The British government has launched a £2.6bn National Cyber Strategy, intended to steer the state’s thinking on cyber attack, defence and technology for the next three years – and there’s some good news if you run a tech company.

Today’s strategy document runs between now and 2025. A major piece of political policy, it is big on ambition – and unlike many previous government statements, it sets out specific aims and objectives.

In-amongst the puffery are pledges to invest in technology research – including the use of AI in cybersecurity. The government already spends “millions” with Cambridge-based Darktrace, although the same could be said of governments elsewhere.

Closer to home, government policy on ransomware attacks has changed: from the old wishy-washy “we’d prefer you didn’t, but we see the temptation”, it has now become “law enforcement do not encourage, endorse, nor condone the payment of ransom demands”.

Future UK state-backed research and development efforts will focus on:

  • 5G and 6G “and other emerging forms of data transmission”
  • AI, including its uses in network monitoring
  • Blockchain (perhaps inevitably, given the amount of hype around it)
  • Silicon chip design, supply chains and manufacturing
  • Cryptographic authentication for identity and access management
  • IoT and smart city tech
  • Quantum tech, including “quantum sensing and post-quantum cryptography”

One aim of the new strategy is to produce “a new microprocessor design” for smartphones by 2025. The British government recently blocked Nvidia’s $40bn buyout of UK chip design house Arm because it may harm the competitiveness of Nvidia’s rivals by restricting access to Arm’s CPU IP. The BritChip will, so the strategy says, contain UK-designed security features – though it didn’t go into depth about what those might be.

Another objective is to “shape the development of global digital technical standards in the priority areas that matter most for upholding our democratic values,” doing so in a way that benefits the British government’s interests.

Offensive cyber and offensive policy

State-sponsored computer system exploits by Britain play an understated but significant part in the strategy. Its authors praised the formation of the National Cyber Force “offensive cyber activity” unit, a joint venture between spy agency MI6, domestic intel agency GCHQ and the Ministry of Defence. Other parts of government have been carrying out “covert counter campaigns” against online fraud campaigns.

Yet this, in the civil service’s view, doesn’t go far enough – with the strategy stating: “Despite all this, our approach to cyber deterrence does not yet seem to have fundamentally altered the risk calculus for attackers.” This could be viewed as paving the way for more state-backed attacks carried out by the UK.

This move could easily backfire if countries such as China, Russia or Iran are quicker to attribute them than the UK is to state what it’s doing and why, as happened during the HMS Defender incident off Russia-occupied Crimea, Ukraine, earlier this year.

The strategy promises to fight back against non-democratic countries’ attempts to gain control of bodies such as the International Telecommunications Union and other UN groups, a reference to how China’s investments in developing 5G have led to Chinese organisations having a heavy presence on standards-setting bodies.

Today’s announcement quietly glossed over the country’s previous £1.3bn strategy friom 2016, however. While the old plan saw the formation of the NCSC, its final progress report failed to say whether or not the plan had met its objectives – or whether the taxpayers’ money committed under it was spent wisely.

Andrew Elliott, the Department for Digital, Culture, Media and Sport’s deputy director for cyber security and innovation, told the press that DCMS wants to move public sector pools of infosec talent outside London, saying: “We’re looking to continue to build Cheltenham as a recognised international centre for for cybersecurity. And of course, there’s the National Cyber Force in Samlesbury.”

Initial reaction seems positive

Commentators seemed chuffed at the plan, though political messaging always needs taking with a pinch of salt.

Bharat Mistry, UK technical director at Trend Micro, gave the strategy a thumbs-up: “Having a coherent national cyber strategy will be essential if UK wants to be recognised as a science and tech superpower for scientific research, innovation, and leading edge in critical areas such as artificial intelligence.”

Similarly, Carla Baker, Palo Alto Networks’ senior director for government Affairs UK & Ireland, said the document “marks a significant step” in the government’s approach to cyber security.

“We support the ‘whole of country’ approach,” she said, “including the objectives of gaining a better understanding of the threat landscape and developing policy interventions that build resilience and secure the UK’s tech ecosystem.”

Professor Alan Woodward of the University of Surrey told The Register the document builds on the civil service’s view that sidestepping the market and using state funds is the way to enhance British national cyber security prowess.

“This particular strategy shows the lesson learned from the 5G issues involving Huawei over past two years: you cannot leave it solely to market forces or security (cyber and hence national) could be at risk,” said Woodward. “In short, in key strategic technologies, the market is broken, and our strategy in moving forward has to include maintaining an eye on developing local capabilities so that there is market choice.”

The professor added: “One other point that I thought was interesting is the way they have expanded the definition of the problem space into the user experience. Hence, this isn’t just about tweaking blue widgets to breach defences but includes scamming, disinformation, and the whole panorama of threats posed by content and its use.”

Let’s start attacking our enemies, says law enforcement

Rob Jones, director-general of the National Crime Agency’s National Economic Crime Centre, said in a canned statement that he was looking forward to British state-backed online forces attacking cyber criminals’ infrastructure.

“I am confident that the strategy will enable us to build on our successes in disrupting cyber crime networks and their infrastructure, both in the UK and overseas. Working closely with the NCSC, NCF [National Cyber Force] and other key partners, we will continue to prevent attacks and deliver important initiatives to reduce the societal impacts of this criminality on the UK.”

The NCF is the government’s tame offensive cyber unit, based at Samlesbury, Lancashire. Its purpose is to damage and disrupt computer networks belonging to the government’s enemies.

The government-backed UK Cyber Security Council has also been awarded a Royal Charter to coincide with the launch of the strategy today. Civil servants told the press they hope the UKCSC will “lead” the British cyber security profession. ®