The risk of Russian cyber retaliation in response to Western sanctions over Ukraine is just one pressing reason why the UK’s new national cyber strategy is so important.
Russia, Ukraine and cyber
It is too early to draw any definitive conclusions about cyber in relation to Russia’s invasion of Ukraine. Events are yet to play out fully and much remains in the realm of speculation. There are a few points that stand out though. It seems clear that while Russia conducted some offensive cyber operations against Ukraine in the run-up to the invasion, there was no dramatic disruption of Ukrainian critical infrastructure through sophisticated cyber attacks, as some may have expected.
On the face of it, this might seem odd, given Russia’s track record of launching serious offensive cyber operations against Ukraine, including the totemic disruption of Ukrainian power supplies in 2015. But the operations we have seen – an apparently successful disruption of some Ukrainian communications capability, some destructive attacks targeting Ukrainian government systems, some cyber-enabled disinformation operations – are fairly typical of what offensive cyber looks like in practice in this sort of context.
In any event, things in Ukraine have not gone Russia’s way and Western nations have aligned to impose costs on Russia in response to the invasion in a way that Putin may not have envisaged. The UK is generally seen to have been in the forefront of this response.
There is clearly a risk, as leaders including President Biden have emphasised, that Russia will seek to retaliate against the West and may use cyber as one means to do so. We can only speculate as to what this may look like. The possibility of some, probably not widespread, disruption of aspects of critical infrastructure cannot be ruled out.
There is nothing in this to indicate anything new in relation to possible terrorist use of cyber for destructive effect, the likelihood of which appears to remain low. But there is a credible possibility that Russian cyber crime groups, whose links to the state remain blurred, may be inspired by the Western response to the Ukraine situation to launch damaging ransomware and other attacks against UK interests, which could have a real impact on critical services. Any such criminal operations could be encouraged or enabled by the Russian state, or even potentially conducted by groups entirely on their own initiative.
A new cyber strategy for the UK
Against this background, having the best national approach to cyber security is more important than ever. And this is a pivotal time for the UK’s approach. The Government launched its new National Cyber Strategy towards the end of last year, at a time when hopes remained of defusing the Ukraine situation peacefully. But the risk we face now of Russian cyber retaliation reinforces the centrality of cyber resilience to the national security of the UK, and the need for the UK to have a credible strategy for responding to global cyber threats. This is what the new strategy seeks to set out.
The UK’s 2016 national cyber security strategy, combined with its £1.9 billion of new funding and a comprehensive implementation plan, was ground-breaking. That strategy changed the UK’s direction of travel on cyber security, with a much more interventionist and activist approach from government, symbolised by the high-profile creation of the National Cyber Security Centre (NCSC). The 2016 strategy came to a close in 2021 and Government has been working for several years on pulling together the revised approach.
The new strategy’s launch, in mid-December 2021, was extremely low key and received very little coverage. In part this may have been because it lacked a big ‘announceable’ on the scale of 2016’s NCSC. In many ways it is a continuity strategy, with no radical shift in approach. Nonetheless, it will set the direction for UK cyber security over the coming years and given the unstable environment and the risks we face, this makes it a rather significant document.
The UK ambition for cyber
The Government’s ambition around cyber remains strong. It now characterises this around the concept of the UK as a ‘cyber power’. A term with no common definition and plenty of detractors, it is broadly defined here as being ‘the ability to protect and promote national interests in and through cyberspace’. The strategy’s vision is that by 2030 the UK ‘will continue to be a leading responsible and democratic cyber power’, including by being more secure and resilient, more innovative, more influential internationally and by becoming ‘a Science and Tech Superpower’.
The new strategy succeeds in putting cyber in a much broader and more strategic context, in particular against the backdrop of the globalisation of technology, the challenges in securing technology supply chains increasingly dominated by China and the risk that the future shape of the internet becomes one that matches the Chinese vision of a balkanised internet used by the nation state for control of the population, suppression of free speech and mass surveillance.
It is probably fair to say that the strategy is better at highlighting these challenges than providing convincing substantive proposals to address them. But these are difficult strategic problems and it is good to see the UK grappling with them and seeking to occupy a leading role in addressing them.
Resilience is key
At a more practical level, the strategy seeks to fix key issues around the UK’s cyber resilience, and our ability to disrupt and deter those who seek to use cyber to do us harm. It is refreshingly honest in admitting that ‘serious gaps remain’ in UK cyber resilience, across the critical national infrastructure (CNI). The strategy heralds a new effort to understand those gaps better and presents some fairly substantive proposals for how to address them in the public sector. These are further developed in a separate Government Cyber Security Strategy, published in January.
This focus on the public sector, and turning it into a cyber exemplar, mirrors the approach of President Biden, who has announced a significant raft of initiatives to improve cyber security in the federal government. To some extent this may reflect the fact that, with the vast majority of the CNI sitting in the private sector, the levers that governments like the US and UK have to improve CNI resilience beyond the public sector are actually quite limited.
As regards that, the new UK strategy hints at a growing focus on regulation, stating that ‘we require…regulated operators of CNI to raise their standards and manage their risk more proactively. We expect large businesses…to be more accountable for protecting their systems, services and customers’.
Work continues in government on cyber regulation and incentives, and it remains to be seen how this will play out. Good regulation can have a powerful effect in raising standards, but poor regulation can create perverse incentives and push investment in the wrong direction. And it is much easier for large corporates to absorb the burden than it is for start-ups and small and medium enterprises.
A second fundamental area of cyber security is how we deal with the challenge of cyber crime and deter hostile states from using cyber against us (according to the Government, the UK is the third most targeted nation for hostile cyber activity, after the US and Ukraine). Yet this is an area where the new strategy is quite sketchy.
A certain amount is made of the new National Cyber Force (NCF), and the ability to use offensive cyber operations to disrupt hostile actors. But this is just one aspect of the NCF’s mission, and offensive cyber is unlikely to be a strategic game changer. There is some discussion of the role of law enforcement, but nothing that feels transformational. The UK Government has likewise had relatively little to say on the global ransomware epidemic and how to address it. Overall this feels like an area where some new thinking and new approaches are required.
There is plenty of other material in the strategy, including on the importance of secure by design to build cyber security into new technology, the need to be clear about what cutting edge technology the UK needs to have access to and how to encourage the development of sovereign capability. And there is a positive new emphasis on the UK’s role internationally. In addressing these topics the strategy ranges between broadly aspirational statements and some quite specific new initiatives.
A whole of society solution
Underpinning all this is another new approach set out in the strategy – that of the need for a ‘whole of society’ response to the UK’s cyber challenges. This is a very welcome development. It represents a recognition by government that it cannot address the challenges we face on its own, but that it needs a new partnership with the private sector, academia and wider civil society, in whose hands the answers to many of these issues lie.
In the past many outside government have felt that cyber strategy was something done to them, not with them. The new strategy seems to acknowledge this. Among other things, it talks about creating a new National Cyber Advisory Board to enable a new strategic dialogue on cyber. There needs to be a lot more to this than an occasional stage-managed meeting. But it is a good sign that Government is acknowledging that dealing with the cyber issues we face today needs a new level of collaboration across public and private sectors.