The UK government launched its 2022 Cyber Security Strategy on 15 December 2021, outlining its ambitious plans to improve the resilience of UK institutions and businesses while protecting the country’s interests in cyberspace. The strategy signals a more involved approach by the government, which previously relied heavily on the private sector for leadership. The government’s stated commitment to a ‘whole of society’ approach sounds really good on paper, but what exactly does it really mean?

The 2016 UK Cyber Security Strategy was largely focused on deeper involvement by the government across a broad range of activities, including building cyber offensive capabilities, skills development across key sectors, enhancing coordination and incident response (including the creation of the National Cyber Security Center), promoting innovation, and incubating the UK cyber commercial sector. The 2022 strategy seeks to sustain and build upon the progress from 2016, but taking a ‘cyber ecosystem’ approach that integrates a broader range of stakeholder groups across society in developing cyber risk responses. Think of it as an acknowledgment that cyber security issues are so broad, complex and interlinked that they need to be knitted into the very fabric of national policymaking, including education strategy, regulatory/legal reform, foreign policy, and industrial policy, among others.

The government has come to terms with the fact that it doesn’t have the resources or the depth of skills to tackle all the UK’s cyber-related problems on its own and that private-sector leadership won’t necessarily achieve the desired outcomes. The 2022 Cyber Security Strategy signals the government’s intention to carve out key roles—coordinator, convener, and enabler—in the UK’s cyber ecosystem. The 2016 National Cyber Security Strategy received heavy criticism from the Public Accounts Committee, which maintained there was a lack of evidence and no solid business case to justify the £1.9 billion funding it received—making it nearly impossible to measure success. The ‘whole of society’ approach outlined in the 2022 document illustrates a deeper understanding of cyber issues and brings together the full range of cyber activities domestically and internationally into a seemingly cohesive vision with more measurable outcomes and outputs.

In essence, the new cyber strategy is seeking to significantly augment the nation’s defensive and offensive capabilities in response to growing attacks from cybercriminals and nation-state actors. That being said, I also believe the government wants this wide-ranging strategy to help in bridging the gap with the European Union, which is a recognised global leader in the digital sphere, and particularly with regards to cyber security. Firstly, there’s a clear shift from being a defender of the status quo to actively shaping the international order of the future, with Britain seeking to become a leading influencer of global cyber norms as opposed to a follower. The second dimension is around sustaining the United Kingdom’s competitive technological edge. The third dimension seeks to “strengthen the UK’s cyber ecosystem” with a nationwide multistakeholder approach. Fourth, offensive cyber operations will be developed to detect, disrupt and deter the nation’s adversaries, more specifically through the newly announced National Cyber Force, which will be a joint venture between GCHQ and the Ministry of Defence, but also including personnel from the Secret Intelligence Service and the Defence Science and Technology Laboratory. The final piece of the puzzle is cyber diplomacy, with the United Kingdom poised to expand multilateral efforts towards building an international coalition in support of open, accessible, human-centric, and secure cyberspace that reflects the UK’s democratic values and interests (this is particularly important given the upcoming negotiations on the UN Treaty on Cyber Security). It attempts to elevate cyber from simply being a security threat to a central element of national power. There’s no doubt about this realisation, and while the new cyber strategy appears to be a well-articulated plan, it is a gargantuan effort to translate the document into world-class capabilities, coherent actions, and behaviours that secure both British interests and the stability and resilience of cyberspace as a whole.

The document seems to be a little light on what’s needed in terms of national legislation that directly and indirectly improves cybersecurity, specifically around regulatory reform for cybersecurity, cybercrime-specific legislation and related legislation. For example, the Computer Misuse Act is most definitely in need of an update to address gaps in combating existing and emerging cybercrimes. Other areas of importance are data protection, online child protection, critical infrastructure protection, and intellectual property.

The new strategy is closely aligned with the conclusions in the government’s Integrated Review of Security, Defence, Development and Foreign Policy. It seeks to establish the UK as a leading global cyber power; one that has built strong alliances with like-minded countries to foster a new global order underpinned by the rule of international law, norms for responsible online behaviour, and the stability and resilience of cyberspace.

There is clear focus on increasing diversity in the cyber workforce. The key to developing a career in cyber is less about having a technical background and more about the willingness and desire to learn how technology works and how cyber risks are effectively managed. There are a growing number of fields in cybersecurity that do not focus on solving technical problems, but instead address more human-centric problems. These demand softer skills, for example, security awareness and education, project governance, privacy & data protection, security communications, technical writing, or cyber law and ethics. The strategy acknowledges this and seeks to “harness the talent and skills of the whole population.”

The strategy didn’t substantively address privacy, and I believe there are a couple of reasons for this. Privacy and cyber security are very different—privacy is about the safeguarding of information tied to identity and cyber security focuses on safeguarding data and systems from unauthorised access. Secondly, privacy is predominantly in the domain of human rights. Many would argue that its scope is not as multi-dimensional or as globally impactful as that of cybersecurity. Finally, a number of the UK’s objectives and counter measures for combating cybercrime may be viewed by some as diametrically opposed to upholding individual privacy rights.