The Integrated Review of Security, Defence, Development and Foreign Policy (the Integrated Review) makes clear that the UK’s ambition is to be a leading, democratic cyber power in an increasingly contested domain. Sustaining a competitive edge in cyber, through advancements in science and technology, and the skills needed to use them, is fundamental to achieving strategic advantage.
In an increasingly digitised world, cyber has become an indispensable means of protecting the UK’s security and prosperity. A fully integrated ‘whole-of-cyber’ approach to this domain is therefore essential.
The concepts proposed in this article will be applicable to a range of thematic areas that the government is investing in, be they counter terrorism, countering child sexual exploitation and abuse or the pivot towards new national threats. This is because no single department, agency or team can effectively leverage all the resources and knowledge required to deal with the multi-faceted and complex problem-sets which these threats present.
The Integrated Review describes the development of a comprehensive cyber strategy, the formation of the National Cyber Force and a new ‘ministerial small group’ to coordinate activities. These are all welcome and will bring much needed coherence to a misunderstood and rapidly changing scene. However, there is a real risk that existing silos will be reinforced without genuine integration across government, industry and academia at all levels of decision-making and execution.
For this to deliver real value for taxpayers, it must be a resourced and energised priority, not just a thin veneer of co-working that masks internecine fighting or friction. Fundamentally, contributions and new ideas must be considered on merit with avoidance of any ‘not invented here’ mentality from traditional players.
The priority must be to increasingly unify and align its whole-of-cyber approach, while building on existing partnerships with appropriate investment, to enable the UK to operate collectively, decisively, and sustainably.
The UK can go further in its approach to cyber strategy and policy
The UK’s effectiveness as a cyber power needs to be more than the sum of each department’s local strategies, however good they may be individually. Nor will infrequent releases of ‘grand narratives’ keep pace with real-world events.
Coordinating and developing our cyber capabilities within a continuously evolving landscape will require constant engagement, adaptiveness, and an ability to bring diverse groups together, drawing on expertise from across the cyber ecosystem. It will require a collective mindset across government, that is open to change and new ideas, identifies lessons based on experience and is willing to incorporate them into the way the systems and processes operate. Without this, there is a risk that out-dated ways of working will stifle the unique opportunity that is presented.
The formation of a ministerial group to cohere cyber decision-making across government is an encouraging start and should provide the necessary leadership and oversight. In addition to this, the UK should invest in integration by supporting the ministerial group with an implementation group, at the pan-government level. This would bring experts from government, industry and academia together to make real the ‘whole-of-cyber’ approach that will inform ministerial decision-making and put cyber at the heart of Government endorsed activity.
Cyber spans traditional capabilities, so integration is key
Cyber, as a capability and operating domain, cannot yet be viewed in the same way as Maritime, Land and Air which have established organisational homes, capability investment and leadership cadres which intimately understand the opportunities and threats associated with their employment.
It must be understood that excellence is not within the grasp of any single government department, irrespective of how it is funded or organised. To deal with this reality, inter-departmental boundaries need to be seamlessly crossed without the friction of self-interest. The strategic, operational and tactical levers of power need to be integrated across government for the good of the nation. This will require senior leaders that understand how cyber capabilities can be used and integrated to maximise strategic and operational effect, that have access to the right data at the right time, and that can decide where risk can be mitigated or accepted in order to pursue national interests at pace.
It will also require empowered leaders to be appointed, trusted and resourced, to deliver their contribution to HMG without being shackled to the bureaucracy and protracted governance of all contributing organisations. These leaders could be the exemplar of how to deliver effectively across government, based on an understanding of the end-to-end processes that deliver effect and strong relationships with all the organisations that will provide funding, requirements, personnel or capabilities.
Cyber investment must develop and sustain skills
The Integrated Review proposes significant investment in science and technology; a vast proportion of this will need to be directed towards cyber for the UK to achieve its ambitions. The public and private sector will need to work together to invest in, and develop, a sustainable cyber ecosystem with the UK as a global hub for cyber skills. Talent is consistently in short supply, so all parties will need to collaborate to develop a scalable pipeline of cyber-skilled people to support the growth required.
Investing in non-graduate development, additional investment into cyber training programmes such as NCSC Cyber First, and increased emphasis on cyber skills as part of the national curriculum will help build and sustain our cyber ecosystem. Use of innovative aptitude and attitude assessment will broaden the pool of potential recruits beyond the traditional sources, that are already being exhausted.
Investment in AI will help relieve highly-skilled talent from repetitive tasks and act as a force multiplier – it has the potential to push the human up the decision-making chain and increase output immeasurably. People with the right skills, and judgement, will always remain the most valuable commodity, and there is the potential for cyber effects to play an increasingly decisive role as part of the UK’s strategic levers of power.
Cyberspace will be critical to future frontiers, and the threats are wide-ranging and complex. However, comprehensive and continuous engagement across government, academia and industry will help unify our approach and capabilities. Built on sustainable foundations, the UK has an opportunity to capitalise on its position of strength, operate collectively, shape cyberspace to ensure it reflects our values and compete with our adversaries where required.
The cyber related proposals in the Integrated Review are welcome – and they are just the start of a challenging, and essential, journey that is likely to be the test-case for other complex areas of pan-departmental activity that will require real collaboration to realise their ambition.