The signature achievement of the government’s Integrated Review of Security, Defence, Foreign and Development policy was a coherent plan to base future security and prosperity on scientific and technological excellence. The plan has everything need to give it strategic credibility: funding, policy, legislative and governance changes.
But one underdeveloped part of this part of the document is cyberspace. Despite a narrative emphasis on Britain as a ‘cyber power’ there were no new policies of pounds. The only new ‘announcement’ was that there would be a national cyber strategy later this year. Intriguingly, this is to be a ‘whole of cyber’ strategy, replacing the two previous national cyber security strategies of 2011 and 2016.
This seemingly arcane bureaucratic changes matters. That’s because the strategy now incorporates not just the UK’s efforts to secure its digital homeland, but also offensive cyber – hacking others – in support of our own national security.
Cyber security and offensive cyber are very different activities. One is about making our own computer networks safe. The other is about exploiting weaknesses in others to support military operations, or counter terrorism and serious crime. These are important activities, but they don’t do much to make our digital homeland safer apart from the occasional specific operation against cyber criminals (offensive cyber has proved strikingly ineffective as a deterrent against cyber activity from hostile states). In the US, a debate has raged for years concerning whether a heavy focus on ‘offence’ has actually harmed American cyber security.
So the problem to which this ‘whole of cyber’ approach is the answer is far from obvious, whereas the risks of it are. But the decision is taken. So here are six ‘security checks’ by which we will be able to assess, when it comes out, whether the framework still works for Britain’s cyber security.
The first test is posture. A newcomer to Britain reading only the Integrated Review would be forgiven for concluding that the UK government thought of the internet as a war zone, rather than a revolutionary civilian technology driving prosperity and progress. Even the prosperity benefits of being good at cyber are presented as if they’re a by-product of Eisenhower’s infamous ‘military industrial complex’ rather than the result of British commercial innovation. Our posture can be assessed in one question: is the UK government in favour of a safer internet, or does it prioritise exploiting its insecurities to project British power? A safer Internet is in Britain’s overall interests even if it sometimes make exploiting others’ vulnerabilities harder.
The test second is focus. As President Obama’s former cyber security adviser Michael Daniel put it recently, the average American business far more likely to encounter a ransomware or other criminal attack than Russian intelligence. The same is true in the UK, and it’s true for individuals citizens too. Brilliant innovations in this field, such as automated blocking of suspicious emails and takedown of malicious sites have propelled the UK to the top of the International Telecommunications Union’s Global Cybersecurity Index. But the Integrated Review had little to say on the protection of the citizen online, focusing instead on the great power competition aspects of cyberspace. That’s understandable: the review was about Britain’s place in the world. But a specifically cyber strategy needs to reverse this imbalance.
The third and fourth tests are the bureaucratic staples of money and mandate. UK cyber security has been well funded: it may not need a huge further injection of money but the sort of cuts envisaged for some public services in the current fiscal envelope would be disastrous. And organisational mandates are crucial: cyber security may be a team sport, as is often said, but it needs a team captain. One of the reasons the National Cyber Security Centre, which I had the privilege of setting up, was established was that a senior minister complained that one briefing on a significant incident involved updates from seven agencies before Ministers got to discuss the response. But the NCSC’s mandate comes from the now expired National Cyber Security Strategy and a new one is needed. When it comes out, beware the resurrection of the mushy statements of the past about ‘working in partnership’ with a long list of agencies: a key lesson worldwide is that government cyber security needs clear institutional leadership.
A fifth test is transparency. The UK has benefitted enormously from the NCSC’s innovations in sharing and publishing information about threats and how to protect organisations and individuals online. Also beneficial has been a more outward facing approach to business, the media and wider scrutiny in Parliament, going beyond the closed doors of the Intelligence and Security Committee. A ‘whole of cyber’ approach takes in more classified equities. The risk is that cyber security is dragged back ‘behind the wire’. This would be counter-productive. In fact, the pressure should be in the other direction. What has been said meaningfully by the Government about its offensive cyber posture would fit easily into less than half of one edition of Civil Service World. If the government wants to reassure people it isn’t militarising the Internet, it needs to engage in public debate about it.
The final test is governance. There has never been a lead minister for cyber security, nor a particular need for one. Does this need to change? Perhaps. British internet policy is increasingly being set in the National Security Council, not in economic or social policy settings. The Department for Digital, Culture, Media and Sport doesn’t have a place at the NSC. And although DCMS has hugely outperformed expectations since an accident of history gave it responsibility for digital in 2011 and has built a formidable civil service team, the 2021 focus of the department politically seems to have strayed to flags, statues, the representation of imperial history in museums, and other ‘culture war’ flashpoints, rather than championing Digital Britain.
The risk is that a ‘securitised’ vision of cyberspace – agreed behind closed doors in military and intelligence circles – is presented to the NSC and becomes Britain’s digital policy. Who is there to remind the council that the primary purpose of modern technology is the peaceful promotion of enterprise and openness? And that a militarised Internet only favours authoritarians? And that the safer we make our own digital homeland, the more prosperous – and secure – we are?