The UK government unveiled its long-awaited National Cyber Strategy yesterday, outlining how it plans to improve the resilience of UK institutions and businesses while protecting the country’s interests in ‘cyberspace’. The strategy signals a more interventionist stance from a government that has previously looked to the private sector for leadership, experts told Tech Monitor. Its commitment to a ‘whole of society’ approach, meanwhile, risks overlooking the need for more diverse perspectives in the cybersecurity workforce.
UK National Cyber Strategy: a more proactive stance
The National Cyber Strategy is focused on five pillars: strengthening the UK cybersecurity ecosystem; building a resilient and prosperous digital economy; taking the lead in technologies vital to ‘cyber power’; advancing UK global leadership in cybersecurity and technology; and, finally, “detecting, disrupting and deterring” the UK’s adversaries in ‘cyberspace’.
The strategy signals an increasingly interventionist approach by the UK government, says Dr Tim Stevens, head of the Cyber Security Research Group at King’s College London. “It’s very proactive,” he says. “Whereas the last strategy [published in 2016] was saying ‘look, the market won’t deliver everything here. We need to be more interventionist,’ this [strategy] has said, ‘We’re going to do something really forward-leaning and interventionist. We’re going to put our money where our mouth is.’”
This interventionist approach can be seen in the strategy’s stance on the country’s cybersecurity industry, on the cybersecurity defences of British businesses, and in its approach to geopolitical rivals.
Under the new strategy, for example, the National Cyber Security Centre will be tasked with taking “direct action to reduce cyber harms to the UK.” The National Cyber Force, a joint initiative between GCHQ, the Ministry of Defence and MI6, will be equipped to undertake ‘offensive cyber’ operations, disrupting the online communications of adversaries.
The strategy also indicates a more proactive stance in defending the UK's principles online. "We will champion an inclusive, multi-stakeholder approach to debates about the future of cyberspace and digital technology, upholding human rights in cyberspace and countering moves towards digital authoritarianism and state control," it says.
This is a commitment to counter internet censorship and control by the likes of Russia and China, explains Stevens. "At one point it even calls out digital authoritarianism, which I do not recall from previous strategies, but that is what our diplomats have been doing. And this is very much about saying 'We have to push back against this.'"
"It has a very clear vision," Stevens says of the strategy. "Whether it can be achieved or not is an open question. But it is an interesting shift towards being very proactive."
A 'whole of society' approach
The National Cyber Security Strategy also pledges to take a 'whole of society' approach to cybersecurity, encompassing the private sector, the education system and more. "What happens in the boardroom or the classroom matters as much to our national cyber power as the actions of technical experts and government officials," it says.
This is an "acknowledgement that cybersecurity issues are so broad, complex and interlinked that they need to be knitted into the very fabric of national policymaking," says Niel Harper, a cybersecurity policy advisor to the World Economic Forum. "The government has come to terms with the fact that it doesn't have the resources or the depth of skills to tackle all the UK's cyber-related problems on its own."
"There's only so much the government can do," agrees James Sullivan, director of cyber research at defence think tank RUSI. "It's about channelling the rest of society to deliver the cybersecurity ... and the technological advancement we need."
This 'whole-of-society' approach includes increasing the diversity of the UK's cybersecurity workforce, the strategy acknowledges. Concrete measures to achieve this include moves to improve the "diversity of candidates taking Computer Science GCSE and equivalent qualifications in Scotland, and going onto further education such as T Levels in England and apprenticeships and higher education opportunities," it says.
However, experts note there is also a need to increase the diversity of perspectives and abilities within the cybersecurity workforce. "I've heard individual civil servants talk about how we need people outside STEM to be involved in cybersecurity, but that's weakly articulated in the National Cyber Strategy," says Stevens.
RUSI's Sullivan agrees. "There are psychological elements to cybercrime. There are geopolitical cyber issues. We need a body of cyber diplomats that are able to translate complex technical information into simple language. So absolutely, we should not narrow our focus to a certain set of academics based on STEM skills. This is a much wider challenge."