In what has been billed as the largest security and foreign policy strategy revamp since the Cold War, the UK government has outlined new defense priorities – with at their heart, the imperative to boost the use of new technologies to safeguard the country.
Prime minister Boris Johnson unveiled the integrated review this week, which has been in the making for over a year and will be used as a guide for spending decisions in the future. Focusing on foreign policy, defense and security, the review sets goals for the UK to 2025; and underpinning many of the targets is the objective of modernizing the country's armed forces.
Up to £6.6 billion ($9.1 billion) will be dedicated to R&D funding to deliver next-generation warfare technologies, such as drones, directed energy weapons or advanced high-speed missiles. Where the government seems to be particularly ambitious, however, is in the space of cybersecurity: the review promises commitment to a new, "full-spectrum" approach to the UK's cyber capabilities, to better detect, disrupt and deter adversaries.
Technology has created new opportunities for malicious actors to operate in cyberspace, notes the review, through hacking, spreading disinformation, or carrying out organized crime online, to name a few. State and non-state agents are finding new ways to exploit digital weaknesses, increasing the risk of direct and collateral damage to the UK. "Consequently, cyber power will become increasingly important," reads the document.
The cyber threat coming from foreign states has been brought to the government's attention many times in the past. Last year, the UK chief of defense intelligence James Hockenhull warned against the rising challenge posed by Russia and China, which he argued are supercharging conventional methods of conflict while also investing heavily into cyber.
At about the same time, a report from a committee of MPs described Russia's cyberattack capabilities as an "immediate and urgent threat" to the country's national security, highlighting examples of Russian hackers intruding into the UK's critical infrastructure and orchestrating phishing attempts against government departments.
The new integrated review proposes to draw up a cyber strategy later this year, which is pitched as taking a "whole-of-cyber" approach that looks at a range of capabilities. On top of strengthening the country's cyber ecosystem and creating a safer online space, the cyber strategy will establish ways for the UK to take the lead in technologies that are vital to cyber power, such as microprocessors, quantum technologies and new forms of data transmission.
"The UK is due to publish a new National Cyber Strategy later in 2021 and some of the cyber and technology issues highlighted in the Integrated Review are a useful precursor," James Sullivan, head of cyber research at the Royal United Services Institute (RUSI) for defence and security studies, tells ZDNet. "Building cyber resilience across the whole of society is the best way to make the most of the opportunities that technology offers."
Notably, the cyber strategy will focus on actively disrupting the activities of adversaries, by imposing costs on them or denying them the ability to harm UK interests – a step up from a purely defensive approach to cybersecurity.
Central to the UK's offensive approach will be the formal establishment of the National Cyber Force (NCF), which the prime minister announced will be headquartered in the north of England in an attempt to create a "cyber corridor" across the region. This will see industry and universities in the north of the country working hand-in-hand with government experts to prevent cyberattacks.
Formed only last year, the NCF is a partnership between the Ministry of Defence (MoD) and the Government Communications Headquarters (GCHQ), which draws personnel from both organizations with experts from the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (DSTL). In other words, it brings key players together for the first time with a common task – to conduct targeted offensive cyber operations against terrorists, hostile states and criminal gangs.
The exact nature of the NCF's work is highly secretive. GCHQ has previously asserted that the organization, and the UK at large, is committed to using its cyber capabilities in a responsible way and in line with international law, meaning that the force's offensives are still tied to legal, ethical, and operational considerations.
It is likely that the NCF, therefore, focuses on cyber operations that can disrupt an adversary's ability to operate – rather than attacking them head-on. The government specified some of the operations that the force can carry out, which includes interfering with a mobile phone to stop a terrorist from communicating with their contacts, but also preventing cyberspace from being used for serious crimes or keeping military aircraft safe from targeting by weapons systems.
Attacks carried out by the NCF are likely to take a similar shape to those described by GCHQ director Jeremy Fleming in 2018, who explained at the time how the organization had been taking offensive action online to stop Daesh from spreading propaganda, and to hinder terrorists' ability to coordinate attacks.
According to some critics, however, some more work is needed to make sure that the NCF now finds a place among all of the government's well-established security institutions. "It is good to see an emphasis on cybersecurity holistically with what is an explicitly offensive cyber force, but this sounds more like a sales pitch for what is a significant investment of resources on something that could be unpopular," Andrew Dwyer, cybersecurity researcher at Durham University, tells ZDNet.
"It is unclear what the NCF's mission really is – it looks like a force that has yet to define what it needs or wants. There is a possibility that a move to the North could give the NCF some identity separate from its main contributors – the MoD and GCHQ – but it is likely to require far more detailed work to get it operationally ready," he continues.
As online attacks only increase in scale and number, the UK government is unlikely to loosen its focus on cybersecurity. The integrated review highlighted that the National Cyber Security Centre (NCSC), which was established in 2016, is already working at pace to help protect businesses and the public from cyberattacks; and that the cybersecurity sector in the UK currently boasts over 1,200 companies and 43,000 skilled jobs.