The UK’s Cyber Strategy Is No Longer Just About Security

The latest report signals a far more assertive approach to cyberspace.

Published on December 17, 2021

On December 15, 2021, the UK issued a new National Cyber Strategy, significantly expanding the report’s scope from previous versions. This fourth installment shifts the emphasis from “cybersecurity” to “cyber power” as an “ever more vital lever of national power and a source of strategic advantage.” The most telling insights center on what prompted this shift and what it reveals about the evolution of the UK as a cyber power—and about cyberspace more broadly. 

The central message of the previous strategy, published in 2016, was that market forces were insufficient to promote cybersecurity, necessitating a more proactive role for government. This time around, the focus is on cyberspace as a central arena of the emerging global competition between democratic and autocratic powers, with profound implications for the political, social, and economic development of the UK and the world. Infused with the language of competition and national power, the document elevates the cyber domain from a security concern for technology specialists to a wide-ranging theme of grand strategy—one that will no longer be a “whole-of-government” initiative but will expand into a “whole-of-society” effort.

The strategy—with notably more assertive language than that of previous iterations—focuses heavily on fracturing visions for governance of the internet. It rejects the spread of “digital authoritarianism” and explicitly calls out China and Russia as “systemic competitors” threatening the internet “as a shared space that supports the exchange of knowledge and goods between open societies.” The policy aims that flow from this assertion include a new emphasis on developing a domestic industrial base in areas where “reliance on non-allied sources of supply poses unacceptable security risks” and a commitment to “a more activist international leadership role to promote our interests and values in cyberspace.” The implication is that the UK is preparing for some degree of technological decoupling from China, accompanied by deepening divides in cyber diplomacy.

Another implication is a greater focus on deterrence as a strategic tool. While the 2016 document asserted that the principles of deterrence that apply to the physical world also apply to cyberspace, the new document is more circumspect in its evaluation. It notes that the UK has worked with allies to “raise the cost” of “state-sponsored hostile activity,” yet this approach “does not yet seem to have fundamentally altered the risk calculus for attackers.”

The language indicates that cyberspace is a relatively new realm of interstate competition, and doctrines for the use of policy tools, such as public attribution, are still emerging. Even closely allied Western states have adopted markedly different approaches to naming and shaming attackers, and the Chinese response to accusations of hacking is that the whole exercise lacks legitimacy and is destabilizing. Against this backdrop, the latest strategy is notably candid in pointing to ongoing experimenting and learning on the use of attribution and deterrence. But signaling intentions can be much harder to achieve in cyberspace, and there are significant risks that an action can be misunderstood or create unintended effects. Intensifying strategic competition means that ever more is at stake in cyberspace, so the effects of this learning process on stability and security should be assessed continually.

This need for assessment is most clear in offensive cyber operations, which offer “flexible, scalable, and de-escalatory measures” delivered principally by the UK’s National Cyber Force, the report notes. While flexibility and scalability are inherent qualities, “de-escalatory” is subject to some debate. Offensive cyber operations can “avoid the need to put individuals at risk of physical harm,” yet these operations might inadvertently escalate a situation. Most notably, defenders may have difficulty distinguishing whether an intrusion is designed for reconnaissance and pre-positioning (known in cyber policy circles as operational preparation of the environment) or for immediate attack. Not unlike other novel capabilities throughout history, offensive cyber operations have advanced ahead of governments’ understanding of how to harness them for measured effects. The strategy suggests that the UK and its allies are at this point of evolution, and they should engage with the international community of scholars and invest in research to evaluate the potential effects in the full spectrum of conflict scenarios.

With its latest strategy, the UK has signaled a more assertive approach to promoting its national interests and shared values in cyberspace. The report positions cyberspace at the center of a growing confrontation between democracy and authoritarianism, while indicating that technical capabilities are outstripping countries’ understanding of how to harness cyber tools effectively. That is a dangerous combination. If the next strategy is to reflect on a less volatile environment, investments in capacity building, diplomacy, research, and multidisciplinary collaboration will be just as significant as the technology itself.

Carnegie India does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie India, its staff, or its trustees.