Deputising UK Counter-Cybercrime Operations


Exploring the potential of deputising private firms for cybercrime disruption in the UK, this paper assesses benefits, risks and global precedents.

Overview

This paper, 'Exploring Cyber Deputisation: Enhancing UK Cyber Statecraft Against Organised Cybercrime', examines the potential of deputising private sector entities to conduct disruptive cyber operations against serious and organised cybercrime targeting the UK. Amid escalating cyber threats and constrained public resources, the paper explores the feasibility of a modern-day ‘letters of marque’ approach to bolster the UK’s cyber defence capabilities. Drawing on international comparisons and academic debates, the paper provides a comprehensive analysis of the benefits, risks, and legal considerations of cyber deputisation.

Key Insights:

  • Addressing resource constraints: Deputisation could supplement the UK’s cyber statecraft by enabling private sector firms to conduct time-limited, narrowly scoped disruptive cyber operations under state authorisation and oversight.
     
  • Learning from international models: The paper highlights Singapore’s formal deputisation framework and the US’s advanced debate on active cyber defence as potential learning opportunities.
     
  • Mitigating risks: Strict controls, robust oversight, and clear legal frameworks are essential to ensure responsible implementation and avoid legitimising reckless practices seen in adversarial states like Russia and China.
     
  • Future-proofing practices: Research into automation, AI-driven cybersecurity solutions, and their implications for deputisation is critical to ensure ethical and effective operations.

While the paper does not advocate for the adoption of cyber deputisation, it provides a thought-provoking exploration of how such measures could responsibly enhance the UK’s capacity to counter cybercrime in an era of systemic competition.

Introduction

This RUSI Insights paper assesses the role that ‘deputised’ cyber operations could play in advancing UK cyber statecraft objectives. At present, the serious and organised cybercrime threat to the UK persists, while constrained public resources limit response options. ‘Deputised’ cyber operations refer to activity that would typically be conducted by law enforcement or intelligence agencies but is instead delegated to private companies in a time-limited and narrowly scoped manner. This evokes ‘letters of marque’ issued to privateers in the 18th and early 19th centuries that allowed individuals or groups to act on behalf of nation-state authorities. This paper explores the possibility of adopting a comparable and modern-day version to counter cybercrime that has an impact on the UK.

The rationale behind deputised activity would be to increase the scale of the UK’s ability to track and intervene against serious and organised cybercriminals that have an impact on UK society. With the appropriate approval (which could be ministerial) – and under supervision from a suitable state agency – a private company, in theory, could conduct or support activity that disrupts active or imminent cybercriminal threats to the UK. Crucially, powers would be temporary. In turn, ad hoc permission would permit non-state actors to conduct intelligence gathering and/or disruptive activities against known or suspected cybercriminal infrastructure. Acting as a ‘deputy’, the private firm would receive domestic legal indemnity for intrusion activity that takes place within the scope and timeframe of the authorisation, such as under UK criminal law. In practice, a hypothetical ‘letter of marque’ would permit the private firm to work under a time-limited contract or certificate on behalf of the UK state, either pro-bono, at-cost or for-profit.

Deputisation through a letter-of-marque approach is a distinct subset of wider debates and proposals regarding prospective private sector involvement in offensive cyber activity. It would sit roughly in the ‘grey space’ of a spectrum of offensive cyber activities. Importantly, deputisation would not involve offensive cyber activity against state targets or infrastructure; it would instead be strictly limited to perceived non-state targets, such as criminals. In the pursuit of this, deputised operations could, however, involve more intrusive activity than traditional active cyber defence. To distinguish deputised counter-cybercrime activity from wider debates surrounding offensive cyber, this paper refers to ‘disruptive’ operations rather than ‘offensive’ operations of a geopolitical and/or campaign-based nature.

There could be a range of scenarios in which deputisation could be hypothetically applicable. These may be opportunistic in nature. For instance, an incident response firm providing forensic and remediation services to a client hit by ransomware could identify vulnerabilities in the command-and-control infrastructure operated by the criminals. A CTI (cyber threat intelligence) firm could similarly identify vulnerabilities. However, in the context of the current legal landscape, a UK-based firm would – in theory – not be permitted to intrude on machines that they do not own, intrinsically limiting their ability to intervene.

This paper assesses the context, as well as the hypothetical benefits and pitfalls of such deputisation in the context of UK cyber statecraft. Although there may be correlations to wider debates surrounding ‘hack back’ and ‘cyber vigilantism’, deputisation is not the same as blanket permissibility for private disruptive cyber operations.

Although this paper does not advocate for British cyber deputisation, it explores how such measures could enable the UK to increase its cyber power capacity in a responsible manner against the backdrop of constrained resources. The paper includes an assessment of the UK-specific context (including the threat and the current response) and an exploration of the deputisation debate to date, including precedents, debates and legal considerations. The analysis in this paper draws on actual and existing cyber threats to the UK, academic debates on deputisation and international comparisons. Of relevance are states which either have an existing deputisation mechanism in their statute (such as Singapore) or whose legislators have considered such mechanisms (such as the US). The assessment is also set against the backdrop of overt and/or tacit models of deputisation that have been adopted by other states, including Russia and the People’s Republic of China. Such adversarial behaviour presents a dilemma and a prompt to debate the merits of deputising cyber operations. Irrespective of whether the UK adopts this approach, deputisation is arguably increasingly normalised by adversaries as a tool of cyber statecraft counter to UK interests.

Methodology

This paper is part of a project on theoretical and conceptual Cyber Statecraft in an Era of Systemic Competition, funded by the UK Defence Science and Technology Laboratory through the Engineering and Physical Sciences Research Council, in partnership with the Research Institute for Sociotechnical Cyber Security between October 2023 and February 2026. The paper was part of a joint project between RUSI, King’s College London and the University of Bath. The project includes a RUSI-led workstream on the role of the private sector in cyber statecraft, and draws on academic literature, news reports and national and international laws to inform this debate.

Increasing and Persistent Cyber Threats

Cyber threats to the UK are significant and persistent. They emanate from a range of actors, including criminals, commercial entities and state-linked agencies. This paper focuses on how UK deputised cyber activity could identify, halt or counter malicious criminal cyber activity. British commercial enterprises are heavily targeted by cybercriminals who are seeking to monetise cyberattacks through extortion or fraud. On a per capita basis, the UK experiences a disproportionately high number of ransomware attacks relative to peer countries.

Currently, victimised organisations are unable to proactively disrupt and disarm the organised criminals; the only permitted engagement is to enter into negotiations and make a payment. Commercial entities in the UK are not (currently) prohibited from making an extortion payment to cybercriminals, unless it is likely that the payment would be going to a sanctioned individual. Moreover, private sector hackback – hacking the computing device of the hacker – that is agnostic to the source of the cyber threat would create the risk of a deputised private actor attacking a foreign state. Zach West, who advocated for cyber deputisation more than a decade ago in the Syracuse Law Review, cautioned that an international incident could result from a scenario where a deputised US firm hacked a foreign government’s IT systems. Still, as West noted, the point of the deputisation model is that the host government can mitigate this risk by reviewing, authorising, overseeing and, if necessary, halting the deputised activity.

Ransomware attacks have impacted private and public sector entities in the UK, representing, in the words of the Security Minister, ‘an immediate and urgent threat to our nation’s security and economy’. Examples of societally disruptive incidents include attacks against Hackney Council (2020), Redcar and Cleveland Council (2020), KP Snacks (2022), Royal Mail (2023), Capita (2023), Synnovis (2024), Jaguar Land Rover (JLR) (2025), Marks & Spencer (2025) and Harrods (2025). Not all ransomware incidents are publicly known or reported; for instance, where a targeted firm has contained an incident and paid the attackers in exchange for discretion, the incident goes unreported. However, it is clear from these examples that the UK’s critical national infrastructure (CNI) and core British brands are demonstrably at risk of disruptive cyber breaches that can interrupt supply chains, disrupt core health services and cause societal disruption. As the UK’s National Crime Agency notes, ‘ransomware remains the greatest cyber serious and organised crime threat to the UK and its use threatens CNI and poses a risk to national security’. The impact on UK residents, organisations and society is not only financial; it also includes psychological harms, physiological harms and tarnished trust. This can include loss of trust in the government’s ability to support victims of crime and penalise perpetrators.

The remote cross-border source of the attacks – and the ability to obfuscate the source – are key characteristics that impede investigation and punishment efforts. Historically, serious organised cybercrime, such as ransomware, has been seen to primarily come from perpetrators in Russia and other former Soviet republics. In 2024, TRM Labs estimated that Russian-speaking ransomware groups accounted for 69% of all ransomware proceeds. Russia has been viewed as a ‘safe haven’ for organised cybercriminals, and the Russian government has arguably tolerated their activity ‘so long as offenders focus on targets beyond Russia and do not contradict or undermine the Kremlin’s interests’. However, Russian-speaking criminals do not have a monopoly on serious organised cybercrime and there are indicators that Westerners fluent in the English language (and accents) are increasingly involved in successful attacks. The Marks & Spencer, Co-op, Harrods and JLR ransomware incidents have been attributed to the English-speaking ‘Scattered Spider’, ‘Lapsus$’ and/or ‘ShinyHunters’ collectives.

The threat trend is therefore indicative of a persistent and arguably escalating threat to the UK. The success of organised cybercriminal groups has led to a proliferation of perpetrators (for instance, through the ‘ransomware as a service’ model). Ransomware is a particularly relevant threat in relation to the deputisation debate because of the severity of its societal impact, and because it typically entails the deployment of non-state command infrastructure that could be disrupted.

Current UK Measures Against Serious Organised Cybercrime

The UK government has taken a range of concerted actions against serious organised cybercrime. These include the promotion of voluntary resilience measures for organisations, the imposition of regulatory and legislative requirements, the provision of rationed incident response support and the disruption of cybercriminal activity through operations and enforcement.

Current UK Government Approaches to Tackling Cybercrime

The UK has publicly outlined its ambitions to coordinate and improve public sector cybersecurity through its ambitious Government Cybersecurity Strategy (2022). The broader National Cyber Strategy (2022) also covers the public sector, alongside the private sector and wider society. Additionally, given that most UK cybercrime impacts the private sector, the UK government has promoted organisational cybersecurity resilience by establishing certifications (for instance, Cyber Essentials) and promoting guidance for incident prevention and resilience.

The UK government has engaged in diplomatic activity on ransomware at an international level, including as a leading participant in the Counter Ransomware Initiative (CRI). Domestically, the government has proposed legislation on ransomware, which may include mandatory reporting of incidents, a ban on public sector ransom payments and a check-and-go system for ransom payments (under which a ransomware victim would need to seek the government’s authorisation, through a newly created bespoke authorisation centre, to pay a demanded or negotiated ransom). These measures aim to disincentivise the payment of ransoms, cutting off perpetrators from revenue. However, concerns have been raised that they place additional, disproportionate pressures on victims.

It should be noted that cybercrime incident response is currently privatised. Most victims of serious organised cybercrime do not receive significant support (such as remediation of IT) from the UK government. Remediation support from relevant UK public sector entities (such as the NCSC [National Cyber Security Centre]) is limited to a small number of significant incidents, although a greater number of incidents may involve the NCSC, the NCA (National Crime Agency) and/or police being present for situation update calls. Generally, ransomware victims need to conduct remediation themselves, or source third-party incident response. Organisations can acquire cyber insurance to cover the costs of business interruption and remediation.

This status quo is arguably a pragmatic approach in a context of strained public resources. Organisations should have responsibility for their own cybersecurity, and overly generous support can create moral hazard. It is of note, however, that the UK government recently created a precedent of selective financial support when it outlined funding for supply chain firms that were affected by fallout from the JLR ransomware incident.

UK authorities – including the NCA, the Metropolitan Police and regional cybercrime units – have conducted arrests, undertaken infrastructure takedowns and applied sanctions against individuals associated with cybercrime networks. This reflects a ‘disruption strategy’ that is an ‘integral part of the NCA’s broader shift of “focus[ing] upstream, overseas and online”, degrading the most harmful organised criminal groups … tackling the threat at source, and combating their use of technology’.

UK authorities have also collaborated with international partners to disrupt multinational organised cybercrime groups. For example, under Operation Destabilise, the NCA led an international investigation to disrupt a multibillion dollar Russian money laundering operation linked to drugs, ransomware and espionage, ‘resulting in 84 arrests’. UK agencies continue to demonstrate leadership in pursuing and supporting global operations to counter cybercrime.

How Current Responses May Be Insufficient to Counter Cybercrime

Nevertheless, the UK could do more to support victims and punish perpetrators. The scale of response has not met the threat, although this should not detract from the significant endeavours highlighted above. The UK is not alone in this regard; most states do not appreciate the scale of response required against cybercrime. To be sure, there are limitations to what can reasonably be achieved in a context of constrained resources. A 2023 HM Inspectorate of Constabulary and Fire & Rescue Services’ independent assessment described how funding had ‘encouraged police forces to develop their ability to respond to cyber-dependent crime’, but that ‘the levels of capability and capacity are often based on the available budget rather than an understanding of the demand’.

Notwithstanding the challenges presented by the unique characteristics of cybercrime, the status quo in UK cyber statecraft is arguably intolerable in the current global context. Malicious actors have been able to exploit the disjuncture between the bordered Westphalian order of states and the ‘borderless’ nature of internet technologies. Additionally, accepting the unacceptable creates a precedent of permissiveness. And while the significant cyberattacks in the UK have not yet reached the threshold of a Category 1 cyber incident, there is a distinct risk that such an attack could occur.

In December 2023, the UK Joint Committee on the National Security Strategy published a report on ransomware, which concluded that ‘there is a high risk that the government will face a catastrophic ransomware attack … and that its planning will be found lacking … [therefore] it is vital that ransomware becomes a more pressing political priority, and that more resources are devoted to tackling this pernicious threat to the UK’s national security’. There is arguably an opportunity to break inertia and consider riskier political decision-making to pre-empt and/or respond to potential crisis circumstances. Here, the Covid-19 pandemic is instructive. Research has highlighted the importance of developing coherent government strategies to pre-empt and resolve cyber crises, drawing lessons from inadequate pandemic preparedness prior to Covid-19. It is in this light that deputisation of disruptive cyber activities should be considered as a potential supplement to UK cyber statecraft.

Building on longstanding convention of public–private partnership (PPP) in cybersecurity, the UK’s Government Cyber Security Strategy emphasises that ‘it is crucial that critical cyber security challenges are tackled collaboratively. Government will therefore continue to develop its partnerships with private sector organisations’. The National Cyber Strategy from the same year outlined how the UK government ‘will deliver a much closer partnership between government, businesses and organisations to drive up collective understanding of the risk, guide prioritisation and establish the case for action’. This partnership drive has traditionally focused on resilience-building rather than statecraft. The Labour government has continued to promote this approach. Unveiling the Cyber Security and Resilience Bill in November 2025, the Technology Secretary Liz Kendall stated that ‘cybersecurity is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending a clear message: the UK is no easy target’. Still, although the purpose of the legislation is to enhance CNI resilience, one of the means to achieve this is to impose additional regulations (and costs) onto the British private sector entities that are in-scope.


WRITTEN BY

Dr Gareth Mott

Research Fellow

Cyber and Tech
