Licence to Operate: Transparency and Responsibility in UK Offensive Cyber Power
Recent Western approaches to cybersecurity embrace the notion that the best defence is a good offence.
Acting ‘swiftly, deliberately, and proactively to disable cyber threats’ is a main tenet of the new US Cyber Strategy. Germany is drafting legislation that could allow greater use of offensive cyber powers in peacetime. Denmark has made headlines for reopening applications to its Hacker Academy to support offensive cyber operations. In recent US military actions in Venezuela and Iran, offensive cyber capabilities have also drawn attention for their applicability alongside kinetic force.
The rapid adoption and expansion of offensive cyber powers reflect growing geopolitical uncertainty but raise questions about escalation and the risk of a ‘cyber arms race’. The responsible use of offensive cyber capabilities has therefore never been more critical for states seeking to develop offensive cyber power without undermining national or international security. Transparency and communication are key to developing offensive cyber practices that achieve effects while still protecting the security and freedom of the internet and its users.
The UK has already asserted its leadership in this regard, releasing its landmark public guide, Responsible Cyber Power in Practice (RCPiP), in 2023. Amid global instability, decision-makers should resist the urge to revert to secrecy; instead, the UK should double down on the doctrine’s ‘licence to operate’, promoting responsible offensive cyber practices at home and abroad through greater transparency and expanded public diplomacy initiatives.
Fostering Licence to Operate
RCPiP acknowledges that greater transparency is an ongoing challenge for UK offensive cyber operations – but one that must be addressed for a responsible cyber doctrine. Engaging with the public sphere gives the National Cyber Force (NCF) legitimacy – or its ‘licence to operate’ in the public mind – and demonstrates the UK’s commitment to responsible and democratic cyber operations. However, for the UK to secure this public mandate and promote responsibility, the NCF should fully embrace transparency as a strategic requirement, not just a challenge to be overcome.
Counterarguments highlight the need for secrecy in carrying out operations. Most states are opaque about offensive cyber practices out of justifiable concerns that transparency will give opponents a strategic advantage or make governments beholden to red lines. Transparency does not mean that governments must disclose every operation; rather, it is a commitment to ongoing public dialogue to foster trust and understanding with partners, allies, the private sector and the general public and to promote responsibility.
Cyber attacks can transcend borders more easily than kinetic actions and the general public is likely to feel the effects of adversarial cyber activity, with the recent attacks on Marks & Spencer and Jaguar Land Rover notable UK examples. To better achieve RCPiP’s goal of ‘cognitive effect’, thereby changing adversary behaviour, the NCF should also consider the role of transparency and the need to protect against cognitive effects at home.
Clear, consistent communication and education on offensive cyber may help improve the UK public's collective resilience to the effects of cyber attacks. Not only may this reduce the negative cognitive effects of adversary activity, but it may also help change risk assessments for UK offensive cyber operators if the general public is more accepting of the risks associated with offensive cyber power. If more emphasis is placed on licence to operate and the importance of public support as a strategic centre of gravity, the UK may have greater freedom to employ offensive cyber power to counter threats.
Countering Irresponsible Narratives
Transparency and the promotion of responsible offensive cyber narratives are also necessary to help counter the proliferation of irresponsible offensive cyber practices. Licence to operate should exclude licence to operate irresponsibly.
Russia is continuously engaging in sub-threshold operations in Europe designed to challenge allied cohesion and test NATO and European red lines. Cyber capabilities have played both supporting and primary roles, with recent destructive cyber attacks on Poland’s energy sector attributed to Russian state actors. Moscow’s use of offensive cyber power threatens to cause physical harm to non-combatants, in addition to escalating tensions throughout Europe.
China has also been linked to irresponsible cyber power use, such as the mass targeting of network edge devices by Volt Typhoon. US and Five Eyes organisations assessed that the compromises were aimed at pre-positioning attackers to eventually conduct disruptive or destructive attacks. To counter the assertion, China’s Computer Virus Emergency Response Center in turn attributed Volt Typhoon to the US, calling it a ‘false flag’ operation, an assertion that is almost certainly false.
As states seek to blur the lines between cyber and kinetic attacks, while muddying the waters of attribution and intent, transparency becomes even more essential for responsible cyber practices. A commitment to reliable communication from the UK around offensive cyber operations will help counter these narratives. This is essential to fostering trust not only with our allies and partners but also with the general public, to counter competing narratives and information operations.
A Cyber Influence Vacuum
Licence to operate also extends to public diplomacy efforts. The UK has an opportunity to promote its unique expertise and perspective on offensive cyber operations not only domestically but also worldwide. The US, often the norm-setter for states’ cybersecurity practices, has withdrawn from multiple diplomatic engagements and cyber organisations as part of the Trump administration’s ongoing rejection of soft power approaches to international affairs. A normative power gap is therefore emerging in cyberspace, which states like China and Russia may fill without counterefforts by Western states.
The UN Convention on Cybercrime, which opened for signature in October 2025, may be considered both a successor to the Budapest Convention on Cybercrime set out by the Council of Europe and a rejection of the Western-led approach to countering cybercrime. Sponsored by Russia in 2019, with support from countries including China, Iran, Belarus, Venezuela and Syria, the treaty is an example of authoritarian leadership in cyberspace, a trend that the UK should seek to counter through public diplomacy and communication on responsible offensive cyber practices.
Multistakeholder initiatives on responsible cyber power, like the Pall Mall Process, are one such approach, as are reciprocal agreements to restrict the use of certain offensive cyber techniques, following in the footsteps of agreements like the Anti-Personnel Mine Ban Convention. The UK should also consider establishing centres of excellence for domestic and international partners to enhance responsibility in offensive cyber doctrine. The UK has already demonstrated leadership in knowledge sharing and development with the NCF’s sponsorship of the Cyber Effects Network; the next step is to expand knowledge sharing to others to ensure that they develop responsibly.
Capacity Building and Deterrence
The UK should also seek to foster responsible licence to operate to support capacity building at home and abroad. Reliable engagement with the private sector may reduce duplication of effort in countering cyber adversaries while increasing support for government engagements.
Offensive cyber powers may also be considered defensive tools. Although, as RCPiP acknowledges, ‘evidence is limited for cyber operations being a primary contributor to deterrence’, capacity building – and the communication of capacity – can nevertheless serve as a deterrent. This is particularly true for cybercriminal activity. For example, out of fear of law enforcement reprisals following the 2021 Colonial Pipeline ransomware attack, the Russian-language cybercriminal forum XSS banned ransomware discussions, while many ransomware operators publicly disavowed attacks on critical infrastructure.
In light of global instability, other countries are also likely to develop offensive cyber programmes with or without Western support. Collaborating and communicating earlier is necessary to ensure that development follows internationally supported principles of responsible use. The UK should therefore take a leading role in promoting the development of responsible offensive cyber programmes worldwide.
Today, many states outsource cyber capabilities to private sector offensive actors (PSOAs), who often operate in legal grey areas with little oversight and accountability. Their operations also arguably inherently make the cyber landscape less secure: in Google’s latest zero-day review, the company for the first time attributed more zero-day exploit development to PSOAs than to traditional state-sponsored actors. The development of homegrown offensive cyber programmes, subject to robust legislation and accountable decision-making processes, may reduce the reliance on PSOAs.
Pragmatically, the UK is also in a position to be listened to by other states in the development of responsible offensive cyber programmes. The UK’s offensive cyber doctrine is, for one, more applicable to most countries than that of the US, as few countries can underpin their offensive cyber strategy with the same level of military power. The UK should therefore seize this opportunity to support other states in developing responsible offensive cyber doctrines and best practices.
The proliferation of offensive cyber capabilities poses a growing threat to security in cyberspace, underscoring the urgent need for credible cyber powers to model restraint and responsibility. The UK’s doctrine of responsible offensive cyber operations offers a vital path forward, but must be anchored in the principle of transparency, as it is the foundation of the UK’s domestic licence to operate and the source of its international credibility. In doing so, the UK can do more than improve its capabilities at home; it can help forge a more stable and responsible order in cyberspace worldwide.
© RUSI, 2026.
The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other institution.
WRITTEN BY
Riam Kim-Mcleod
Cyber Effects Fellow