Cyber and the Strategic Defence Review: All Pervasive But Light on Details

The Strategic Defence Review (SDR) recognises that cyber and the electromagnetic spectrum (CyberEM) are integral for UK defence. Operations in all domains rely on cyber security and access to spectrum. CyberEM is the ‘enabling domain that integrates all others’ and it is ‘the only domain contested by adversaries every day’. Acute cyber security concerns drive the need to retire legacy systems. And the SDR’s emphatic recommendation of a digital ‘targeting web’ further highlights the different ways in which cyber expertise will shape the future of defence.

Notwithstanding all this, it is fair to say that the SDR is somewhat light on details. I write this in full awareness of the challenge of producing such a complex document, covering such a large number of topics and doing so as an exercise in public communication. The SDR is intended for a variety of different readerships, some of which will be hyper-attuned to particular issues, others not. It is a general-purpose document: it covers a lot of ground, and this necessitates concision. Different readers will take away different things from the SDR’s treatment of cyber, but the starting point for appraisal must be to look at what the SDR says and what it does not.

Cyber Progress Waypoints

In my submission to the SDR’s evidence phase last year, I made three main points: (1) that the SDR was an opportunity to think carefully about the lessons of setting up and operating the National Cyber Force (NCF); (2) that the SDR should improve the way that defence as a whole deals with cyber issues coherently, from offence to defence, to workforce and dealing with allies and partners; and (3) that the SDR should reflect on the success of existing lines of strategic communication about Responsible (and Democratic) Cyber Power (RDCP).

Of these, the SDR mostly focuses on (2), making a big recommendation to establish a Cyber and Electromagnetic Command (CyberEM Command) under Strategic Command. This should not be surprising. The review is avowedly a defence review, so it is appropriate to focus principally on issues that defence owns. The NCF, as a collaboration with the intelligence community, is not fully owned by defence. A focus on tidying up and better ‘cohering’ the defence-specific aspects of cyber is, therefore, a natural turn for the SDR.

The SDR explicitly states that the new CyberEM Command will not conduct offensive cyber operations, instead streamlining the way in which the rest of UK defence interacts with and tasks the NCF. This is entirely sensible, but it leaves open the question of how best to use the NCF – and offensive cyber operations in general – in future. The SDR isn’t completely silent on this – it alludes particularly to the potential of further integration of artificial intelligence into cyber operations – but this is not an issue that receives systematic or elaborate treatment. Arguably, the SDR does what can reasonably be expected of it here, as elsewhere: it highlights the importance of the issue, but ultimately must leave it to the government to follow up. (Wider criticism of the SDR based on perceived lack of political will, implementation challenges, and the curious approach to communications about precisely how much, and by when, the UK will spend on defence, are mis-directed: these are issues for the government and not for the SDR team.)

Alternatives for Offensive Cyber Operations

There are, of course, plenty of other avenues for the UK government to use to address the question of the role of offensive cyber operations in national strategy – not least the anticipated renewal later this year of the National Cyber Strategy, as well as less public processes for developing this thinking. It is, however, nonetheless slightly disappointing that the SDR did not have more to say about it. The same is true about the UK’s experiment with RDCP as an umbrella concept or trope of strategic communication about how the UK acts in cyberspace.

Given the institutional equities at stake in this beyond defence – for example, in the Foreign, Commonwealth and Development Office (FCDO) – it might simply be that this issue will be addressed further in the aforementioned next iteration of the national cyber strategy. This is one of the obvious, anticipated consequences of choosing to pursue a narrow defence review: cyber is wider than defence, so there were always going to be issues that were difficult to pursue within the SDR’s remit – something the SDR’s terms of reference recognised at the outset.

Which brings us back to the SDR’s actual cyber focus, namely on improving the coherence of the wider defence cyber effort. The new CyberEM Command aims to ensure that existing disparate cyber ‘pockets of excellence’ avoid achieving ‘less than the sum of their parts.’ The SDR invokes the ‘whole force’ concept throughout and it is obvious that this concept clearly applies to the challenges of effective cyber defence. Getting the best out of the defence partnership with industry, and out of the cyber reserve, will continue to be a key effort for UK cyber defence. As the SDR highlights explicitly, there is greater cyber expertise in the civilian sector, so this must be a top priority for the new CyberEM Command.

The SDR recommends that defence should be more ‘proactive’ in cyberspace – and it nods in the direction of both cyber ‘persistence’ and retaining the ‘initiative’, which are now staple concepts for thinking about the domain, courtesy of the work of three influential US scholars. We can all make educated guesses about what this means for future cyber operations. A reinvigorated approach to ‘domain coherence’ in cyberspace requires more than improved resilience and security within the perimeter. It will also include active cyber defence and counter-cyber operations, broadly construed.

Expansion Points

Given what the SDR said elsewhere about the importance of allies and partners, it might have been interesting to elaborate further on, for example, the potential for UK ‘hunt forward’ operations, but for whatever reason the SDR passes over this and other details about how this effort could be taken forward. The SDR says that CyberEM Command will lead on liaising with allies and partners, but – as the Review briefly notes in the NATO context – the totality of international cyber defence cooperation will clearly comprise of more than liaison activities.

The SDR also touches on the need to think coherently about the relationship between cyber operations, electromagnetic warfare, and information operations, and on the need to enable Defence Intelligence to make a better cyber-related contribution. It argues that the new CyberEM Command should improve the coherence of the defence contribution to this wider national effort.

Overall, the SDR offers a series of incremental recommendations to further improve the coherence and integration of the defence elements of the wider national cyber effort. Its recommendations flow from an analysis of an intensifying threat environment and a wider sentiment that the UK needs to counter these threats with more urgency, more pro-actively, and with more sustained commitment over the next decade. This leads readers of the SDR to ponder what comes next, as the government interprets and implements the Review’s cyber-related elements.

© Joe Devanny, 2025, published by RUSI with permission of the author.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.