The UK Government’s New Cyber Strategy: A Whole of Society Response
The new cyber strategy contains a number of shifts in emphasis, centring on the idea of a whole of society response to cyber challenges.
The UK government’s new national cyber strategy was launched on Wednesday, five years on from the influential 2016 strategy that, among other things, created the flagship National Cyber Security Centre (NCSC). Cyber is a more pressing issue than ever, and front-and-centre in the new era of great power competition. So, what does the new strategy have to say about the UK’s direction over the next few years?
The last five years have seen some significant developments. Despite attempts to dissuade states like Russia and China from using cyber operations to steal secrets, attack opponents and undermine confidence in democratic processes, their recent sophisticated large-scale cyber espionage operations suggest there has been little deterrent effect. Meanwhile, cybercrime is bigger business than ever, with an ongoing global ransomware epidemic seeing the operations of a growing number of businesses and critical public services temporarily grind to a halt.
And more strategically, issues like the question of Huawei’s role in the UK’s 5G infrastructure have shone a light on our increasing dependence on Chinese technology and the security challenges that brings, especially when countries like China are actively seeking to shape the very future of the internet in a way that runs counter to the democratic values of the UK and its allies.
So, the time is right for the UK to reset its approach to cyber. The 2016 cyber strategy represented a significant shift to a much more interventionist approach by the government, across the whole spectrum from detecting and responding to cyber threats, through to building cyber skills, encouraging innovation and helping to grow the UK cyber commercial sector.
The new strategy shows a high degree of continuity with that approach, which makes sense. But it also contains a number of shifts in focus. It is now described as a more comprehensive cyber strategy, taking what is sometimes described as a ‘whole of cyber’ approach. There is a focus on a ‘whole of society’ response. And the strategy continues the theme of the Integrated Review by framing the issue in the language of ‘cyber power’.
Those who like the cyber power language will welcome this, while those who do not are unlikely to be persuaded. But the bottom line is that the UK needs to be highly effective at cyber and all the things that underpin it, however that is labelled.
More interesting is the emphasis on a comprehensive, cross-cutting whole of cyber approach. This is about much more than the strategy covering both cyber security and offensive cyber (something the 2016 strategy did as well, to an extent). It is better to think of it as a recognition that the issues involved in cyber security are so broad and cut across so many different policy areas that they need to be hardwired into mainstream policymaking of all kinds, including, for example, education strategy, industrial policy, work on regulations and incentives, and foreign policy. It also recognises that multiple different levers, both within and outside government, must be brought to bear to find solutions.
This is not something that can just – or even primarily – be addressed by the NCSC and a small number of specialist policymakers, however expert and capable. To see the government recognising this upfront and giving it such emphasis is encouraging.
Even more so is the recognition that the cyber response needs a whole of society effort. It is in the very nature of the internet and cyber that most of the ability to effect change lies outside the hands of government. The private sector owns and operates cyberspace and the technology that works with it; as citizens we live our lives in it; and our increasingly cyber-dependent critical national infrastructure resides almost entirely outside of government hands. So, any suggestion that the solution to our cyber security challenges lies entirely in the hands of government would be unrealistic.
Clearly, government has a fundamental role to play. But it is never going to be able to achieve the necessary results alone. The government’s 2021 strategy acknowledges this more clearly than before and starts to explore what it means, both in terms of roles and responsibilities, and for partnerships between government, private sector and citizen.
This is a welcome shift in emphasis. There is a risk, though, that some will still feel the strategy is being done to them and not with them. And a whole of society response cannot just mean government telling the private sector and the citizen what to do. Along with the focus on their responsibilities, there needs to be a real sense of government and civil society engaging jointly to develop strategy and interventions that will address cyber security challenges. The strategy talks about a new national dialogue on cyber, supported by a new senior National Cyber Advisory Board bringing together government and civil society. These are encouraging indicators, and there should be plenty of opportunities next year to flesh out this critical part of the agenda.
The strategy takes an impressively strategic and wide-ranging approach to cyber. And it is very clear about the cyber challenges still facing the UK. It points to gaps in our national cyber resilience, the failure of cyber deterrence, significant skills shortages, the fact the UK does not have a leading position in key technology areas, and the overall reduction in internet freedom globally.
The bulk of the 130-page document sets out the UK’s response. It is framed very logically into five pillars that address different aspects of the challenge. Each will require more careful analysis than is possible here.
Building on the Integrated Review, one pillar focuses on taking the lead in key technologies. The strategy lays out a clear checklist of the most important technologies to cyber and commits greater effort in government to analysis and understanding of the issues around them. There is a focus on ways to develop a stronger UK ecosystem in critical areas including microprocessors, operational technology and cryptography. And some substantive initiatives are set out.
The strategy has a strong focus on the UK’s global leadership in cyber, setting some ambitious objectives for the UK to raise its game in this area and do more to champion its vision of an internet that enshrines democratic values, including in the international bodies that set future technology standards. This feels a much more purposeful and central part of the 2021 strategy than was the case in 2016.
The approach to the critical area of cyber resilience emphasises the fundamental need to gain a better understanding of the vulnerabilities in our critical national infrastructure (CNI). The strategy perhaps feels more substantive on measures to improve cyber resilience within government than the wider CNI. On the latter, there are references to new approaches on regulation and incentives, but we will need to wait for more details. Beyond that, there is a broadening of focus on resilience to include the wider public sector, small organisations and the citizen. This includes an expansion of the NCSC’s Active Cyber Defence programme and other measures to make the internet automatically safer.
The plans to strengthen the UK’s cyber ecosystem – covering areas including national skills and developing a commercial cyber and technology base – point to the government taking more of a convening and enabling role rather than trying to fix all the problems itself. This makes sense, although given the scale of the skills gap, questions may be raised about whether there is enough set out here to make a material difference.
Finally, there is a pillar focusing on countering threats. Given the scale and nature of the threats we are facing, and the limited impact many current responses seem to have, this section perhaps raises more questions than answers. There are references to potential actions by the National Cyber Force, and some discussion of the role of law enforcement – but nothing to suggest any particularly radical new approach to tackling cybercrime, for example.
There is much to admire in the new cyber strategy: it firmly places cyber in a much broader context; recognises the need to mainstream cyber across policymaking; acknowledges the vital need for a whole of society response to cyber issues; and sets out an ambitious agenda for promoting the UK’s vision of the future of the internet internationally.
There is a wealth of material underpinning these themes, though some of it remains aspirational, without much by way of tangible detail. And it is not always immediately apparent how, taken together, the many initiatives will deliver the significant impacts that are needed, especially on some of the tougher challenges – or how that will be measured. There may also be concerns about the sheer capacity in government to deliver such a wide set of initiatives – though the strategy is accompanied by an impressive level of funding, described as far exceeding that associated with the 2016 strategy.
But these challenges are tough, and if this strategy lacks the kind of headline-grabbing big deliverable of 2016, that may be a reflection of the fact that we are starting to see the limits of what significant new ideas can be developed that are achievable within the political, financial and bureaucratic art of the possible. The answer probably lies in relentless implementation of a wide range of interventions across the board, with a stronger emphasis on the role that all of society has to play.
So, the new strategy represents a welcome statement of intent for UK leadership in cyber. Next year offers the opportunity to build out more of the detailed thinking underpinning this. Crucially, this needs to be developed in collaboration with the private sector and wider civil society, if the aspiration for a whole of society response is truly to be achieved.
The views expressed in this Commentary are the author’s, and do not represent those of RUSI or any other institution.
WRITTEN BY
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser