The completion of the UK’s Integrated Review of Security, Defence, Development and Foreign Policy will be delayed. But key decisions about the country’s cyber strategy must be taken soon.
The recent Treasury announcement that the upcoming spending review will cover only one year, rather than take a more strategic look at the next three years, is unsurprising given our coronavirus-induced economic turmoil. The implications for the Integrated Review remain unclear.
One area under review where strategic decisions are needed is cyber. Our current National Cyber Security Strategy, set in 2016, covers a period which ends next year. That strategy was groundbreaking, and an inspiration for many other countries. Accompanied by £1.9 billion of funding for transformational activities, it was an all too rare example of a national cyber strategy underpinned by the money to implement it.
The ambitious 2016 strategy, and what has flowed from it, have been pivotal to establishing the UK's world-leading position on cyber. To maintain that position, it is essential that the UK's new strategy is equally transformational.
The context is clear: our fundamental dependence on the internet and digital technology across the economy and society, accelerated by the pandemic; complex global technology supply chains which raise questions about security and sovereign capability; technology as a geopolitical issue, not least in relation to China; growing cyber capability among hostile actors, both states and criminals; the increasing normalisation of offensive cyber as a tool to project national influence.
Against that background, here are five principles that policymakers may wish to bear in mind when developing the next strategy for the UK.
Prosperity and Economic Security Should Be at the Heart of the Strategy
The economic impact of the ongoing pandemic is self-evident and likely to be long-lasting. Cyber security has a critical role in defending our economy from harm, and offers opportunities to enhance our prosperity that have not yet been fully exploited.
This means that finding ways to significantly raise the cyber security standards of those sectors critical to our economic security needs to be a priority. There needs to be a clear view of key areas, a strong focus on what is required to build an innovative, digitally-enabled, data-driven economy, and an understanding of where the threats to that come from. This may need a more robust grip on critical national infrastructure issues from the centre of government.
Security needs to be strengthened by carrot and stick – collaboration, regulation and corporate governance will be key elements. The strategy should set out the future vision for the current portfolio of standards, guidance, incentives, corporate governance and regulation. There needs to be a robust approach to cyber regulation, expanding it where necessary and encouraging regulators to develop the right skills to exercise their cyber responsibilities. In parallel, corporate governance frameworks need to reflect cyber security requirements more robustly.
At the same time, the strategy needs to take a fresh look at critical areas for building our national cyber capacity including research and development, skills, innovation, growth of new cyber companies and exports. In doing this the government needs to be clear-eyed about where it can add value and where it should get out of the way and enable the private sector to do the job.
There Needs To Be a Whole-of-Society Response
If the 2011 strategy was overly dependent on market forces to drive improvement in cyber standards, the 2016 strategy was much more about government stepping in to fix things. The new strategy needs to be about a whole-of-society response. To some extent we are reaching the limits of government intervention, and the practical reality is that we need government, private sector, academia and citizens to make a collective effort to raise our game.
The new strategy must be genuinely co-created with key stakeholders outside government. It must feel like something done with them, not to them. This requires new structures to achieve the right engagement.
It should be explicit about the responsibilities of the private sector, the government’s expectations and its own offer. Government should leverage the influence of a wider group of stakeholders that can shape and enforce secure behaviours, including investors, auditors, cyber insurers and those involved in procurement. Overall, this needs to feel like a collective national response.
There Should Be a Coherent and Assertive International Approach Driven by UK National Interests
The government has put a lot of effort into its international approach to cyber but has sometimes struggled to establish coherence between different activities, and to link them consistently to a common view of the UK's national interests.
The UK still has a world-leading brand when it comes to cyber security. We need to leverage this more assertively. We need to be clear about what serves our national interest and direct our international efforts accordingly, including, for example, around capacity building. We can place cyber at the centre of engagement with other countries on security, resilience, technology and prosperity, and use our world-leading expertise and experience to position the UK as a global thought leader, including in international bodies that will be crucial to the future shape of the internet.
This needs to be reinforced by a professional and credible international network of cyber experts, and by strong, active engagement from the National Cyber Security Centre (NCSC). The NCSC is the jewel in the crown of UK cyber and needs to be central to our international agenda.
Deterring hostile state cyber actors is a continuing challenge. Further developing our own offensive cyber capability may be part of the answer (though it may rarely make sense to respond to a hostile cyber act in a binary cyber way). As we develop our offensive capabilities there needs to be an informed debate around the licence to operate, and a recognition that these capabilities are not just about military operations.
We Need a Compelling Risk Management Approach to the Globalisation of Technology
Well before the pandemic, we were wrestling with security issues around our global supply chains; our dependency on other countries, particularly China, for key technology and other goods; the lack of sovereign capability in critical areas; and the challenges of foreign direct investment, especially from China.
The debate over Huawei and 5G had only just started to bring these issues into focus, and the pandemic has turned a new spotlight on them. But there are no easy answers. Established principles of maintaining good cyber security, diverse supply chains and resilient design apply in many technology areas. But at times they are easier said than done.
There has rightly been a strong emphasis on building security into the design of new technology, but with so much technology developed beyond our reach and influence the reality is that much of it will be insecure by default. Debates around creating new sovereign technology in critical areas will need to be rooted in the art of the possible and will require a substantive and wide-reaching industrial strategy to have a hope of becoming reality. We need new partnerships between government, academia and the private sector to develop innovative technology, and must be prepared to take more risk in backing new ideas.
Cyber Should Be Embedded across Policymaking
This is not the time to declare victory on cyber; it needs a sustained focus. The NCSC must be resourced sufficiently, including to enable it to engage effectively both with the private sector and internationally. A centrally managed investment programme is still required, as is a focus for policy and strategy at the centre of government.
But it is essential that cyber does not exist in a stovepipe. More than ever, it must be integrated with wider policymaking across government. The 5G debate has shown that cyber issues are part of a much wider set of questions about our future relationship with technology, and the strategic political relationships between the East and West. It should be at the core of thinking about industrial strategy, skills and innovation. This needs policymakers across government who are confident with technology issues.
There needs to be sustained engagement on multi-disciplinary technology issues beyond the walls of government. A truly whole-of-society response to cyber needs a more sustained effort to bind in the private sector, academia, the third sector and wider society. Neither government, nor market forces, can achieve what we need by themselves.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.
Conrad Prince CB
Distinguished Fellow and Senior Cyber Adviser