What the UK’s Cyber Power strategy means for private sector cybersecurity

The UK government is putting cybersecurity at the core of an overarching national security and international policy strategy that aims to enhance the country’s competitiveness in an increasingly digital world. The goal is for the UK to become a “cyber power.”

“Cyber power is the ability to protect and promote national interests in and through cyberspace: to realise the benefits that cyberspace offers to our citizens and economy, to work with partners towards a cyberspace that reflects our values, and to use cyber capabilities to influence events in the real world,” read a recently released report, Global Britain in a Competitive Age: the Integrated Review of Security, Defence, Development and Foreign Policy.

Cybersecurity is the foundation of such a cyber power, the paper continued, and has been a key area of focus in the UK government’s defence strategy to date.

Government’s competitive, comprehensive cyber plan

“However, to cement our competitive edge, we will now adopt a comprehensive cyber strategy, taking a ‘whole-of-cyber’ approach that considers the full range of our capabilities and gives greater weight to building advantage in critical cyber technologies, as well as to international action to influence the future of cyberspace,” the government explained. “We will need to keep adapting, innovating and investing to maintain and extend the UK’s competitive edge as a responsible, democratic cyber power.”

To that end, the UK government intends to adopt a new, comprehensive cyber strategy (to be released later this year) with the formation of a ministerial small group to cohere cyber decision-making across government.

The cyber strategy will focus on five priority actions that will spearhead the government’s approach until 2030:

• Strengthen the UK’s cyber ecosystem
• Build a resilient and prosperous digital UK
• Take the lead in the technologies vital to cyber power
• Promote a free, open, peaceful, and secure cyberspace
• Detect, disrupt, and deter adversaries

Cybersecurity industry praises government’s cyber vision

The details outlined in the paper shed significant light on the government’s ambitions for bolstering defence and strengthening the UK’s cyber capabilities at a national level which, as Lisa Ventura, cybersecurity consultant and CEO/founder of the UK Cyber Security Association, tells CSO is significant for the wider cybersecurity industry. “It is very important that the UK government has a clear and sound cyber strategy for national defence so that the cyber industry has clear objectives about what the UK government is trying to achieve in terms of bringing the cybersecurity industry together,” she says.

What’s more, Ventura continues, UK organisations are likely to experience a variety of security benefits as a result of the government’s fresh approach. She points to the first of the government’s five priorities—strengthening the UK’s cyber ecosystem—as being especially important in that respect, given that it entails the implementation of a more coherent approach to cyber skills and recruitment along with investment in integrated education and training systems to grow diverse cyber talent.

“This is particularly welcome; we still have a cyber skills gap and need more people to consider cybersecurity as a career path of choice across offensive and defensive cyber,” Ventura says. “This will benefit the cybersecurity of private organisations by having a strong talent pool of cybersecurity professionals to recruit from when it comes to combatting growing cyber threats.”

Likewise, Brian Honan, CEO of cyber and data protection consulting firm BH Consulting and former special advisor on cybersecurity to Europol, champions the UK government’s commitment to promoting a free, open, peaceful, and secure cyberspace. “This is a welcome move by the UK, as it not only potentially improves the security of the UK, but also the overall internet,” he says.

“Effective information sharing and cooperation is key to tackling all online threats, in particular from highly organised criminal gangs and hostile nation states,” Honan says. “The internet is borderless and working with other countries to help improve the overall security of the internet is the most effective way of protecting everyone. Promoting better information sharing amongst business, government agencies, and other friendly nations is the best way to deal with those who threaten the UK’s interests.”

When it comes to the prioritisation of detecting, disrupting, and deterring cyber adversaries—something that the government will do with the use of the recently established National Cyber Force—Honan again highlights the potential cybersecurity benefits to be had, citing a clear need for action against those using the internet for harm. “However, we do need to establish appropriate controls and transparency, together with checks and balances, to ensure these measures are not deliberately or accidentally abused, nor are the privacy and human rights of the majority of the innocent who use the internet sacrificed in the pursuit of the guilty few,” he says.

Finally, Ventura notes that the announcement of the government’s new cyber stance comes when the nation and many of its businesses are still adapting to a post-pandemic world and, as such, its timing could prove particularly valuable.

“The focus of cyberattacks has shifted exponentially, and with the number of cyberattacks having increased rapidly since the pandemic hit, many organisations have had to quickly ‘innovate or die’ and embrace digital transformation and the online world to survive. I think that this new strategy will go a long way to uniting the cybersecurity industry in the UK and cementing the UK as a world leader in this space,” she says.

Digital bureaucracy could hinder cybersecurity innovation

Not all industry experts have spoken so optimistically of the government’s newly outlined strategy, with concerns raised over its effectiveness and suggestions it has the potential to hinder, rather than improve, the nation’s cybersecurity posture.

“The white paper is a nice sentiment with a lot of spin, but the truth is that although the UK has outlets from tech giants, we don’t really have our own global tech billionaire superstar-in-residence such as Elon Musk, Mark Zuckerberg or Meg Whitman—and that is a problem,” warns cybersecurity thought leader, advisor, and author Raef Meeuwisse.

“Digital innovation rewards entrepreneurial individuals who offer decentralized innovations that revolutionize the world by stripping away bureaucracy and/or challenge accepted norms,” he adds. In contrast, committees are groups of people who embrace and cling to norms, and so forming committees to drive forward digital innovation is a bit like asking a bunch of teetotallers to organize a beer festival, Meeuwisse argues.

“Introducing layers of digital bureaucracy by creating committees is not going to push the UK up in the digital world; it is more likely to stifle the very thing it sets out to achieve. It’s the same thing with cybersecurity in the UK—why would anyone proven and experienced want to jump through some artificial local standards when we operate in a global market?”

Meeuwisse believes that what best incentivises digital entrepreneurs in any country is to have a true tech genius running something where small initial digital innovation grants are easy to apply for. “That upscaling of loans or funding can then be based on the tangible return contribution made by the company or individual using neutral measures such as how many full-time employees they hire or how much taxable profit they bring in,” he adds.

What’s clear is that, in response to the ongoing evolution of the digital world, the UK government is committed to delivering a new, cohesive approach to becoming a cyber power. There’s no doubting its intention is to strengthen the national approach to cybersecurity for the better, and in so doing, create a safer, more protected cyber landscape to the benefit of those who live and operate in the UK.

The question, though, is whether the ministerial-led strategy put forward will prove to be effective in achieving such goals, and as Sarb Sembhi, CTO and CISO of cybersecurity awareness provider Virtually Informed and co-vice chair of the Smart Buildings Working Group of the IoT Security Foundation, concludes: “The best way to view the document is with a ‘watch this space’ approach as each of the government departments begin to figure out how they will play their role in aligning resources to policy through to strategy.”