Cyber security experts have given the thumbs-up to newly announced plans to strengthen both the UK’s cyber sector and its offensive and defensive capabilities, trailed earlier in the week and formally announced on 16 March in the government’s Integrated Review of Security, Defence, Development and Foreign Policy.
In the review – which covers a diverse range of areas besides cyber, including military and nuclear weapons strategy, the UK’s response to the climate emergency, and resilience for future pandemic events – the government set out a plan to enable a “whole-of-nation” or “full-spectrum” approach to cyber security.
This approach will follow a number of strands, to be detailed in greater depth in a new national cyber strategy later in 2021:
- Deepening partnerships between the public and private sectors and investing in research and skills.
- Building a “resilient and prosperous” digital nation, guaranteeing online citizen safety, empowering organisations to safely adopt new technology, investing further in the National Cyber Security Centre and addressing vulnerabilities in government networks and critical national infrastructure.
- Developing a lead in technologies that the government sees as vital to cyber power, such as advanced processors, secure systems design, quantum tech, and new forms of data transmission, all supported by “cutting-edge” policy, regulatory and legal frameworks.
- Promoting a “free, open, peaceful and secure” global internet through international partnerships that advance shared security and values through cyber resilience and joint action to uphold the rule of law.
- Detecting, disrupting and deterring cyber adversaries, both in terms of thwarting nation-state actors and cyber criminal groups, and strengthening the criminal justice system’s ability to respond to cyber attacks.
Once in a lifetime
PA Consulting’s Cate Pye described the review as a once-in-a-lifetime opportunity for the government to set out a vision for an integrated and resilient approach to the UK’s global role, particularly given the dual impact of an extreme Brexit and the Covid-19 pandemic.
“The government’s response needs to reflect the shifting pattern away from conventional risks towards the continuum of threats posed by the adverse use of technology and cyber,” she said. “This shift impacts all key stakeholders, the government, our defence forces, business and citizens.
“With greater integration between government, business and industry, we have an opportunity to be the ingenious digital ‘crown jewel’ of the world and to pave a new path of global influence.”
TechUK CEO Julian David also registered the “seismic shift” in the UK’s approach to security. He said that for TechUK and its members, the emphasis on technology as a strategic enabler was most welcome, especially given the emphasis on areas such as cyber, artificial intelligence and the space industry.
“This, together with the wholesale modernisation of UK defence capabilities and substantial uplift in UK spending on research and development, will encourage greater collaboration between government and the technology industry to deliver on the review’s ambitions,” he said.
“Looking ahead, and with the imminent publication of the Defence Command Paper and Defence and Security Industrial Strategy, TechUK and our members remain committed to working with our partners across government to deliver on ambitions of the integrated review.”
Cyber as a tool of national defence
Others have zeroed in on the confluence of cyber and national defence, particularly in the light of the establishment of the National Cyber Force (NCF), some more details of which are contained in the full text of the review.
Steve Forbes, Nominet’s government cyber security expert, said the government was right that it will be increasingly important for the UK to be able to act as “a force for good” in conducting offensive cyber operations to disrupt online aggressors.
“With so much changing since the 2015 Strategic Defence and Security Review, it is paramount that, as a society, we have a robust and cutting-edge approach to defending against high-level nation-targeted attacks,” he said. “Investment in ‘home-grown’ cyber is a wise move.
“In positioning our country as a global digital leader for the future, it will be important to devise solutions that are adaptable, as well as highly resilient and scalable; that both protect us from specific nefarious cyber activity and keep the entire UK safe online. The government’s plan to offer a full-spectrum approach to cyber defence is crucial to this. A competitive UK is a secure UK.”
Mandiant intelligence analyst Jamie Collier said that while the NCF signalled more willingness from the government to engage aggressively when needed, it was encouraging that the review’s language placed strong emphasis on the UK remaining a responsible actor in cyber space.
“This is therefore not a complete overhaul of the current playbook, but the National Cyber Force responds to a threat landscape that is growing in complexity for at least three reasons,” he said.
“First, beyond the big four of Russia, China, Iran and North Korea, other states are now developing cyber capabilities. Vietnam is one example of a country that has quickly ramped up its ability to conduct cyber operations. The UK must therefore plan ahead and anticipate the growing threat posed by emerging players.
“Second, cyber criminals are becoming increasingly professionalised and sophisticated. The issue has quickly moved from something of a nuisance to a matter of national security. This has been showcased over the past year by the prominence of ransomware operations targeting critical infrastructure and the healthcare sector amidst a global pandemic.
“Third, the UK must counter growing levels of online disinformation. These operations are now conducted by a variety of countries beyond Russia. Here, the link between disinformation and cyber security is increasingly blurry.
“For instance, disinformation operators are known to first steal sensitive documents before leaking them at a time intended to cause maximum disruption. These campaigns will also often seek to compromise and then use government social media accounts or websites as a platform to distribute their message.”
Nominet’s Forbes added that a defensive chain can only be as strong as its weakest link, so the commitment to increased collaboration between government, academia and industry, as well as international alliances, would have to be delivered upon.
“Joint efforts can provide information at a scale that individual organisations and countries could perhaps never match on their own, from identifying new threats and where education needs to take place, through to technologies that can provide a broad foundation of security,” he said.
“The more we can pull together in our cyber defence, taking advantage of collective intelligence and counter defence, the stronger we will be.”
Will the UK nuke cyber attackers?
One notable point to consider in the review is an implied threat to carry out nuclear attacks on states that conduct offensive cyber attacks against the UK, which comes alongside a commitment to increase the UK’s stockpile of nuclear weapons, which runs contra to popular sentiment and puts a dagger through Britain’s previous commitments to nuclear disarmament.
The review’s text states: “The UK will not use, or threaten to use, nuclear weapons against any non-nuclear weapon state party to the Treaty on the Non-Proliferation of Nuclear Weapons 1968 (NPT). This assurance does not apply to any state in material breach of those non-proliferation obligations. However, we reserve the right to review this assurance if the future threat of weapons of mass destruction, such as chemical and biological capabilities, or emerging technologies that could have a comparable impact, makes it necessary.”
While this may be read as a safeguard against weapons yet to be developed, inclusion of the term “emerging technologies” is certainly loose enough that it can also be read as a direct threat against nation-state-backed cyber attackers, groups such as those behind the SolarWinds attacks, Russia’s infamous Cozy Bear and Fancy Bear APTs, North Korea’s Lazarus, or Hafnium, the Chinese group that was first to exploit the Microsoft Exchange vulnerabilities.
Indeed, according to an unnamed government source cited by The Telegraph, the government does indeed mean the term emerging technologies to include “cyber, AI, encryption, and laser-directed energy weapons”. It is unclear how, or with what reason, the government considers encryption a weapon – it is not.
Defence analyst Tom Plant of the Royal United Services Institute (Rusi) told The Guardian newspaper that the statement was merely an indication that the government sees the potential for novel technologies to rival traditional weapons of mass destruction in their capabilities in the near-term future.
However, whether or not the government will call on the military to conduct a nuclear strike against a malicious cyber actor in the event of a sufficiently crippling cyber attack – presumably one targeting critical national infrastructure (CNI) – remains to be seen. Hopefully, we will never have to find out.