Conrad Prince served as the Director General for Operations and Deputy Director of GCHQ from 2008 – 2015. In those roles he led GCHQ’s intelligence operations and was responsible for the development of the UK’s national offensive cyber capability. He is also a speaker at the upcoming Cipher Brief Cybersecurity Summit.
EXPERT PERSPECTIVE — This is a critical year for UK cyber security policy. The government’s ground-breaking 2016 National Cyber Security Strategy reaches its end in 2021, and the expectations are that a new strategy will be published later this year.
This forms part of a wider reset of the UK’s foreign, security and defence strategy, to be set out in the forthcoming ‘integrated review’, delayed from last year because of the pandemic, but now due to be revealed very soon. As the Boris Johnson government seeks to move into a post-Covid, post-Brexit world, this review will be a critical part of setting the agenda for a new ‘Global Britain’.
The 2016 cyber strategy represented a fundamental shift in approach by the UK, heralding a move to a much more interventionist strategy. The previous approach made a number of assumptions around the positive effect that market forces would have on raising national cyber security standards. In essence, companies that adopted improved cyber security practices were expected to attract more business, both from consumers and other companies, and this would inevitably drive a general improvement in standards across the board. As a result, government could for the most part, limit its role to the sort of national security and law enforcement functions that can only be delivered by the state.
In fact, cyber security did not become a significant market differentiator, and this hoped-for rise in standards did not happen. This led to the much bolder 2016 approach, which saw government leaning in across multiple areas of national life with a broad set of interventions. This was underpinned by £1.9 Billion funding for transformative cyber initiatives, managed through a single central implementation programme.
The new UK approach has won praise and has been widely influential. Critically, it has been based around a single holistic national strategy which the government has stuck to consistently. It has been underpinned by significant new investment which has been managed through a robust delivery programme controlled from the centre, with a high degree of cross-government co-ordination.
Key features have included the creation of the highly-regarded National Cyber Security Centre, which resolved duplication and ended the lack of clarity about who led on cyber across a number of organisations. This has given the UK a clear single government voice on cyber. Alongside this, the strategy saw the development of innovative new techniques to tackle high-volume cyber crime threats at scale, and investment in UK cyber capacity through research and development, support for the developing UK cyber industry, and national skills development (with a particular emphasis on school children).
Five years on from the publication of the current strategy, some of the challenges policy makers face around cyber security remain depressingly familiar, but in other respects, the debate has moved on significantly. Increasingly, strategic cyber issues are morphing into much broader questions of technology strategy, industrial policy and geopolitics, not least as technology has taken a central part in the underlying tension between China and the West.
The Cipher Brief hosts private briefings with the world’s most experienced national and global security experts.
Perhaps the most fundamental question relates to the globalisation of technology supply chains and the potential for the West to lose its place as the centre of gravity for technology supply and development. Partly this is about how to address the implications of the predominance of China in the manufacturing and supply of technology components vital to our critical national infrastructure (CNI). But equally important is how the West maintains an edge in critical new technologies and develops sovereign capabilities in the most important ones.
The UK government has expressed strong ambitions in the technology arena and is keen to position the UK as a leading tech player. This is likely to figure prominently in the integrated review. In critical areas such as quantum, there are a number of serious UK players. The challenge is how to scale, and what role government should play in that process. Understanding which are the critical technologies for the future where a sovereign capability is required will be key. Then, there needs to be a focus on finding ways to support UK academic research and specialist tech companies to develop a viable industry base.
This might mean government needs to take a stronger role in funding research and development, and be prepared to take more risk. But government funding for this is always going to be limited and it is more likely that private sector investment has the critical role to play. Risk appetite is a key question. From government’s perspective, another part of the answer may be becoming a much more user-friendly customer of first resort for leading-edge tech start-ups – current government procurement processes are notoriously ill-suited to this sector.
Even then though, it is questionable as to how far the UK as a lone player can develop the kind of future-facing sovereign technology base that will be needed to challenge growing Chinese dominance. There is likely to be a focus on building new global technology partnerships, such as the so-called D10 – the G7 plus India, Korea and Australia. But this is little more than a concept at this stage and it is not yet clear how well it will translate into practice in a tough, commercially competitive world.
Alongside the focus on new technology, there is also a need to address security and diversity in the existing global supply chain. It is simply not realistic to imagine Chinese technology can be excluded en masse, nor that Chinese technology represents the sole threat – the Russian SolarWinds attack demonstrated that point pretty compellingly.
Risk management has to play a key part. In the context of 5G, the UK articulated some sound risk management principles – the need for a diverse supply chain, for resilience to be built into infrastructure design, and for the application of strong cyber security standards. These are widely transferable to other parts of the CNI.
Join The Cipher Brief March 23-25 for a three-day Virtual Cybersecurity Summit featuring leaders from the public and private sectors, including Microsoft President Brad Smith, FireEye CEO Kevin Mandia, and a host of other public and private sector experts. The Summit is being co-hosted by Cipher Brief CEO & Publisher Suzanne Kelly and former NSA Deputy Director Rick Ledgett. Attendance is free and registration is required. Sign up today.
The UK may also look to take further measures to try to ensure new technology has security built in from the start. This could include introducing more regulation to underpin secure by design principles, as well as greater efforts to ensure that international technology standards bodies prioritise security standards in their work. Success in all of this will require strong partnerships with the private sector, and with allies internationally.
Underlying much of this is of course, is politics around China. While we feel a long way from Prime Minister David Cameron’s 2015 vision for a new ‘golden era’ in China-UK relations, the relationship remains a complex one. The UK government will want to find a way to work with China where necessary, while avoiding strategic dependence on China and robustly calling out their transgressions. This is not going to be an easy road to travel.
Addressing these issues will require the UK to work ever more closely with a diverse set of partners internationally. And in this post-Brexit world, we may well see the UK aspiring to regain some ground in its international leadership on cyber issues. Back in 2011, Lord Hague, the then Foreign Secretary and a strong advocate for cyber, masterminded the London Cyber Conference – a ground-breaking international event focused on collaboration on cyber security. But since that period, the UK, while regularly cited as one of the top five cyber nations globally, has perhaps not quite delivered the global leadership on cyber its position warrants. It would be good to see a revitalised approach.
If the globalisation of technology is one of the most existential issues the new cyber strategy will have to grapple with, improving cyber resilience across the CNI remains an essential but unglamorous and stubbornly difficult nut to crack. The UK government has done a lot of work both to try to understand the extent of vulnerabilities in the CNI and work with key sectors to provide advice and help raise standards. But the dial needs to move further.
In some sectors – finance in particular – regulation has been central, and we are likely to see this extended into other sectors. Telecoms is already an area of focus. But for this to work, regulation needs to be informed enough to provide more than just generic tick-box requirements and the regulatory bodies need to equip themselves with the expertise they need to do their job. Opportunities to use corporate governance mechanisms more generally to increase the focus on cyber security are also likely to be explored.
A final challenge is around responding to hostile cyber activity, and the wider role of offensive cyber as operationalised in the UK’s new National Cyber Force. Off the back of SolarWinds and other recent attacks, it seems hard to argue that any of the West’s attempts at deterrence – whether through sanctions, indictments, or US Cyber Command’s doctrine of ‘defend forward’ and ‘persistent engagement’ – have had a material deterrent effect on the most serious hostile actors.
The UK has increased its use of measures such as public attribution of cyber attacks and is likely to want to step up a more coherent and targeted approach in response to hostile action, including working with allies. Measuring the effectiveness of this though remains a challenge. Arguably, the new factor is the National Cyber Force, a combined offensive cyber capability primarily consisting of the national SIGINT and cyber agency GCHQ and the Ministry of Defence, which was finally unveiled late last year. This builds on the UK’s experience of delivering offensive cyber operations over a number of years (though very little has been said about this in the public domain) but likely with a substantial uplift in funding and personnel.
Unlike the Cyber Command 2018 command vision, which set out a clear doctrine for much more active application of offensive cyber operations, there has not yet been a definitive public statement of the UK’s approach. But the indications are that there will be a focus on using offensive cyber at a tactical level to disrupt the ability of hostile actors to operate on-line, including cyber criminals and other non-state actors. It will be interesting to see how this approach develops and how much weight the UK places on offensive cyber, both for countering cyber threats and as a tool of state power more widely.
As the UK enters new territory in relation to its foreign, defence and security strategy, cyber has a critical role to play both in maintaining security and projecting influence as the country seeks to forge a new place in the world. The 2016 strategy set a high benchmark in terms of the UK’s holistic approach, but things have changed since then. It will be essential for the UK to present a compelling renewed vision for cyber if it is to maintain and build on the strong position it currently holds.
Join Cipher Brief Expert Conrad Prince along with experts like Microsoft President Brad Smith, FireEye CEO Kevin Mandia, former Director of GCHQ Ciaran Martin, former NSA Deputy Director Rick Ledgett, former NSA Deputy Director Chris Inglis and other cybersecurity public and private sector leaders March 23-25th during The Cipher Brief’s Cybersecurity Summit. Registration is free.
Read more expert-driven national security insights, analysis and perspective in The Cipher Brief