21 November 2022
This article will summarise and explain the UK’s National Cyber Strategy 2022 to give readers an understanding of the cyber domain’s policy landscape. Cyber power represents a vital lever of national power and source of strategic advantage for increasing the UK’s prosperity and maintaining security. Currently, the UK is a global leader in cybersecurity, with 1400 businesses generating £8.9 billion in revenue in 2021 and supporting 46,700 skilled jobs. The UK also exports significant cybersecurity services, totalling £4.2 billion in 2020, and an element of this strategy focuses on creating and growing new international markets for this sector.
The UK is well-positioned to exploit this domain for economic growth and security if significant investment is sustained to maintain its competitive advantage. A ‘whole of society’ approach is now needed, with collaboration between government actors and the private, education and technology sectors to increase the industrial capacity and skills base needed to reduce the UK’s aggregate vulnerabilities. To improve the UK’s cyber defences, it must seek to develop a larger skilled workforce, greater resilience, and technical leadership. This article will conclude with some observations of the challenges for the UK government, businesses, and individual actors given the structural constraints on the supply of cybersecurity professionals and the lack of clear articulation for how expanding this supply will be funded, implemented, and resolved at the scale required.
Cybersecurity has been identified as an essential component of UK Grand Strategy, impacting domestic economic prosperity, national security, informational and technological capabilities, and diplomatic influence in an increasingly multi-polar world. The Integrated Review 2021 specified cyber power as being essential in achieving the UK’s objective of “sustaining strategic advantage through science and technology”, and underpinning other objectives of economic prosperity, security, and resilience. The National Cyber Strategy 2022 refined the UK’s cyber objective to be the “leading responsible and democratic cyber power, able to protect and promote our interests in and through cyberspace in support of national goals” (HM Government, 2021, pg.32). The need to grow the UK skills base is essential for economic prosperity to protect businesses from cybercrime, as well as wider national security threats to government, infrastructure, and public services.
The National Cyber Strategy 2022 also elevated the National Cyber Security Strategy 2016’s description of cyber from an increasing security concern for technology specialists to a core component of the UK’s economic strategy. The National Cyber Strategy 2022 stated that a “whole of society” approach is now required, with collaboration between government actors and commercial, education and technology sectors to develop a larger skilled workforce, new training methods and qualifications, greater resilience, and technical leadership. This updated strategy set out five pillars to support these ambitions:
1. Strengthening the UK’s cyber ecosystem.
2. Build cyber resilience for a prosperous digital UK.
3. Countering threats by detecting, disrupting, and deterring adversaries to enhance UK security.
4. Gain technological advantage in vital capabilities for cyber power.
5. Advance UK global leadership and influence for a secure and prosperous international order.
This pillar seeks to ensure that the UK has the right people, knowledge, and partnerships. This includes a diverse and technically skilled workforce, a vibrant research community, an internationally competitive cyber sector, and a thriving regional innovation ecosystem enabling the UK to take the lead in critical technologies, all built on stronger partnerships between government, industry, and academia.
The growth of the cyber ecosystem needs to be self-sustaining, not dependent on government interventions. The intention is to transition from the government funding a range of largely bespoke and centrally managed skills and innovation programmes, to a more sustainable, systemic and regional approach as part of wider skills, education and levelling up reforms.
Cyber security and resilience are foundational to wider UK strategic aims as a cyber power; without them the UK cannot hope to take full advantage of the transformational potential of digital technologies to support economic growth and maintain the UK’s strategic advantage in and through cyberspace. The intent is to continue building strong cyber defences, take action to secure the UK’s digital networks, information and assets at national, local and individual levels, and ensure they are resilient when incidents occur, such as through the Cyber Essentials Scheme.
While the focus of this chapter is on cyber resilience, it acknowledges that to be fully effective this will need to form part of a holistic, whole-of-society endeavour to improve UK resilience. The forthcoming National Resilience Strategy, a key commitment of the Integrated Review, will set out the overarching approach to national resilience.
Certain technologies will be critical in shaping the future of cyberspace, such as 5G and 6G, blockchain, semiconductors, and AI. As technology becomes an increasingly important tool of geopolitical power, competition in this arena will intensify. Countries that can establish a leading role in these technologies will be better positioned to influence the way that they are designed and deployed, more able to protect their security and economic advantage, and quicker to exploit opportunities for breakthroughs in cyber capabilities.
For the UK, pursuing strategic advantage through science and technology, and the data access it depends on, will be a precondition for achieving wider goals as a cyber power. The government has taken steps in previous strategies to stimulate research and innovation in cyber security technologies, such as through accelerator programmes for start-ups and the Academic Centres of Excellence in Cybersecurity Research, and to encourage the development of consumer devices that are ‘secure by design’. However, a more ambitious and proactive approach is required to maintain a stake in critical technologies and avoid becoming overly dependent on competitors and adversaries. Many other states invest at a scale the UK currently fails to match in Cyber, as well as other linked areas such as AI, Quantum Technologies, and Data.
A free, open, peaceful, and secure cyberspace remains critical to the UK’s collective security and prosperity, and international engagement will continue to be vital for delivering all UK cyber strategy objectives. However, to respond to an era of systemic competition, the UK now intends to take a more activist international leadership role to promote its interests and values in cyberspace. UK activity in cyberspace and its cyber expertise will also be placed at the heart of delivering the government’s broader foreign policy agenda.
The UK will seek to reinforce its core alliances, whilst working with a wider range of partners, including industry, global technical standards bodies, civil society, and academia as a problem-solving, burden-sharing nation. The UK will invest in deeper relationships with partners in Africa and the Indo-Pacific and seize opportunities for new, more agile alliances. This will form part of wider efforts from the Integrated Review to enhance the UK’s diplomatic toolkit, connecting its overseas influence to its domestic strengths, leveraging its operational and strategic communications expertise, skills programmes and economic partnerships as a global force for good. This chapter stresses that while this benefits the UK’s influence and cybersecurity sector specifically, greater economic security from cyber protection will benefit all actors globally.
The nature of the threats faced by the UK is complex, ranging from cybercriminals and fraudsters to state-backed proxies and sophisticated attacks on public infrastructure. This chapter covers threats in cyberspace (such as online activities), threats to the UK and partners through cyberspace (for example to networked UK critical national infrastructure), and threats to the functioning of underpinning international cyber infrastructure. All of these threats can impact the availability of services that people rely on, or the confidentiality or integrity of data and information that passes through those systems. The foundations of the UK’s approach to countering the threat are in promoting cyber resilience as outlined earlier in the strategy, which raises the aggregate level of cyber protection and preserves resources for deterring and responding to significant attacks. This chapter focuses on how the UK will raise the costs and risks of attacking the UK in cyberspace and how the UK will seek to achieve its full potential as a cyber power.
The National Cyber Strategy 2022 is an all-encompassing document, which sets out the UK’s intent and desired ends and ways of achieving these goals. What is lacking is real detail on the funding and implementation plans and timelines for these pillars. The strategy should be commended for recognising the exponential growth in cyber threats and the need to increase the UK’s aggregate cybersecurity; however, its methods and current initiatives to increase the supply of cybersecurity experts are not encouraging. This is the centrepiece of the strategy, to grow a robust and world-leading cybersecurity sector to protect UK economic prosperity and support other states and actors globally to improve the UK’s influence and support growth. However, structural challenges in expanding short- and medium-term supply will hinder efforts to grow cybersecurity exports if there is insufficient supply to protect the UK’s own business and provide economic security.
The UK’s cybersecurity sector workforce has grown by around 50% over the last four years, yet demand still often outstrips supply with around 50% of the UK’s 1.32 million businesses reporting skills gaps in basic technical cybersecurity. There are currently around 57,000 people gaining skills through CyberFirst and Cyber Discovery programs, and 750 undergraduates are currently studying with a CyberFirst bursary, but this will not be a sufficient growth in supply. Further investment in developing a skilled workforce is needed to enable continued cybersecurity sector growth and wider UK economic security. This investment should expand existing educational schemes, while also developing early talent through increased 16-18 Technical Level qualification provision and cybersecurity apprenticeships. This expansion of technical qualifications and the new chartered cybersecurity profession will be vital in ensuring the UK’s long-term supply of appropriately skilled workers to support industry growth. Concurrent investment in the new National Cyber Advisory Board to support private and public sector cooperation will be vital in shaping the UK’s approach to ensure sufficient skilled labour supply is maintained.
Future articles in this series will summarise the UK’s cybersecurity standards and training, and articulate the structural challenges in training and qualifying sufficient skilled professionals to support businesses and central government in counteracting increasing cybersecurity challenges.