Rebooting the UK's Cyber Strategy

Weak cyber security undermines UK growth and national security. A new approach to UK cyber strategy is needed.

Overview

This paper highlights the urgent need to revamp the UK's cyber strategy to address systemic vulnerabilities that threaten national security and economic growth. With cyber attacks costing UK businesses billions annually and high-profile incidents such as the Jaguar Land Rover breach exposing critical weaknesses, a more interventionist approach to cyber security is needed. Drawing on extensive research and expert interviews, the paper outlines six key priorities for the upcoming National Cyber Action Plan, emphasising the importance of cyber resilience and accountability.

Key Recommendations

  • Reframe the UK's cyber strategy narrative to prioritise economic security and convey urgency in addressing cyber threats.
  • Develop a new threat-response model to balance resources between state-led cyber threats and cybercrime, including the creation of a cross-government joint assessments unit.
  • Increase government accountability and transparency by improving public sector cyber security and establishing clear implementation reviews for the strategy.
  • Make cyber security risk foundational to corporate governance by mandating board-level accountability and transparent reporting of cyber risks.
  • Enforce existing regulations effectively by resourcing regulatory bodies and introducing annual fees for regulated entities to support enforcement activities.

The paper calls for bold action to address market failures, enhance resilience and ensure the UK is prepared to tackle evolving cyber threats. It provides a roadmap for policymakers to protect critical infrastructure, secure economic growth and safeguard national security in an increasingly uncertain global landscape.

Introduction

It has been a difficult year for UK cyber security, and by extension, the UK economy. In September 2025, a cyber attack against Jaguar Land Rover (JLR) reportedly cost the company an estimated £1.9 billion, put thousands of jobs at risk and led the government to provide a £1.5-billion loan guarantee. The Bank of England subsequently assessed that the incident contributed to a slowdown in UK GDP growth.

Attacks of this importance are merely the visible side of a much larger problem. The Department for Science, Innovation and Technology (DSIT) recently published research estimating that malicious cyber incidents cost UK businesses £14.7 billion each year. Future economic growth without cyber resilience is therefore built on shaky ground.

Despite the clear risks to the UK's economic security, political and business leaders have failed to keep pace with the threat and address the root causes of the UK's vulnerability. In 2025, the National Cyber Security Centre (NCSC) reported that 'highly significant' cyber incidents increased by 50%. Cybercriminals continue to wreak havoc and hold UK businesses and essential services to ransom, while foreign adversaries such as Russia put critical national infrastructure (CNI) at risk and attempt to undermine the integrity of UK politics.

Cyber threats to UK national and economic security demand a response in line with the true scale of their impact. Thankfully, the UK is not starting from scratch. The 2016 UK National Cyber Security Strategy established many leading governmental institutions and capabilities, including the NCSC. The UK also has a strong cyber security industry, particularly for services. UK government cyber policy and guidance is also often innovative and respected by its international peers.

The government must now go a step further and do what previous governments have been unable or unwilling to do – improve the resilience of UK organisations by shaping the market in a more direct way.

To date, the approach of successive UK governments to building economy-wide cyber resilience has prioritised voluntary guidance and standards, regulating CNI, targeted government support and avoiding additional costs for business. This approach has fallen short of meaningfully reducing harm caused by cyber risk. There is a growing recognition in Whitehall that the longstanding cyber security and resilience challenge will not be solved by self-regulated market forces. It requires a more interventionist approach – that is, carrots and sticks. The high-profile incidents of the past 12 months have increased the urgency about cyber security and given it political salience.


WRITTEN BY

Jamie MacColl

Senior Research Fellow

Cyber and Tech


Joseph Jarnecki

Research Fellow

Cyber and Tech

