An Accreditation Model for Private Sector Offensive Cyber Operations
The Computer Misuse Act is broken. Now is the time for the UK to license private firms to conduct limited offensive cyber operations.
In June 2024, the Russian ransomware group Qilin struck Synnovis, the pathology services provider for south London’s major NHS hospitals. The attack cancelled over 800 operations, delayed thousands of appointments and forced a national appeal for blood donors. Private threat intelligence firms identified the group within days, mapped their command-and-control infrastructure and tracked stolen patient data to the dark web. They could see exactly where the attackers were operating from. Restricted by the Computer Misuse Act, they could not lawfully disrupt it.
That pattern repeats across the industry. Private firms routinely develop the intelligence to identify, track and map hostile cyber infrastructure, but lack legal authority to act on it. Google announced a ‘disruption unit’ in 2025 to move from reactive defence to proactive disruption. Both Google and Microsoft have conducted court-authorised takedowns of hostile botnets, but by repurposing US federal civil litigation, not under any framework designed for the purpose. No comparable route exists under UK law. In one Microsoft case, the takedown also disrupted DNS resolution for millions of legitimate subdomains. Private offensive cyber activity is already happening. It is unregulated, ad hoc and available only to firms large enough to fund novel legal strategies.
A Law that Cannot Distinguish Between Attackers and Defenders
The Computer Misuse Act 1990 was written for a country where fewer than one in two hundred people were online. Its central offence, ‘unauthorised access to computer material’, makes no distinction between criminal intrusion and legitimate security research. The CyberUp Campaign, backed by NCC Group, techUK, BT and CREST, has argued since 2020 that the Act criminalises the work it should protect. Their research found that 60% of UK professionals see the CMA as a barrier to doing their jobs. Ciaran Martin, the NCSC’s founding chief executive, has said publicly that the Act has a ‘chilling effect’ on legitimate research.
Successive governments have agreed and then failed to act. Priti Patel announced a formal review in May 2021. Sir Patrick Vallance’s Pro-Innovation Review in 2023 recommended a statutory defence. Cross-party Lords amendments were rejected in 2022. Labour’s Criminal Justice Bill clauses died when Parliament dissolved. Then in January 2025, Lord Vallance (the same Patrick Vallance, now a government minister) rejected further amendments, warning they could ‘inadvertently create a loophole’. Security Minister Dan Jarvis pledged reform in December 2025. Detailed proposals are still awaited.
Even if the statutory defence passes, it would only cover defensive activities: vulnerability research, threat intelligence, responsible disclosure. Reserving offensive operations exclusively for the state was a reasonable position in 2020. The CyberUp Campaign itself explicitly excludes offensive action. But the threat has since outgrown what a statutory defence alone can address.
Beyond Statutory Defence
The NCSC’s 2025 Annual Review reported 429 incidents, of which 204 were nationally significant, more than double the previous year. The Strategic Defence Review 2025 revealed that UK military networks faced more than 90,000 sub-threshold cyber-attacks in two years. The National Cyber Force conducts daily operations but is not yet fully staffed and a King’s College London study cautioned that it cannot pursue all its missions equally well. The state cannot close this gap alone.
An Accredited Scheme for Offensive Cyber
Rather than waiting for CMA reform that may never arrive, the UK could build on infrastructure it already has. The NCSC’s CHECK scheme already authorises trusted companies to conduct sensitive cyber security work on government and critical national infrastructure systems. It requires security clearance for all practitioners, professional qualifications, company-level accreditation, mandatory reporting and random quality assurance. It manages thousands of sensitive engagements a year. The governance works.
The CHECK scheme should be replicated for an offensive cyber context. Accredited firms could be authorised to conduct tiered operations: at the lowest level, active reconnaissance of adversary infrastructure, mapping command-and-control networks, collecting intelligence on threat actor tooling. At the next level, engaging with adversary systems to gather intelligence or monitor live operations. At the highest tier, with appropriate government sign-off and post-operation review, disruption of hostile infrastructure itself. These tiers broadly correspond to stages described in the MITRE ATT&CK framework and align with the NCF’s own principles that operations should be ‘accountable, precise, and calibrated’.
More Options on the Ladder, Not More Chaos
Would licensing private firms for offensive cyber operations be destabilising? The current landscape, in which companies take down botnets through foreign civil litigation and threat intelligence firms sit on adversary infrastructure they cannot legally touch, is the chaotic scenario. An accredited scheme would convert ad hoc disruption into regulated capability, with defined rules and accountability.
It would also fill a gap the UK conspicuously needs to address. The Strategic Defence Review acknowledges that adversaries are ‘intentionally blurring the lines between nuclear, conventional, and sub-threshold threats’. Cyber operations thrive in this grey zone because of the implausible deniability they afford. As Cormac and Aldrich have argued, we now live in an era where even transparently deniable action creates useful strategic ambiguity. The point is not to conceal who acted, but to retain flexibility while limiting the risk of uncontrolled escalation.
Russia already exploits this through nominally independent hacktivist groups directed by the GRU. China operates through a marketplace of commercial contractors providing structural deniability. Iran mirrors its kinetic proxy model through IRGC-linked groups posing as independent hacktivists. The UK currently has no publicly acknowledged tier of capability between passive defence and sovereign offensive operations. That narrows the spectrum of calibrated responses available to decision-makers.
The precedent for placing such activity under formal oversight already exists. The Montreux Document established principles governing the conduct of private military and security companies. The UK–France Pall Mall Process is developing a code of practice for commercial cyber intrusion capabilities. An accredited offensive scheme would apply that logic domestically.
A Chance to Lead
No allied nation has enacted a framework for regulated private sector offensive cyber. In the United States, the Active Cyber Defense Certainty Act was introduced twice and died in committee. A 2025 ‘Letters of Marque’ proposal remains stalled. The next US National Cyber Strategy signalled intent to involve the private sector in disrupting adversary networks, but offered no operational framework, and the National Cyber Director subsequently clarified that the document was not referring to private sector offensive cyber operations. US Cyber Command’s hunt-forward operations deploy teams to partner networks, but these remain state-led. France has explicitly opposed private sector offensive cyber.
The UK describes itself as a ‘responsible cyber power’. It has the NCF’s operational doctrine to set standards, the CHECK scheme as a proven governance template and a mature private cyber security sector with a global reputation. Building an accreditation scheme for offensive cyber would strengthen the security of the UK and its allies while positioning British firms within a regulated operational environment that no competitor market currently offers.
The alternative is what we have now: a 35-year-old law that criminalises legitimate security research, a deterrence posture that the UK’s own National Cyber Strategy admits has ‘not yet fundamentally altered the risk calculus’, and a threat landscape expanding faster than the state can respond. Incremental reform has stalled. It is time to try something bolder. An accredited offensive cyber scheme would be an industrial opportunity as much as a security one.
© RUSI, 2026.
The views expressed in this Cyber Effects Perspectives piece are the author's, and do not represent those of RUSI or any other institution.
For terms of use, see Website Terms and Conditions of Use.
WRITTEN BY
Daniel G.
Cyber Effects Fellow