As the UK’s new government assesses its priorities for the forthcoming Strategic Defence Review, it would do well to reflect on the effectiveness of cyber power as an organising concept for cyber policy.
In 2021, the Integrated Review of Security, Defence, Development and Foreign Policy presented the UK’s ‘responsible, democratic’ view on cyber power that set out a strategic narrative and organising concept for future cyber policy. Amid the reassessment of priorities by the new government under its Strategic Defence Review, the concept and practice of cyber power must also be evaluated for its effectiveness.
The Labour administration inherits a well-developed suite of strategic levers of cyber power, including institutions in the National Cyber Security Centre (NCSC) and the National Cyber Force (NCF) in addition to deep expertise across government. This commentary takes stock of the UK position on cyber power as a strategic narrative and organising concept, the challenges of promoting responsible and democratic use, and what this might mean for the new government.
Responsible, Democratic Cyber Power
The pursuit of cyber power as a strategic concept emerged in 2019 in direct response to the growing threats facing the UK and the need to develop a new organising concept for government to geopolitically address these. Spearheaded by ex-Director of GCHQ Jeremy Fleming, cyber power was understood to be practised across three axes:
- Enhancing cyber security to protect the ‘digital homeland’.
- Enabling trust for a licence to operate through developing legal, ethical and regulatory regimes.
- Having the capabilities to ‘disrupt, deny or degrade’ adversaries in cyberspace.
This was noteworthy in its break from the prior strategic view and organisation around cyber security. Compared to the 2016 National Cyber Security Strategy, with its vision for the UK as ‘secure and resilient to cyber threats, prosperous and confident in the digital world’, the 2022 National Cyber Strategy clearly promoted the projection of UK power internationally. This shift overturned more than a decade of government organisation to fully integrate the use of offensive cyber operations, to position the UK as a science and tech ‘superpower’ and to strengthen and develop international engagement within the UK’s practice.
Responsible, democratic cyber power was crafted to demonstrate the UK’s intent to confront irresponsible behaviour and its commitment to a rules-based international order
Under the boisterous premiership of Boris Johnson, the projection of cyber power found a comfortable home in the post-Brexit ‘Global Britain’ narrative. It was, however, deemed essential by Fleming and others that the UK was able to distinguish itself from the irresponsible cyber activities of states such as Iran, North Korea and Russia. Crucial adjectives were added to cyber power to address this: responsible and democratic. Together, ‘responsible, democratic cyber power’ provided scope to project power abroad to support ‘Global Britain’. The intention was to demonstrate the UK’s commitment to using cyber power responsibly by following international law and parameters for offensive cyber operations, as well as democratically within clear lines of accountability and oversight.
Essential for a responsible and democratic perspective on cyber power was to accommodate the avowal of the NCF in 2020. The NCF was empowered to conduct offensive cyber operations under a joint military and intelligence institutional framework with a wide scope to engage with adversary states and support the National Crime Agency against cybercrime. To promote the UK’s view, the subsequent 2023 publication of Responsible Cyber Power in Practice outlined what accountable, precise and calibrated offensive cyber operations meant.
Sceptics wondered whether cyber power was more than a simple rebranding exercise. Yet, what resulted was significant policy attention and detail. Whether this was in the well-established cyber policy department at the Foreign, Commonwealth and Development Office (FCDO) or in the concentration of cyber policy knowledge and practice in the Department for Science, Innovation and Technology, the UK government used cyber power as an organising concept to reprioritise the UK’s actions both domestically and internationally.
Cyber power created space for the UK to position itself as a capable actor in a more volatile and geopolitically fragmented world. Yet, within this strategic narrative and organising concept, there have been challenges that the Labour government should now consider in the forthcoming Strategic Defence Review as well as in a new National Cyber Strategy, likely in 2026.
Selling Responsible Cyber Power?
Responsible, democratic cyber power was crafted to demonstrate the UK’s intent to confront irresponsible behaviour and its commitment to a rules-based international order. The challenge was how to communicate and demonstrate this. As a report by the FCDO articulated, the UK struggled to do so with ‘middle-ground’ states. This reflected concerns about the militarisation of cyberspace, questions of sovereignty, and how states with fewer cyber capabilities would fare in a world of cyber power. This was amplified within the Global South, where the UK sought most clearly to persuade countries that the rules-based order was the best route in cyberspace.
Through the FCDO, the UK has sought to alleviate the initial concerns around cyber power, drawing upon significant prior relationships based on its cyber diplomacy and cyber capacity-building work. Unlike cyber power, responsible state behaviour in cyberspace has a longer and more accepted lineage, as it is commonly recognised at international fora such as the UN. It is perhaps unsurprising then that the UK has continued to use this language when engaging in these fora rather than relying on cyber power.
For the new foreign secretary, David Lammy, who has promised to work more collaboratively with the Global South, moving away from the language of cyber power may be tempting. In a 2023 publication, Britain Reconnected, Lammy writes with clear purpose that ‘Global Britain was an empty slogan, which… smacks of post-imperial hubris’. Cyber power in UK strategy was born within the milieu of Global Britain; it is unequivocally an elitist rendering of national power. For selling the UK’s strategic narrative on cyber policy, cyber power will continue to struggle, even if it had significant purchase as an organising concept for government.
A Democratic Cyber Power?
As much as the framing of responsible, democratic cyber power was made with an eye on geopolitics for an international audience, the government recognised that the projection of cyber power relies on the UK being domestically resilient and having the capacities to do so. This draws upon a longer history of the frame of the ‘whole of society’, which prioritises the building of societal resilience in defence, health and elsewhere. Here, the UK government acknowledged that a broader suite of actors must be consulted and involved to develop technologies, build expert communities, and craft better policies to project UK power. The whole-of-society frame has been lauded as an essential move to improve UK capability. However, while it has introduced new and important perspectives, it has also promoted an elite perspective, with a limited number of well-connected individuals setting out priorities for UK society. This was, and is, a whole-of-society model from the top down.
While a well-intended democratic impulse runs through the UK’s interpretation of cyber power, it is technocratically limited to examining mechanisms for accountability and oversight. This raises two key challenges for the Labour administration. First, does the limited democratic view from the whole-of-society frame aid the UK’s cyber resilience and ability to act strategically? And second, does cyber power meaningfully help people in UK communities whose support is critical in underpinning the capacity for cyber power?
Viewing cyber power through multiple lenses, rather than one overly dominated by geopolitical ambitions, may assist in building longer-term support for UK actions in cyberspace
As much as cyber power is strategically focused on today’s fragmented geopolitical environment, its failure could lie in the everyday and seemingly banal aspects that characterise to UK society. A more participatory and democratic view may challenge government to look more closely at issues that citizens experience, such as rising online fraud, to maintain their trust and support for the UK’s cyber power ambitions. For example, as much as advisory boards may bring essential views into government, they are limited in their perspective. Cyber power that engages with a broader cross-section of society and its concerns – whether in communities, through civic society programmes or other means – offers important opportunities to reposition and reinforce the UK’s geopolitical stance. Viewing cyber power through multiple lenses, rather than one overly dominated by geopolitical ambitions, may also assist in building longer-term support for UK actions in cyberspace. For the forthcoming Strategic Defence Review, it must be recognised that a defence view on cyber power should not come to overly dominate cyber policy, but should instead seek to strike a careful balance between societal trade-offs.
A Competent Base
Despite the challenges of cyber power, the UK’s responsible and democratic position has positively advocated for an alternative vision compared to authoritarian practice. The Labour administration should reflect on cyber power in addressing geopolitical challenges as part of its Strategic Defence Review. Yet, both as a strategic narrative and organising concept, cyber power contains latent tensions for cyber policy – whether that is in how strategic narratives can overshadow a bottom-up whole-of-society perspective on prioritisation, or in how selling the UK’s vision for the future of cyberspace to allies, middle-ground states and the Global South is difficult to square with the language of power.
Regardless of Labour’s changes to cyber policy, the organising of government spurred by cyber power as a strategic narrative will continue to reverberate and build on past success. There is now an opportunity for cyber policy to reflect on the meaning of responsible and democratic more thoroughly and deeply – and on whether it continues to benefit the UK more broadly.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.
WRITTEN BY
Andrew Dwyer
- Jack BellMedia Relations Manager+44 (0)7917 373 069JackB@rusi.org