Our global adversaries and competitors, including Russia, have used cyber operations to interfere in foreign elections, launch disinformation campaigns and even cripple neighbouring states—all the while maintaining deniability and avoiding actions that cross the line into acts of war.
The SolarWinds attack is the most high-profile of recent times, causing unprecedented disruption and embarrassment. Major technology companies were hacked and high levels of the US government accessed. It is unlikely that we will ever know what the hackers were able to steal. And while the west accuses Russia of this attack, the Russian government simply laughs it off.
As a leading democracy, the UK has been right to push internationally for a truly multilateral approach to cyber, from technical standards to rules of responsible behaviour. Unfortunately, this drive risked being derailed during the launch of the Integrated Review of Security, Defence, Development and Foreign Policy, when the government made a divisive hint that a cyber-attack could potentially fall within the realm of nuclear deterrence, pointedly reserving “the right to review” the old assurances about a strict restriction to “weapons of mass destruction” if the evolution of “emerging technologies that could have a comparable threat, makes it necessary.”
Such a view of cyber conflict, rooted in outdated Cold War analogies, is a mistake that the defence secretary should correct. The government needs to make clear that cyber-attacks are not infrequent but repeated, catastrophic and conducted by multiple unaligned parties. Policymakers should instead draw on strategic lessons from counterterrorism for both defensive and offensive cyber security.
The official Cyber Security Breaches Survey 2021 found that four in 10 businesses reported cyber security breaches or attacks in the last 12 months, while the National Cyber Security Centre (NCSC) defended the UK from 723 cyber incidents in 2020.
We need a ruthless focus on risk, detection, intelligence advantage, public vigilance and close co-operation with the private sector.
The 2016 Cyber Security Strategy rightly put government at the centre of the UK’s cyber response, while the NCSC has led the way in highlighting cyber risks and security responses for civil society. In contrast, even the most basic questions I’m asking about the new National Cyber Force, its governance, staffing and strategic relationship to the NCSC are met by a blank refusal to answer, for national security reasons. It is counterproductive for the MoD to crouch in its own cyber bunker, instead of leading the drive for cyber capabilities that can secure the UK homeland and deter and defeat our adversaries.
The government’s new cyber strategy is set for publication this year, and one key test will be the degree to which the MoD recognises the central role it must play in the UK’s resilience, as well as our country’s defence. It cannot stand apart from the growing consensus that cyber security requires a “whole society approach.”
Those in Whitehall could do worse than look to Wales, where the National Digital Exploitation Centre is the anchor facility for ResilientWorks on the former Ebbw Vale steelworks site. This is a £20m partnership between defence tech firm Thales, the Labour Welsh government and the University of South Wales, showing that close public-private collaboration is key in providing the cyber security vital for modern society to function.