What the Integrated Review Means for the UK's Cyber Strategy
The UK government’s Integrated Review gives some important pointers to the future strategy on cyber security.
The government’s Integrated Review (IR) of Security, Defence, Development and Foreign Policy touches on a sweeping range of issues, from climate change to the nuclear deterrent, quantum computing to biodiversity.
Among other things, the IR gives us a strong feel for the government’s likely future approach to cyber security, which is particularly significant given that we should see the launch of a new national cyber strategy later this year. The 2016 cyber security strategy drove a significant change in the UK’s approach to cyber. The 2021 version may struggle to match that impact, but it needs to set a strong agenda if it is to meet the aspirations of the IR and maintain the UK’s global influence on cyber.
The 2016 strategy was ground-breaking in its shift to a much more interventionist role for the UK government – exemplified by the creation of the National Cyber Security Centre (NCSC) – and for taking an impressively broad and holistic approach. While some of today’s cyber challenges are familiar from five years ago, the world has moved on in a number of important ways, not least with the growing concerns about the globalisation of technology and the role of China.
The IR sets out five key themes that are likely to form the structure of the next cyber strategy. Setting aside some questions about tone and scope (of which more later), this is a well-considered set of headings. But with the exception of the central and welcome focus on technology, the content at this stage is mostly fairly generic and aspirational. This may be fine for the time being, but the strategy will need to deliver on the detail. There is also a sense of ‘more of the same’, rather than any bold new approach.
The technology component of the IR is by far the richest and most developed. An ambition to be a world leader in new technology is at the heart of it. That aspiration is closely coupled with cyber security, which is both an enabler for this agenda and dependent on its success. The IR sets a bold strategy for the UK in technology, with a range of measures aimed at significantly boosting the country’s capability and managing the risks that come from globalised supply chains.
It sets out an ‘own-collaborate-access’ model for the development and acquisition of critical technologies, where the UK either leads the development, collaborates with like-minded states or acquires the technology from elsewhere. This is coupled with a risk mitigation approach to the use of non-allied technology, where necessary. There is plenty in the work the NCSC did in the context of 5G to draw on here, even if it was somewhat drowned out by the noise of the debate at that time.
The IR acknowledges the criticality of cyber resilience, brought into sharp focus by incidents like the Russia-linked SolarWinds operation, which have highlighted the significant continuing cyber vulnerabilities of public and private sector organisations alike. But it lacks much by way of new measures to move the dial. There is a welcome nod to a ‘whole-of-society’ approach, bringing together government, the private sector and citizens in an integrated way, underpinned by new legislation (and regulation) where necessary. This is important, as the new cyber strategy needs to be a partnership with the private sector, not something done to it.
There is a pledge to further strengthen the UK cyber ecosystem, and another welcome acknowledgement of the need for a ‘whole-of-nation’ approach. The 2016 strategy saw a strong emphasis on skills, research, innovation and growth. There is now plenty of experience to learn from, including being clear about those areas where government can genuinely add value and those where it should step back and let the private sector get on with it. But again, it is unclear from the IR whether there is a new ‘big idea’ in the offing.
The IR speaks to the international dimension of cyber, particularly around advocacy for a free, open, peaceful and secure cyberspace. There are encouraging words about the UK’s role in promoting this concept, at a time when the alternative vision of the internet as a tool for repression and state power can seem all too attractive to many countries.
The emphasis is on shaping international technical standards, developing regulatory frameworks and establishing rules of responsible behaviour – although, as elsewhere, such statements remain largely aspirational. And, naturally enough, the growing UK emphasis on the use of offensive cyber has the potential to raise certain tensions with this narrative.
The final cyber theme relates to detecting and responding to cyber attacks on the UK. Here, the aspiration to ‘build seamless systems to detect and act with industry on cyber threat information at scale and pace’ is worth noting. There is no further information, but this seems quite an ambitious objective. It will be interesting to see how it plays out in the forthcoming strategy.
It is no surprise, though, that the main focus in this theme is the use of offensive cyber by the new National Cyber Force (NCF), just as the government’s press release about cyber and the IR was mostly about the NCF and the plan for it to be headquartered in the North. It is entirely right that the UK has an offensive cyber capability: it must not allow the internet to be an uncontested space for its adversaries. But it seems that the temptation to talk up offensive cyber continues to be hard for some to resist. That said, it is positive that the IR emphasises that the UK will rely on the full spectrum of levers – ‘our diplomatic, military, intelligence, economic, legal and strategic communications tools, and the new NCF’ – in response to cyber attacks. It will be good to see the UK doctrine developed further.
There are a couple of aspects of the IR that raise some other questions. The document represents a further example of the UK government’s growing fondness for the term ‘cyber power’. It appears over 20 times, along with the latest iteration of the government’s own definition of the concept. Cyber power is not new. The leading US strategist Joseph Nye wrote an influential paper on it for Harvard’s Belfer Center in 2010, and Belfer continues to do work on the theme. It crops up as a term of art in various places, usually with subtly differing definitions.
But there is little consensus on the value of it as a concept. Thomas Rid memorably concluded that ‘the notion of “cyberpower”, properly defined, is so shaky and slippery as to be useless’ (Thomas Rid, Cyber War Will Not Take Place, p. 24). Meanwhile, Ciaran Martin, founding CEO of the NCSC, has sought to define the term as something entirely separate to cyber security, essentially limiting the meaning to the use of offensive cyber.
The IR attempts to soften the rather militaristic tone of the phrase by sometimes coupling it with the words ‘responsible and democratic’. This is an important nuance. But in any event, the case for building the UK approach around this notion remains unproven.
The other point to note is the announcement that the new national strategy will be ‘comprehensive … taking a whole-of-cyber approach’. In other words, a ‘cyber’ strategy rather than a ‘cyber security’ strategy. Being comprehensive always sounds sensible, and from an internal government point of view, an approach that looks at the development of cyber capabilities in the round makes sense. There is no point in the NCF and NCSC developing duplicative skills and training programmes, for example, and there are valuable operational synergies in maintaining close co-ordination between those looking at attack and defence.
But the key strategic cyber issue for the UK remains its cyber security, and offensive cyber has only a narrow and specialist role to play in that. The implication that a more ‘comprehensive’ strategy somehow represents a significant new development feels misplaced.
Whatever the shape of the new strategy, a final key question is when we will see it. The timing of the forthcoming spending review, when budgets will be set for the next few years, is key. Given the whole-of-society response to cyber that we need, it is to be hoped that the cyber strategy will be published before the spending review, so that it can influence the funding process as part of a well-informed national debate.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
WRITTEN BY
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser