National Cyber Strategy will enhance UK’s cyber power status

The 2022 UK National Cyber Strategy succeeds the previous 2016-2022 Cyber Security Strategy, which was published following the formation of the National Cyber Security Centre (NCSC) in 2016 with funding for the five-year period. The new strategy, published on 15 December, builds on this legacy, covering the next three years to 2025.

However, while the NCSC plays a central role, the strategy brings together other parts of government, including the Ministry of Defence, the intelligence agencies (including Government Communications Headquarters), the Foreign Office, the National Crime Agency and other government departments – along with operators of critical national infrastructure (CNI), industry and academia.

The strategy also takes a “whole society approach” and aims to strengthen cooperation between international partners and “increase collective action”. I believe these are important elements in order to increase the UK’s strength as a cyber power.

In setting the context for this strategy, cyber power is addressed on page 20, with the footnotes on that page referring to three cyber power indices. The UK rates highly, coming behind only the US in two indices, and the US and China in the third, with only the US and the UK having consistently high rankings, but with Russia, France, Canada and Australia also featuring.

Although these indices use different methodologies and are to some extent subjective, it does show that the UK is ahead of its peers and competing with the US and China – which are much larger both in terms of population and gross domestic product. Linked to this are some of the challenges identified for the UK, such as the lack of skilled cyber professionals, the size of the UK industrial base in IT and cyber, and the ability to invest on the same scale as the US and China.

International collaboration, not only with the US, but also with other European and Five Eyes (Australia, Canada, New Zealand, the UK and the US) allies helps to offset this and provides a powerful collective capability, but other aspects of the strategy that fall under the whole societal approach are also key. This includes the promotion of cyber security research and education, as well as the creation and support of cyber startups.

Collaboration with academia through the creation of Cyber Research Institutes, awarding universities the status of Academic Centres of Excellence in Cyber Security Research (ACE-CSR) and Cyber Security Education (ACE-CSE) – along with the certification of cyber security bachelors and masters degrees and the creation of the cyber security apprenticeship – have strengthened the UK’s academic research capability. It has also increased the flow of cyber security graduates into the workforce.

Underpinning the increase of the cyber workforce, the creation of CyberFirst has promoted cyber security in schools to increase the flow of future graduates and has also increased awareness in a large swathe of the younger population who are now starting to come into the workforce. Initiatives to foster startups are also starting to increase the UK’s industrial capability, although there is still a long way to go.

This is only part of the whole societal approach. At one time, national security was seen as something for government and would have been focused on government. However, cyber security now affects all of us in our daily lives at home as well as at work, travelling, or going out for the evening.

Traditionally, CNI would have been thought of as power generation and distribution, water supply, and so on. But it now has to include telecoms providing internet and telephony, finance and food supply chains. Also, cyber crime impacts just as much on citizens and businesses as on government, with increases in ransomware.

Protection of industry and this expanded field of CNI operators is essential for society as a whole – as we can see from recent events and incidents over the past few years, distributed denial of service (DDoS) attacks on countries’ financial systems that can leave citizens unable to withdraw cash and unable to use credit or debit cards. There have also been attacks on power generation and associated systems and government agencies.

Such attacks in times of unrest would typically be designed to disrupt normal society and demoralise citizens as well as weaken military capability, possibly in advance of, or during, a parallel military action (such as was seen in Ukraine). Society as a whole is being attacked in such scenarios and therefore society as a whole needs to be able to defend itself.

The UK is better placed than many to repel cyber attacks, partly because of the whole societal approach, but there is more to be done. A strong offensive cyber capability, coupled with only weak defences to protect against disruption to daily life, does not make a cyber power.

Much has already been done to strengthen the UK’s cyber defences through collaboration with industry and the introduction of the Active Cyber Defence programme protecting government departments and agencies as well as helping to protect us all from phishing and other cyber attacks. Collaboration with allies has also been strengthened with more intelligence-sharing and collaborative attribution of attacks taking place.

The new strategy aims to build on this to the benefit of society as a whole. Part of this is not just defensive, but also economic, because improving the UK’s cyber ecosystem and skills and increasing resilience makes the UK a good place to invest for all businesses, not only those in cyber security. This is also supported by the ambition for “a more secure, prosperous and open international order”, which will allow us all to make the most of cyber space and the digital world.