A new research report by Dr Gareth Mott for RUSI examines whether the UK should consider authorising private sector firms to conduct tightly scoped, time-limited disruptive cyber operations against serious organised cybercriminals, under formal state oversight and legal indemnity.
The paper notes that the UK faces a persistent and escalating cyber threat landscape, particularly from ransomware groups, and that on a per capita basis the UK experiences a disproportionately high number of ransomware attacks relative to peer countries.
There may be a case for supplementing responsible UK cyber statecraft with private sector support through time-limited and supervised deputisation of suitable and mission-aligned firms.
Key Findings
Ransomware represents a critical and persistent national security threat. The scale and severity of attacks justify consideration of unconventional responses.
Current policing capacity has structural and resource limitations. Capability and capacity levels are often based on available budget rather than demand.
The risk of a catastrophic attack is credible and growing. The UK Joint Committee on the National Security Strategy concluded there is a high risk the government will face a catastrophic ransomware attack.
The report does not advocate immediate adoption of a ‘letters of marque’ model but provides a structured assessment of potential benefits, legal barriers and geopolitical risks. It assesses the UK debate within international developments, including legislative proposals in the United States and Singapore’s existing statutory mechanism for cyber deputisation.
