A Crossroads for UK Cyber Strategy

Change needed: The UK’s approach of relying largely on market forces to fix systemic technological and cyber security challenges is no longer sustainable. Image: Nari / Adobe Stock

UK cyber strategy is struggling to achieve its resilience objectives – the next iteration of the National Cyber Strategy needs to set out a compelling vision for change.

The UK’s cyber strategy has lost momentum. While in many ways the UK continues to invest in and operate as a ‘cyber power’, successive governments’ approach to national cyber resilience has struggled to keep pace with technological and political shifts and the threat posed by state and criminal actors. Many officials in the UK system recognise the nature of the challenges the country faces and the need for change. However, they have found it difficult to translate their own understanding of the problem into the kind of actions that could raise the bar for cyber security and resilience at sufficient scale.

The result is that the UK’s approach continues to largely rely on market forces to fix systemic technological and cyber security challenges. This is no longer sustainable when ransomware gangs repeatedly hold our essential services and flagship businesses to ransom.

The announcement at May’s CyberUK conference by Pat McFadden, Chancellor of the Duchy of Lancaster, that the government intends to publish a new iteration of the National Cyber Strategy before the end of 2025 is therefore welcome. However, government messaging suggests the new version will only be a ‘refresh’ of the existing 2022 strategy. This does not meet the scale of the challenge and is a wasted opportunity for Labour to align national cyber strategy with its missions for government. A new National Cyber Strategy should instead set out a positive, compelling vision to protect consumers, secure the technologies of future growth and fix the persistent market failures that damage national resilience.

New (But Mostly the Same) Cyber Threats to the UK

Since the publication of the current 130-page 2022 National Cyber Strategy, the UK has been confronted by shifts in the intent and capabilities of state adversaries, criminals and hacktivists. Some adversaries have, for example, shifted to a more confrontational posture. In May 2023, Microsoft uncovered a Chinese state campaign prepositioning in the networks of US critical national infrastructure, and in February 2024 a joint advisory from the US and its Five Eyes partners, including the NCSC, assessed that this access was likely intended for sabotage operations in the event of a confrontation or war over Taiwan. The Russia-Ukraine and Israel-Iran conflicts have also demonstrated the growing importance of cyber operations in conflict and the need to ensure military and civilian critical national infrastructure is resilient. Although the UK has largely avoided spillover cyber-attacks from these conflicts, hacktivists and criminals associated with Russian intelligence have demonstrated a willingness to punish the UK for its support of Ukraine.

Yet arguably more concerning is what has not changed, namely that UK critical national infrastructure providers and businesses continue to be routinely compromised and disrupted by organised cybercriminals. Annual reporting on ransomware data leak sites and intelligence obtained from law enforcement operations suggests that the UK is second only to the US in terms of the number of organisations victimised by ransomware. In 2025, these attacks still largely rely on the same tactics that were used when ransomware first started to explode in 2019 and 2020: exploiting vulnerabilities or misconfigurations in poorly engineered internet-facing devices, obtaining stolen credentials and phishing employees.

Systemic Cyber Security Challenges

The vulnerability of UK organisations is driven by two longstanding challenges. The first is that not enough organisations are incentivised by market forces or compelled by regulation to meet minimum cyber security standards. As the most recent Annual Review by the National Cyber Security Centre argued, ‘too many organisations are not implementing the most basic protective measures . . . which means millions of organisations are leaving themselves open to cyber attacks that we know how to prevent’. This applies to large organisations and critical national infrastructure providers as well as millions of SMEs.

The second is that we operate in a global technology market that does not bake security into hardware and software. Technology vendors are rarely incentivised to invest in security. Through terms of use agreements, buyers, users and ultimately wider society end up bearing the risk. This is not a new observation or phenomenon. In fact, nearly a decade ago the 2016 UK National Cyber Security Strategy noted that ‘much of hardware and software originally developed to facilitate this interconnected digital environment has prioritised efficiency, cost and the convenience of the user, but has not always had security designed in from the start.’ There is a growing chorus that the current situation represents a market failure that will not be resolved without governmental and regulatory intervention.

UK Cyber Strategy and Policy Since 2022

Against this backdrop, the UK’s approach to raising national cyber security and resilience looks increasingly timid and lacking in urgency. There have been some success stories worth acknowledging, such as the National Crime Agency’s disruption of the LockBit ransomware group, the Product Security and Telecommunications Infrastructure (PSTI) Act, the Pall Mall Process to limit the proliferation of spyware and the National Cyber Security Centre’s continued global and national leadership on cyber security standards, guidance and technical assurance.

Yet proposed legislation to improve the cyber security and resilience of UK critical national infrastructure has languished for several years. Despite the acknowledgement in the 2024 King’s Speech that the EU’s NIS2 Directive means that existing national legislation has been ‘superseded . . . and requires urgent update to ensure our infrastructure is not comparably more vulnerable’, the slow progress of the Cyber Security and Resilience Bill since then suggests that more government intervention on cyber security and resilience is not an urgent priority.

The UK has also lost momentum on addressing failures in the technology market. The UK was an early leader in 2018 when the NCSC and the then Department for Digital, Culture, Media and Sport started to refer to secure by design and secure by default approaches to addressing foundational insecurities in digital systems and software. The 2022 PSTI Act, which mandated that manufacturers of consumer connectable devices must meet minimum security baselines to sell to UK customers, was a good example of what is possible.

Nevertheless, most of what the UK has done since the publication of the current National Cyber Strategy comes across as ‘busy’ without being effective. For example, the Department for Science, Innovation and Technology (DSIT), with industry and NCSC input, has published a number of Codes of Practice, including for AI cyber security and software security. These Codes of Practice, like much of the guidance that the NCSC produces and hosts, are well intentioned, rigorous and practical, but ultimately they are voluntary, and at the time of writing there is little evidence that organisations or technology vendors intend to embrace them at the kind of scale required to be transformational.

The UK’s hesitancy to intervene in the market puts it at odds with close international partners. The EU recently introduced regulation mandating secure by design principles (the Cyber Resilience Act) and updated the common market’s product liability regime to include software (the revised Product Liability Directive). Even the US, a country not well known for regulating big tech, has shown a desire for market intervention. The most recent US National Cybersecurity Strategy proposed implementing a software liability regime, although it is unlikely the Trump administration will follow through on this.

Shaking Up the Status Quo

The good news is that there is a growing recognition from at least some parts of the UK cyber policy ecosystem that the current approach is not sustainable. Senior officials at DSIT and, in particular, the NCSC recognise the systemic challenges the UK faces and seem frustrated by the status quo. The NCSC’s 2024 Annual Review assessed that ‘there is a growing disparity between the resilience of our infrastructure and the threat we face’. The NCSC’s Chief Technology Officer has also been outspoken on failures in the technology market. However, while officials in HMG may feel this way, there is an open question about ministers’ willingness to legislate or impose cyber security costs on business if this is seen as in conflict with the government’s growth agenda.

Even putting aside the mutually beneficial relationship between cyber security and growth (M&S expects the ransomware attack it suffered in 2025 to cost it around £300 million in operating profit), there is a progressive case for the new Labour government to adopt a new approach. Cyber security policy has benefitted from cross-party support for nearly two decades. Linked to national security, it has been depoliticised and viewed as a technical, rather than a social or political, problem. Despite this, there are challenges shaped by ideological preferences that now require solutions. Who should bear the cost of securing technology? Are impacts the fault of vendors, users or consumers? What role should the government have? At present there is no Labour answer to these questions, much as there was often no Conservative one during previous governments.

The Next National Cyber Strategy

While many of the interventions required will be long-term, the new version of the UK National Cyber Strategy will be an opportunity for the government to set out core priorities and develop guiding principles. At a minimum, we believe that the strategy should include or address the following issues.

First, the UK government needs to create a strong strategic narrative about what it wants to achieve and how it will get there. Put simply, the current National Cyber Strategy is too long. The breadth and length of the NCS 2022 create uncertainty about its primary aims. While there is a lot of content, there is little direction. You could combine both previous UK National Cyber Security Strategies, then add the latest US National Cybersecurity Strategy, and you would still be 17 pages short of the 130-page 2022 version. The strategy should clearly signal three to four priorities and hammer them home to the rest of government, industry and civil society.

Second, it needs to articulate how the UK government will seek to address market failures. If it plans to continue mostly using voluntary measures, then it should articulate how it is measuring their effectiveness and what the cut-off point is before a more interventionist approach is adopted. As part of this, the strategy should also lay out clear roles and responsibilities for improving national cyber resilience: what is government responsible for, and where does that responsibility end? This must also be based on deep consultation with regulators, all parts of industry (in other words, not just cyber security or technology vendors) and civil society. If the government goes down a more interventionist route, regulation needs buy-in from those being regulated.

Finally, the strategy needs to address international alignment for any future UK legislation and regulation. This is not simply about harmonisation to reduce the burden of regulation on organisations that need to comply (although that is important). The UK is unlikely to have a meaningful impact on global technology markets without working in concert with partners. As with wider questions about EU-UK alignment, the government should decide whether and how closely to mirror cyber security regulations set by the bloc.

© RUSI, 2025.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

WRITTEN BY

Joseph Jarnecki, Research Fellow, Cyber and Tech

Jamie MacColl, Senior Research Fellow, Cyber and Tech
