Conrad Prince served as the Director General for Operations and Deputy Director of GCHQ from 2008 – 2015. In those roles he led GCHQ’s intelligence operations and was responsible for the development of the UK’s national offensive cyber capability. He is also a speaker at the upcoming Cipher Brief Cybersecurity Summit.
EXPERT PERSPECTIVE — This is a critical year for UK cyber security policy. The government’s ground-breaking 2016 National Cyber Security Strategy reaches its end in 2021, and the expectations are that a new strategy will be published later this year.
This forms part of a wider reset of the UK’s foreign, security and defence strategy, to be set out in the forthcoming ‘integrated review’, delayed from last year because of the pandemic, but now due to be revealed very soon. As the Boris Johnson government seeks to move into a post-Covid, post-Brexit world, this review will be a critical part of setting the agenda for a new ‘Global Britain’.
The 2016 cyber strategy represented a fundamental shift in approach by the UK, heralding a move to a much more interventionist strategy. The previous approach made a number of assumptions around the positive effect that market forces would have on raising national cyber security standards. In essence, companies that adopted improved cyber security practices were expected to attract more business, both from consumers and other companies, and this would inevitably drive a general improvement in standards across the board. As a result, government could for the most part, limit its role to the sort of national security and law enforcement functions that can only be delivered by the state.
In fact, cyber security did not become a significant market differentiator, and this hoped-for rise in standards did not happen. This led to the much bolder 2016 approach, which saw government leaning in across multiple areas of national life with a broad set of interventions. This was underpinned by £1.9 Billion funding for transformative cyber initiatives, managed through a single central implementation programme.
The new UK approach has won praise and has been widely influential. Critically, it has been based around a single holistic national strategy which the government has stuck to consistently. It has been underpinned by significant new investment which has been managed through a robust delivery programme controlled from the centre, with a high degree of cross-government co-ordination.
Key features have included the creation of the highly-regarded National Cyber Security Centre, which resolved duplication and ended the lack of clarity about who led on cyber across a number of organisations. This has given the UK a clear single government voice on cyber. Alongside this, the strategy saw the development of innovative new techniques to tackle high-volume cyber crime threats at scale, and investment in UK cyber capacity through research and development, support for the developing UK cyber industry, and national skills development (with a particular emphasis on school children).
Five years on from the publication of the current strategy, some of the challenges policy makers face around cyber security remain depressingly familiar, but in other respects, the debate has moved on significantly. Increasingly, strategic cyber issues are morphing into much broader questions of technology strategy, industrial policy and geopolitics, not least as technology has taken a central part in the underlying tension between China and the West.
Keep reading...Show less
