The UK has never faced greater challenges in cyber security than it does right now, and the next National Cyber Security Strategy may well be the most important the nation will ever develop. Despite the unquestionable progress of previous National Cyber Security Strategies, the problem has constantly escalated. Global losses to cyber crime continue to rise year on year, ever larger data breaches are reported with worrying regularity. And major incidents hit new heights of harms all-too-routinely, the global ransomware attacks of 2017 in WannaCry and NotPetya are testament to this, as is the SolarWinds hack in December 2020, attributed to Russian intelligence agency the SRV.
The nation’s efforts at resilience are a necessary, but not sufficient, requirement to achieving cyber security. No amount of resilience can mitigate for the range of bad actors enabled and emboldened to cause harm online. Added to routine criminality online is the march of digital authoritarianism, which directly challenges the notion of a free and open internet itself and seeks to create closed societies subject to endless digital surveillance. It is into this problem set that the Integrated Review has arrived, with a grand ambition to consolidate and grow the UK’s position as a leading global cyber power.
National cyber security and defence are however, two related but ultimately separate instances. Addressing the former must now mean going beyond national domestic resilience for the UK. The next national strategy must shape ‘the open international order of the future’ as stated in the Integrated Review by taking a leading approach to cyber diplomacy and capacity building efforts overseas. For all the debates about the value derived from the UK’s development agenda abroad, there is much to be gained by growing development activities into helping nations vulnerable to digital authoritarianism build their own cyber security capabilities.
The single biggest impact that the UK can have on global cyber security lies not in ensuring its own resilience, but in taking the lead in international cyber diplomacy to challenge digital authoritarianism, and in building agreements to curb malevolent behaviour throughout cyberspace. Achieving this means building alliances and putting flesh on the bones of the Global Britain vision by engaging allied nations to help build not only shared policies on cyber resilience, but so too for the political challenges in challenging nations hostile to the vision of a free and open internet.
Should the next National Cyber Security Strategy not recognise this opportunity facing the UK on the global stage, it will have failed to take UK cyber security efforts from its focus on resilience to matching the ambition of the Integrated Review. Simply put, the future of UK national cyber security lies in its international efforts from this point onwards.
Regarding UK defence and cyber security, it should be recognised that the Integrated Review’s vision of the nation becoming a ‘responsible, democratic cyber power’ hinges on exactly how the National Cyber Force will be used. So far in public debate on cyber the one thing that is not discussed is offensive cyber operations, this can no longer remain the case. The NCF is slated to become a sizeable part of UK defence with strong intelligence contingents from GCHQ and SIS, but what exactly will it be used for?
The obvious answer lies in ensuring the cyber security of the UK Armed Forces and their operations overseas. This would be entirely sensible, and one expects the primary focus of the NCF. Yet, the use of offensive cyber operations for more than just safeguarding military operations poses serious questions about what they might be used for, and with what consequences. Routine use of the NCF to “hack back” against criminal enterprises and even state actors risks escalation and militarising the internet in ways that the NCSC’s first director recently warned against.
Ultimately, the future of UK cyber security and defence lies in international action to safeguard cyberspace for all, and wielding our own cyber power in the NCF in ways that are genuinely responsible and democratic. With ambitions to shape the international order of the future, cyberspace will be a key battleground; our next National Cyber Security Strategy must position the UK to move beyond resilience and take on this global role.