Perspectives on the Next UK National Cyber Strategy

Talking progress: Chancellor of the Duchy of Lancaster Pat McFadden delivers a keynote speech to the CyberUK conference in Manchester, 7 May, 2025. Image: PA Images / Alamy Stock


Publishing a new cyber strategy before the end of 2025, the UK Government has a lot to consider to move beyond past initiatives.

At this year’s CyberUK conference, the Chancellor of the Duchy of Lancaster announced that the UK government would publish a new National Cyber Strategy before the end of 2025. As part of an ongoing research project on UK cyber strategy, the RUSI Cyber and Tech research group brought together six experts from industry and civil society to offer their perspectives on the key issues and interventions the UK government should consider.

Saying Goodbye to ‘Cyber Power’

Conrad Prince

A cyber strategy refresh is an opportunity to rethink how the 2022 strategy framed the challenge. The last strategy embodied the then government’s attachment to the concept of ‘cyber power’. The term, with its militaristic overtones and slightly bombastic feel, divides opinion and has sometimes been a distraction, diverting focus from the fundamental need for the UK to get better at cyber resilience.

The 2022 strategy became a ‘national cyber strategy’, not just about cyber security but trying to integrate thinking on both cyber security and offensive cyber. In practice though, they are largely quite different issues. Cyber security is a complex, highly challenging and wide-reaching resilience issue for the UK. Offensive cyber is a bespoke operational capability. It has some narrow relevance to cyber security but can be deployed against a wide range of threats the UK faces, well beyond disrupting hostile cyber actors. It needs its own separate strategic framing, as has already started.

So, it would be good to see the strategy refresh refocusing on cyber security and resilience alone, moving on from ‘cyber power’ and allowing the separate issue of the UK’s offensive cyber strategy to be handled in other ways.

Creating a Strategic Framework to Link Together UK Government Codes of Practice, Guidance and Standards

Carla Baker

The UK Government has come a long way since the publication of the first Cyber Security Strategy in 2010. This journey has included the establishment of the National Cyber Security Centre and National Cyber Force, a strong focus on developing cyber skills and capabilities, and integrating data and cyber responsibilities within the Department of Science, Innovation & Technology (DSIT).

This evolution has seen a proliferation of cyber security guidance, certifications and frameworks. Recent years have seen the introduction of the App Security Code of Practice, the Code of Practice for Consumer IoT Security, the Code of Practice for the Cyber Security of AI, the Software Security Code of Practice and the Telecommunications Vendor Security Assessment. Beyond product-specific requirements, organisations are also encouraged to adopt certifications like Cyber Essentials, while defence suppliers face the new Defence Cyber Certification. Furthermore, industry also needs to consider the NCSC Cyber Assessment Framework, and the NCSC Principles Based Assurance framework, alongside forthcoming requirements in the Cyber Security & Resilience Bill and proposed ransomware incident reporting requirement.

While these efforts are positive, they arguably represent a patchwork of advice, rather than a cohesive strategy, and result in overlapping requirements. For example, the AI and software codes both address secure deployment, maintenance and vulnerability management.

To address this fragmentation, the government should develop an overarching framework that clearly links existing codes, certification and frameworks. This framework should provide a clear ‘user journey’, guiding vendors and users on achieving different levels of assurance, from baseline security to higher standards. It would also benefit from a dedicated section on international alignment and collaboration, helping organisations navigate EU requirements such as the EU Cyber Resilience Act and US schemes such as the Secure by Design Pledge. Furthermore, if the government develops further product-specific guidance, then it must consider developing a more modular approach. For example, the Software Security Code of Practice should function as the fundamental security baseline, with additional, specific requirements for AI or enterprise IoT built upon it. This would simplify adherence for industry, reduce redundancies, and ultimately contribute towards a more efficient and effective national security posture.

A New Cyber Threat Model for the UK

Nikita Shah

The UK has long relied upon a threat model that has become out of touch with the cyber threat landscape. This model comprises neat categories of different threat actors in cyberspace: state actors; cyber criminals; cyber hacktivists; and ‘cyber terrorists’. Yet, this approach has become outdated and siloed, placing actors into tightly defined buckets that hold up poorly against adversaries’ actual behaviour. The last 5-10 years of cyber attacks have shown that the landscape is much messier than this model allows, with significant crossovers between different types of threat actors – especially state and criminal – including their methods, motivations, and technical capabilities. These crossovers have only become even more prominent with the emergence of recent geopolitical conflicts; a surge of hacktivists affiliated with different states has further blurred these lines.

Under a new National Cyber Strategy, the UK has the potential to make a significant – though uncostly – shift, by developing a more nuanced threat model. This should address three factors:

1) Articulating crossovers between threat actors, including the different degrees of affiliation with state entities.

2) Recognising the role of enabling technologies that lower the barrier to entry for malicious cyber actors, including commercially-available capabilities, or AI.

3) Reflecting adversary doctrine amongst states such as Russia, China, and Iran, which do not separate out cyber from information operations.

Enhancing the National Crime Agency’s Role in Countering Cyber Threats

Joe Devanny

The UK’s next National Cyber Strategy should tell us how the government intends, with little prospect of significant uplift in resources, to improve its efforts to counter cybercrime.

It is notable that the National Crime Agency’s most senior official for countering threats is the former Commander of the National Cyber Force. This illustrates the priority of countering serious organised crime and the complementarity of approaches and perspectives across the UK’s intelligence and security community.

The national effort to counter cybercrime must be patient, strategic, informed by deep expertise, and enabled by close collaboration (within government, with industry, and with international partners). Given the nature of the threats and the bleak public expenditure situation, it is likely that the NCA and other relevant actors will continue to want more resources than they have been given. But it is worth thinking about how to do more with existing resources.

For example, there is one National Crime Agency, but there are 12 regional organised crime units, each with their own cyber unit. A dozen regional cyber units is obviously better than aligning cyber units with the 45 territorial police services in the UK. But it is still arguably too many.

The next National Cyber Strategy should propose to merge these units into the NCA, as part of a wider uplift in its capacity to counter cyber threats.

Putting Secure by Design Front and Centre

Jen Ellis and Daniel Cuthbert

The next iteration of the National Cyber Strategy must emphasise the critical role of the technology industry in reducing cyber risk through Secure-by-Design/Default (SbD) principles. The latest Verizon Data Breach Investigations Report (DBIR) highlights that vulnerabilities in technology products are now the leading attack vector. This reflects growing reliance on complex, rapidly shipped technologies, and underscores the need for proactive security practices by manufacturers.

The UK Government (HMG) has long recognised this, taking a modular approach to security Codes of Practice tailored to specific technologies and users. In 2018, it published its first such code for the security of Consumer IoT. This evolved into a European Telecommunications Standards Institute (ETSI) standard, was adopted by nations around the world, and underpinned the Product Security and Telecommunications Infrastructure Act 2022. HMG has since delivered codes for apps, software, and AI, with additional codes for enterprise IoT and operational technology planned.

HMG’s continued diligence and leadership on this issue is to be commended. Yet, recent efforts appear to lack the urgency and visibility once present. The EU and US both made louder strides on this topic, though the latter now appears to be deprioritised, creating a potential leadership vacuum. The UK has an opportunity to reassert global leadership. To do so, it must reinvest in its modular vision, drive momentum, and significantly enhance public engagement, accountability, and clarity of purpose.

These elements must be embedded in any revision of the UK’s National Cyber Strategy.

© RUSI, 2025.

The views expressed in this Commentary are the authors', and do not represent those of RUSI or any other institution.

WRITTEN BY

Carla Baker, Guest Contributor

Daniel Cuthbert, Guest Contributor

Dr Joe Devanny, Guest Contributor

Jen Ellis, RUSI Associate Fellow, Cyber and Tech

Conrad Prince CB, Distinguished Fellow and Senior Cyber Adviser

Nikita Shah, Guest Contributor