UK Cyber Effects Network

The UK Cyber Effects Network seeks to build and strengthen a UK community of interest that fosters informed debate around the theory and practice of offensive cyber and other cyber effects operations.

In 2023's Responsible Cyber Power in Practice, the UK set out how it will use cyber effects in a legal, ethical and responsible way. The publication of the document by the National Cyber Force (NCF) marked a significant step from the UK government in signalling more transparency regarding its approach to offensive cyber operations. In it, the NCF set out three principles for its operations — that they be accountable, precise and calibrated. In doing so, the NCF explicitly recognises it needs a 'license to operate' from the public, and that achieving this requires more openness and engagement.

This thinking opens up an opportunity for the research and practitioner community: to connect, reflect and develop further thinking on topics concerning the effects of offensive cyber operations within the UK and beyond. Offensive cyber operations are defined by 2022 UK National Cyber Strategy as 'adding, deleting or manipulating data on systems or networks to deliver a physical, virtual or cognitive effect'. At a time of heightened geopolitical competition, it is more critical than ever to reflect on when, how and under which conditions the theory and practice of such operations is evolving.

The UK Cyber Effects Network seeks to build and strengthen a community of interest focused on cyber effects issues. The Network aims to generate new thinking on the theory and practice of offensive cyber operations, and help develop the next generation of UK experts. The Network is administered by RUSI and funded by the National Cyber Force.

The Network will further these aims through three main pathways:

• Developing the next generation of researchers, policymakers and practitioners through the Cyber Effects Fellowship Programme.
• Providing intellectual contributions by publishing novel research.
• Convening experts through workshops, scenarios and other interactive activities to build a stronger knowledge base for a UK community of interest on cyber effects issues.

As part of this Cyber Effects Network, RUSI will publish an Edited Collection of Papers on offensive cyber and other cyber effects operations in spring 2026.

The collection of papers will cover some of the following themes and questions.

Concepts and doctrine

• Are offensive cyber operations escalatory? How should they be calibrated for competition, crisis and conflict?
• Is there a specific UK approach to cyber warfare? If not, should there be – and if so, what?
• What have we learned (or not learned) about the role of cyber operations in wartime from recent conflicts?
• Have there been any changes to adversaries’ concepts and doctrines for offensive cyber operations? If so, how should this influence the UK’s approach?

Legal and policy

• How can responsible cyber power be used for national advantage? Are these concepts contradictory?
• What are the legal and policy implications of non-state actors conducting cyber operations, including hacktivists and the private sector?
• What legal or policy measures would provide the public with assurance about how cyber effects operations are being delivered? If so, how can these disadvantages be overcome?
• How does just war theory apply when it comes to competition and conflict in (and through) cyberspace?
• Is the UK disadvantaged in comparison to its adversaries by its commitment to 'precision, accountability and calibration' in delivering responsible cyber operations?

Capability and technology

• What are the next generation capabilities the UK does or doesn’t need?
• What are the implications of optimising cyber effects capabilities for contingency use?
• How can the UK develop, test and sustain agile, multi-purpose cyber capabilities?
• How can industry help scale UK offensive cyber capabilities?
• What sort of frameworks should guide and bound the development and use of the next generation of offensive cyber capabilities (e.g. AI-generated or automated capabilities)?