The United Kingdom’s New Vision of Cyber Power

What is the future for cyber power? Offensive cyber in an increasingly Hobbesian cyberspace? Or multilateral influence and diplomacy built on top of domestic resilience? The United Kingdom is now awaiting its fourth generation of the National Cyber Security Strategy, due in late 2021, and its arrival will come at a time of arguably unprecedented challenge. Since the last national strategy, the U.S.-Chinese accord to limit cyber espionage against corporate entities has collapsed, the world has endured the global ransomware attacks of 2017 in WannaCry and Not-Petya, and very recently new lows in global compromise have been set by the SolarWinds and Microsoft Exchange incidents.

In this situation of ever-escalating scale and volume of cyber compromises, among the numerous other national security challenges faced by the United Kingdom, the nation’s Integrated Review of Security, Defence, Development and Foreign Policy arrived in March 2021. The review laid out new positions on a great many other areas of U.K. national security and foreign policy concern — notable among them was the increase to the nation’s nuclear stockpile, which garnered the most media attention in the United Kingdom, as well as the much-focused-on “tilt” to the Indo-Pacific region. Cyber issues, however, can only be described as intimately interwoven throughout the future vision of U.K. national security and foreign policy.

The Integrated Review places the United Kingdom on a correct forward path for cyber power, yet there remains much detail to be worked out to bring the vision to reality in the next National Cyber Security Strategy. The recommendations below are intended to frame key areas of debate ahead of the United Kingdom’s next cyber strategy, to help to generate sensible and effective policy solutions that can translate the Integrated Review’s goals into action. The most important actions will be those taken to lead international efforts that keep cyberspace open and free from the challenge of digital authoritarianism.

The Integrated Review and Cyber

The 2010 Strategic Defence and Security Review and the 2015 combined review and national security strategy were far more of a budgetary exercise than any offering of conceptual thinking about the real future direction of U.K. national security and foreign policy. Any such thinking present was of course upended by the tumultuous Brexit referendum result, which subsumed the entirety of British political bandwidth for the next half-decade. Leaving the European Union has raised the question of what Britain’s future role in world affairs will be, and the concept of Global Britain, frequently referred to by government ministers, appears to be the response.

The role of cyber security has risen to eminence and centrality so fast in strategic conversations that it is hard to remember that it is a relatively recent inclusion in such discussions. Only since 2008 has the United Kingdom developed a dedicated cyber security strategy, with the original quickly being replaced in 2011 off the back of the Strategic Defence and Security Review. The story of the 2011 and 2016 National Cyber Security Strategies was largely one of moving from establishing a government-encouraged but ultimately market-led approach to developing cyber resilience in 2011 to enabling more direct government intervention for resilience in 2016. The latter strategy also included the notable establishment of the National Cyber Security Centre, an offshoot of the signals intelligence agency Government Communications Headquarters, better known as GCHQ, to represent the “national technical authority” leading cyber resilience efforts.

Resilience remains crucial to the U.K. vision of achieving cyber security, but the Integrated Review signals a growth in ambition for the United Kingdom’s cyber aspirations. The document very much leans on the Harvard Kennedy School Belfer Center’s 2020 National Cyber Power Index, which has Britain as the world’s third-ranked cyber power, behind only the United States and China. This growth of ambition comes from a recognition not only that cyberspace “will be an increasingly contested domain” that means “cyber power will become increasingly important” to safeguarding U.K. interests, but also that previous strategies have developed U.K. cyber power to the point that it can do more than pursue only resilience.

The key phrase underpinning the British view is to be a “responsible and democratic cyber power.” The Integrated Review offers five primary policy directions to pursue this: influence, technological edge, a whole-of-nation cyber ecosystem, offensive cyber, and diplomacy.

First, there is a recognition that remaining a defender of the status quo is no longer sufficient to protect British interests, and that measures to “shape the international order of the future” are needed. In this vein, Britain will cement its status by being a central normative influencer in cyberspace, seeking to promote a “free, open, peaceful and secure cyberspace.” Second is the desire to maintain the United Kingdom’s competitive technological edge. This is essential to the third direction, to “strengthen the UK’s cyber ecosystem” with a whole-of-nation approach. Such simple logic belies the enormity of the policy challenge faced by the government: By no means will either desire be easily achieved, especially without significant industry participation.

Fourth, offensive cyber operations will be developed to “detect, disrupt and deter our adversaries.” The place of offensive cyber operations is the newest openly declared element in British thinking, building on the November 2020 announcement that a National Cyber Force will be created as a joint venture between GCHQ and the Ministry of Defence, but also including personnel from the Secret Intelligence Service and the Defence Science and Technology Laboratory.

Finally, there is cyber diplomacy, with the United Kingdom continuing cross-governmental dialogue to “grow the international coalition” and engage further in multilateral efforts that support a free, open, peaceful, and secure cyberspace to “evolve in a way that reflects democratic values and interests.” And herein lies, if not a contradiction, then certainly a tension to be reconciled within the Integrated Review, for it insists on the need to shape the future international order while also calling for the extension of the open international order into cyberspace, “ensuring effective accountability and oversight but opposing the overreach of state control.”

A New Take on Cyber Power

The Integrated Review is banking heavily on the role of technology and the centrality of cyber to the future vision of U.K. national security, with the concept of cyber power a driving force. But what is that concept of cyber power? The document puts forward a traditional view, that cyber power “is the ability to protect and promote national interests in and through cyberspace.” Before going further, it is instructive to consider the concept of power itself briefly.

Joseph S. Nye describes three facets of power. The first is “getting others to do what they would not otherwise do.” The second is setting the agenda to frame issues in one’s favor. And the third is shaping the preferences of others, which is “exercising power by determining others’ wants.” Nye further notes elsewhere that while power derived from information resources is nothing new, “cyberpower is.” Adapting and framing the elements that constitute cyber power to one’s interests and levers of power and influence is key to graduating mere capability into a cemented element of national power, as the Integrated Review seeks to do.

What the Integrated Review does well is to recognize that cyber has graduated from being a top-tier national security concern to an essential element of national power in its own right. Yet, the review fails to develop a mature explanation — and certainly no doctrine — for cyber power beyond its traditionalist definition: the ability to defend and advance national interests in cyberspace.

To define such a doctrine, and make the definition of cyber power operational, the next National Cyber Security Strategy should provide substance on the following areas.

  1. Defining a Holistic Concept of Cyber Power for the United Kingdom

So far, arguably no nation or non-state actor has developed a completely rounded concept and capability of cyber power. Many have very niche capabilities, centered on surveillance, offensive cyber, legal frameworks, and suchlike, but even when using Belfer’s National Cyber Power Index one struggles to identify a completely holistic cyber power. Clearly, the ambition is there for the United Kingdom, but achieving that ambition is something else entirely. Given the stakes placed on the centrality of cyber to future U.K. national security, it is crucial that a concept is developed that goes beyond what offensive cyber looks like.

The temptation to fixate on offensive cyber will be big, and the British government needs to resist. A sensible conception of cyber power will prioritize influence over force, and alliances over unilateralism, especially in determining what actions not to take in pursuit of its interests.

  2. Identifying What Lines Not to Cross in Reshaping the Future International Order

The status quo is no longer adequate in an increasingly competitive, multipolar geopolitics, yet the Integrated Review is not clear in articulating how much change to the international order is actually necessary. Finding the true extent of British policy desires will go far in shaping how much cyber power the United Kingdom needs to develop, and how much cyber power itself is used to shape the international system.

Reshaping the future international order requires breaking new ground. In cyberspace the United Kingdom will face this dilemma in three areas: attribution, deterrence, and offensive cyber. The decision-making structures around activities in these areas will need careful consideration. Risk appetite and anticipation of the consequences for allies and adversaries should be a central concern. The next strategy needs to articulate exactly who will carry accountability for decisions across those key areas.

Tangibly, however, the United Kingdom can also outline what actions it will not take in using its cyber power. It will be an important signal to align offensive cyber operations with existing international humanitarian law as well as the laws of armed conflict. The Tallinn Manual process has provided strong guidance on how to begin such alignment, but a clear example would be ensuring that any critical national infrastructure targeting specifically excludes healthcare targets, to help avoid situations like the United Kingdom’s own National Health Service falling victim to the 2017 WannaCry attack. Demonstrating policy restraint is as important as developing effective offensive capability, lest British actions trigger cyber escalation.

  3. International Action to Safeguard Internet Governance

The traditional view of cyber power fixates on influence within and through cyberspace. But given that the future governance of cyberspace as an environment is now subject to geopolitical contest through increased Chinese challenges to internet governance — known as cyber sovereignty — British actions should be geared more to safeguarding the future of free and open cyberspace than to the pursuit of narrow points of self-interest. How far British actions diverge between the pursuit of narrow self-interest and the exercise of cyber power to safeguard cyberspace for all will go far in determining how responsible and democratic the United Kingdom indeed becomes as a cyber power.

The surest route is for the next strategy to focus on international action to keep cyberspace free from digital authoritarianism and center cyber sovereignty as a core goal, arguably one that is even more important than fostering domestic cyber resilience. This means engaging internet governance mechanisms — such as the Internet Engineering Task Force, the Internet Governance Forum, and the International Telecommunication Union — through which free and open cyberspaces are managed in practice. For all the faults and complexities in those governance structures, a British diplomatic surge to represent democratic values remains the best way for the United Kingdom to influence international norms and agreements. The biggest leap forward that the United Kingdom can take in its cyber power remains influencing and shaping the international agenda through governance participation and debate.

  4. Broadening the Public-Private Relationship

While the development of the cyber ecosystem is clear in logic, the Integrated Review is weaker when it comes to acknowledging the place and role of industry. U.K. policy has already well recognized the reality that cyberspace is about far more than government actions, yet there is little real direction given on how the government can develop a public-private partnership that enhances U.K. cyber power. This is a missing dimension in need of redress.

Currently, the public-private relationship is designed mostly to augment the U.K. government’s ability to respond to cyber incidents. But there is the potential for growing public-private partnerships in the search for a whole-of-nation approach to the cyber ecosystem. The next strategy should be bold enough to dedicate a chapter to ways in which public-private relationships in the United Kingdom can be enhanced beyond the already successful augmentations of government capability. Industry, not government, will be the key to retaining the nation’s technological competitiveness, which cyber power is built on and draws from.

  5. Developing Cyber Soft Power

The National Cyber Force will be the arm of offensive, “hard” cyber power, but the elements of “soft” cyber power are very unclear. With the emphasis on being a responsible, democratic cyber power, the United Kingdom evidently wishes to influence far more than it wishes to force its will. Doing so will require the conscious development of cyber soft power. Any situation where the routine application of hard cyber power becomes normalized not only risks undermining the credibility of the United Kingdom’s “responsible and democratic” declaration, but will also undermine the prospects of enhancing the free and open cyberspace, pushing it instead toward an increasingly securitized, Hobbesian world where might is right.

Building on increased international action, the United Kingdom should include a development chapter for international capacity-building efforts in the next strategy, as well as a devoted fund under existing development budgets. While diplomatic efforts and increased governance efforts are natural soft-power components, the United Kingdom can easily export its cyber expertise to help nations to develop their own cyber resilience. With the desire in the United Kingdom to better align development activities to foreign policy objectives following the absorption of the Department for International Development into the Foreign and Commonwealth Office, it is a natural extension to consider cyber capacity-building efforts in this vein, which is also recognized by allied nations.

Taking A Bold Step Further

The Integrated Review is potentially a bold step for U.K. national security, one where cyber has graduated from being seen merely as a security threat to a central component of national power. Despite this accurate recognition and the broadly correct direction of travel laid out, there is much work to be done to bridge the aspirations of the document itself into capabilities, coherent actions, and behaviors that move from recognizing cyber as a new element of national power to actually developing it in ways that secure both British interests and the integrity of cyberspace as a whole. Britain’s desire to cement itself as a responsible, democratic cyber power needs careful conceptual construction if it is to become more than a mere Whitehall soundbite.

Dr. Danny Steed is a research fellow at The Henry Jackson Society, a London-based think tank. Previously a lecturer at the University of Exeter, Danny has spent more than five years in both industry and the British government in operational cyber security. He is the author of two books — the latest, The Politics and Technology of Cyberspace, was released by Routledge in 2019.

Image: Christiaan Colen