Speaking Without Escalating: Why the UK Needs Public Responsibility Signalling in Cyber Policy
The UK has an opportunity to strengthen deterrence through attribution without fear of escalation.
In 2025, Jaguar Land Rover was struck by a crippling ransomware campaign that forced five weeks of factory shutdowns, disrupted global supply chains, and inflicted nearly £2 billion in estimated losses. While publicly visible and materially severe, the incident did not prompt a state-level attribution statement from the UK government. Instead, technical confidence about the responsible criminal actors remained within classified channels, and the broader governance discourse defaulted to silence. This episode starkly illustrates a recurring problem in contemporary UK cyber policy: harmful cyber activity can inflict profound economic and social damage without triggering a visible, credible public response under the current attribution-centric model.
In recent years, the UK and its allies have repeatedly found themselves in a familiar position. Harmful cyber activity is ongoing. Inside government, confidence about who is responsible is high. Yet public attribution is delayed, diluted or quietly abandoned altogether. Weeks pass as allies negotiate language, assess escalation risks, and debate evidentiary thresholds. Meanwhile, the activity continues largely uninterrupted. This pattern is no longer exceptional. It reflects a structural tension at the heart of UK cyber governance: public attribution has become the primary visible marker of action, even though the conditions under which attribution is possible, or desirable, are increasingly rare.
This Policy Perspective argues that the UK needs a new public governance instrument to address that gap. It proposes the development of Public Responsibility Signalling (PRS) as a distinct category of cyber response, positioned below public attribution but above silence. By enabling the UK to publicly identify responsible actors without asserting state responsibility, PRS would reduce incentives for below-threshold cyber activity while preserving political and legal restraint and intelligence secrecy.
Attribution Has Become a Bottleneck
Attribution in the UK serves important purposes. It reinforces accountability, supports international norms and enables certain legal and diplomatic measures. For those reasons, international law norms set a high bar for attributing malicious cyber activity to a state.
But attribution is not just a technical judgement; it is a legal and political act. Naming a state publicly can carry consequences ranging from diplomatic escalation to reciprocal accusations or litigation risk. It may also require the disclosure of sensitive intelligence sources and methods. For these reasons, governments often judge that public attribution, even when technically justified, is not worth the cost.
The problem arises when the high threshold for attribution becomes the informal gateway to response. In practice, if attribution cannot be achieved publicly and collectively, visible action often stalls. Attribution, a tool intended as a safeguard against escalation, begins to function as a constraint on governance. This dynamic is particularly ill-suited to a threat environment dominated by non-state actors, criminal ecosystems and proxy groups that deliberately operate below the threshold.
A Reality Everyone Recognises, but Few Name
In practice, the UK already acts extensively, internally, without public attribution. Defensive operations, disruption of criminal infrastructure, cooperation with private-sector providers and other cyber activities are routinely conducted on the basis of classified intelligence and are seldom publicly acknowledged. Externally, however, action in the public domain is comparatively rare. In such cases, publicly available attribution performs an important signalling function: it communicates responsibility, frames behaviour as norm-violating and enables coordinated diplomatic, legal or economic responses with partners and allies.
What is missing in the UK is not capability, but doctrinal clarity. Public cyber policy discourse continues to treat attribution as the central indicator of responsibility to domestic and international audiences and partners, even though practitioners recognise that responsibility is often exercised quietly through operational responses.
This mismatch creates three problems. First, it obscures how cyber governance actually works. Second, it narrows the range of publicly legitimate responses available to policymakers. Third, it creates incentives for adversaries to operate just below the level of egregious activity that governments assess may trigger public attribution, confident that harm can be imposed without public consequence. Attribution is increasingly being asked to do more governance work than it can realistically sustain.
Introducing Public Responsibility Signalling
Public Responsibility Signalling (PRS) is a form of public action that allows the UK to identify state actors responsible for harmful cyber activity without asserting political attribution or legal state responsibility, while also not remaining in the status quo (Table 1).
PRS is not attribution in the legal sense. It does not claim a breach of international law, trigger state responsibility, or rely on evidentiary standards appropriate for judicial proceedings. Although many public cyber attributions likewise avoid explicit legal characterisation, PRS differs in its function. Conventional attribution seeks to identify and publicly name responsible actors. By contrast, PRS is designed to acknowledge harmful activity and enable proportionate policy response even where formal attribution, particularly to a state actor, would be politically or evidentially constrained. In this sense, it provides a public response where the alternative might otherwise be silence.
In practical terms, PRS would allow the UK to say: we assess that this activity is being carried out by these actors; it is causing harm; and we are responding accordingly, without crossing the threshold into legal attribution.
Why This Matters for Below-Threshold Activity
At present, the absence of an intermediate public response category creates a governance vacuum, and cyber-attacks continue. PRS would change that calculus. Public identification, even without legal attribution, carries reputational, economic and operational consequences. It enables coordinated action by allies and the private sector, supports disruption of enabling infrastructure and signals that harmful behaviour is being tracked and contested. Crucially, it also increases the public visibility of malicious activity. Moving incidents from classified awareness into the public and media domain can generate reputational pressure, mobilise defensive action across industry and strengthen the basis for collective responses by partners.
While such visibility does not guarantee deterrence, it can raise the political and operational costs of persistent malicious activity and reduce the space for adversaries to operate without scrutiny. Most importantly, PRS raises the expected cost of operating just below the attribution threshold, reducing the strategic advantage of ambiguity.
Preserving Law, Secrecy and Restraint
A common concern is that acting publicly without attribution risks eroding restraint or escalating conflict. Arguably, PRS would do the opposite. By introducing a category such as PRS, the UK could expand the range of publicly available responses to malicious cyber activity. Even where governments judge that the evidentiary or political conditions for formal attribution are not met, PRS would allow harmful activity to be acknowledged publicly rather than remaining unaddressed in the public domain. This increased visibility can generate reputational pressure, support coordinated defensive action by allies and the private sector, and signal that malicious behaviour is being monitored and contested. In this sense, the principal benefit of PRS lies less in redefining legal attribution standards and more in providing a public governance response where the alternative might otherwise be silence.

PRS also respects intelligence realities. Statements can be calibrated to avoid revealing sources and methods. In many cases, the signal itself is the policy tool; the evidentiary detail remains classified. By decoupling action from attribution, PRS reduces pressure to attribute publicly simply to justify response.
Defensive First, Not Offensive by Default: Bridging the Public–Private Gap
Although this debate often sits within discussions of offensive cyber capability, PRS is primarily a defensive governance tool. Its most immediate applications lie in enabling economic, regulatory, diplomatic, and cooperative responses to persistent harm. PRS does not expand offensive cyber powers. It structures how the UK communicates and coordinates responses that are already legally available but currently constrained by attribution politics.
PRS could also help align public and private responses. Private sector actors often experience cyber incidents first and are frequently responsible for technical investigation and disclosure. In doing so, they may have incentives to attribute incidents publicly in order to warn customers, demonstrate analytical capability, or shape threat perceptions. Governments, by contrast, face incentives to attribute more cautiously, as public attribution can carry diplomatic, legal, and strategic consequences. These asymmetries can produce a mismatch in public signalling between government and industry. A mechanism such as PRS could help bridge this gap by allowing governments to acknowledge harmful activity publicly without requiring the level of evidentiary certainty or political commitment associated with formal attribution.
A recognised PRS framework would provide a shared reference point. It would allow government to acknowledge responsibility and coordinate mitigation without over-committing legally, while giving the private sector clearer signals about when collective response is underway.
A New Norm for a Changed Environment
The UK has invested heavily in promoting responsible behaviour in cyberspace. But responsibility cannot be reduced to naming perpetrators. It also involves managing harm, reducing instability and preventing escalation over time. Public Responsibility Signalling offers a way to update cyber governance without abandoning its legal and ethical foundations. It adds a missing rung to the response ladder: one that sits between silence and attribution and that reflects how cyber conflict actually unfolds.
If the UK wants to deter below-threshold cyber activity, it must be able to act, and be seen to act, below the attribution threshold. PRS provides a credible, restrained, and realistic way to do so. In cyber governance, silence should be a strategic choice, not the default outcome of legal, political and diplomatic caution. Public Responsibility Signalling gives the UK a way to speak without escalating, and to govern without pretending attribution is the only language available.
© RUSI, 2026.
The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other institution.
WRITTEN BY
Klaudia Szabelka
Cyber Effects Fellow



