone to be an armoured brigade commander who’s previously been running a business outside, but I absolutely can see someone who’s going to be commander or a fundamental element of our senior echelon in the cyber and electromagnetic domain, who has been able to gain experience in the wider economy. We need to break down our model of how we manage these people.
When they join, I’d like them to do their cyber training first. I’d then like to put some sort of sorting hat on them to choose whether they join the Army, Royal Navy, RAF or Civil Service. Rather than necessarily define them at their point of entry. I want to pay them based on their skills, not on the grade or their rank, and I want to change the way in which we manage that workforce.
I’d like the industry people that are in the room to stand alongside me in front of sixth formers and talk to them about how there is a different path into the high-tech industry in the UK. That different path doesn’t necessarily assume going to university and loading up with potentially a large set of student loans, which they then have to pay back. That different path is to come and work in national security. That motivation of being able to get out of bed on the basis that you’re defending your country and helping it prosper.
And of course, that defending the nation and helping it prosper – back to my opening remarks – is a boundary that I want to move. It is not just the armed forces that’s the mission for, it’s a partnership mission for all of us as we go forward.
For the future, the pace of what we do is going to accelerate. I think we often overestimate change in the long term, whilst underestimating how quickly things change in the short term.
The pace of change, I can only see accelerating. I see some of it happening in Ukraine. We see an awful lot of that happening in wider society and wider industry. We know that we’ve got to go much faster.
Bureaucracies such as militaries and public sectors find change difficult, therefore we’ve got to find some different ways of working particularly in the cyber and electromagnetic domain. This is an area where if we don’t change at pace, we are going to fail.
The cyber and electromagnetic domain does not have a silver bullet, or a big red button, which is going to solve all our challenges and problems. If you want the Army, Royal Navy, Royal Air Force, and our space capability to be as effective as possible and capable of winning the fights we may be involved in in the future, then you have to have a resilient and effective cyber and electromagnetic domain.
If you want freedom of manoeuvre and freedom of action then it is absolutely critical.
If we fail to get it right, then many of the risks that are out there are going to be realised upon us. This is about seizing opportunities. It’s easy to make some remarks around this, delivery is much more difficult. We have to do this together because if we don’t then the sorts of threats which are out there are going to be so much more difficult to confront.