Revised scope of UK security strategy reflects digitised society
The omission of the word ‘security’ from the title of the UK government’s new National Cyber Strategy is a telling one, reflecting our increasingly digitised society, say Maximillian Brook and Arunoshi Singh of the ISF
The omission of the word “security” from the title of the UK’s National Cyber Strategy 2022 is a subtle but key indication of its broadened scope. As “digital” begins to touch almost every aspect of our lives, the initiatives and changes introduced by the UK’s latest strategy reflects this transformation.
The 2022 update has some notable differences compared to its predecessor. While the 2016-2021 strategy touched on some of the strategic opportunities that cyber offers, it focused primarily on the traditional aspects of security through the three objectives of defend, deter and develop. By comparison, the 2022 strategy has a three-year outlook but is much more expansive in its purview, covering five pillars: the cyber ecosystem, cyber resilience (focusing on risk), technology advantages, global leadership and countering threats.
Overall, the strategy represents a realignment of the UK’s cyber space ambitions to account for the wider geopolitical context, drawing on the UK’s vision to be a global player in a post-Brexit era – as set out in Global Britain in a competitive age: integrated review of security, defence, development and foreign policy. Synergies between the Integrated Review and the National Cyber Strategy are apparent.
The Integrated Review emphasised the importance of leveraging cyber power to achieve national goals, taking a “whole-of-society approach” and full deployment of cyber capabilities. These tenets are evident throughout the new Cyber Strategy, which has been purposely designed to realise the UK’s vision to be a “responsible, democratic cyber power” by 2030.
The new strategy looks to empower the UK to become a more prominent force in the development and control of cyber space through national activities, global governance, cross-border policy engagement, and offensive cyber. As recently demonstrated, state power is no longer defined by aggression in the traditional physical domain, but now extends into cyber space. Having both strong cyber defences, as well as an ability to use cyber in an offensive manner, is integral to modern warfare.
Shifting responsibilities
Despite the high-level international aims within the strategy, its success rests on an attitude and perception change across society, spanning government, organisation and the general population. The strategy frames cyber security not just as an issue of concern for the private sector, but also as an area of economic and social opportunity, especially as digital transformation takes hold.
Now that technological advancements pervade all aspects of life and the digital economy flourishes, cyber security is no longer the sole domain of IT and information security professionals. Instead, cyber security is the collective responsibility of all if we are to effectively protect data, deter adversaries and create a more secure cyber space.
To this end, the strategy champions early intervention by endorsing a raft of initiatives to strengthen cyber skills. It dedicates significant attention to upskilling citizens at all levels of education to prepare for the changing future of the cyber ecosystem in the UK. Reskilling is already taking place in the current workforce, but it is crucial to ingrain these skills in younger generations so they can protect themselves online.
The strategy recognises that the economic gains and societal benefits of security education, training and awareness can only be unlocked by investing in the necessary resources.
Flexibility in planning
Globally, the levels of uncertainty are high and will remain so for some time to come. As a result, the flex and foresight needed for the strategy to account for unforeseen developments, and achieve its stated aims, will be challenged.
The move away from a five-year plan is demonstrative of the speed of transformation in which cyber space is evolving, with three-year objectives for 2025 and visions set for 2030 accommodating this.
Despite unknown challenges of multiple futures, the strategy adequately covers its two core aims: to strengthen cyber critical technologies and to limit reliance on technologies from regimes with conflicting values to the UK. By aligning wider political objectives with cyber space and championing societal responsibility, the UK should be able to achieve this if the level of dedication and resources outlined in the report is adhered to.
Maximillian Brook and Arunoshi Singh are research analysts at the Information Security Forum (ISF)
Read more about the UK National Cyber Strategy
- The UK punches above its weight when it comes to wielding cyber power around the world, but challenges to this status are clear. The National Cyber Strategy has a clear role to play in maintaining and enhancing this status, writes Paddy Francis of Airbus Cybersecurity.
- The National Cyber Strategy is full of fine words, says Petra Wenham, but as the old expression goes, fine words butter no parsnips, and it misses the mark in one very important way.
- The UK’s new National Cyber Strategy is clear in its ambitions, but to fulfil them, we must double down on appropriate skills development, says ISACA director Mike Hughes.
- Announced in December 2021, the second iteration of the UK government’s National Cyber Strategy broadened its focus to build a ‘whole-of-society’ security posture.
- As the government laid out its new Cyber Security Strategy, Computer Weekly spoke to Saj Huq, Plexal cyber security lead and CCO, about his work building the UK’s future cyber ecosystem.