
The U.K.’s Cybersecurity Refresh

Joe Devanny
Monday, December 22, 2025, 10:00 AM
The country’s anticipated cyber strategy will need to sharpen its focus while better implementing its provisions.
Aerial photo of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire. (Defence Images, https://tinyurl.com/58762r5y. CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/deed.en)

Published by The Lawfare Institute in Cooperation With Brookings

Later this year, the U.K. is expected to announce its new cybersecurity strategy. Every iteration of U.K. cyber strategy since the first in 2009 has recognized that state and non-state actors pose significant cyber threats to individuals, the private sector, and different layers of government. The increasing number and severity of cybersecurity incidents—with the disruption to Jaguar Land Rover’s operations being one of the most recent examples—suggest that even more needs to be done to address them. As the U.K.’s previous cyber strategy acknowledged in 2022, the U.K.’s “approach to cyber deterrence does not yet seem to have fundamentally altered the risk calculus for attackers.” 

Ahead of its next strategy, U.K. policymakers should ask themselves: Is deterrence the right paradigm for the U.K. to aim for across the full spectrum of cyber threats? Greater emphasis on resilience and cybersecurity—particularly of critical infrastructure—is an important part of such a recalibration, but so too are other, more adversary-centric efforts. The final version of the U.K.’s refreshed strategy does not need to give equal weight to every aspect of cyber threats, but a holistic approach to conceiving and implementing that strategy should undergird these efforts.

It is worthwhile to reflect on the performance of previous efforts to improve domestic cybersecurity, counter foreign cyber threats, and seize opportunities to pursue the national interest in cyberspace. As a recent national audit indicated, the largest challenge facing the U.K. government is not necessarily the development of a new strategy, but the allocation of adequate resources to implement the existing strategy—with significant gaps in skills and planning to remediate outdated public-sector information technology (IT) systems.

The U.K.’s Evolving Cybersecurity Strategy

2009: A Different Era

The first U.K. cybersecurity strategy was published in 2009, toward the end of the New Labour period of government. It followed the U.K.’s first National Security Strategy (2008), a self-conscious borrowing from the United States by an Atlanticist prime minister, Gordon Brown. The 2009 cybersecurity strategy was guarded and top level, sketching out how the government saw the challenge of improving cybersecurity and the ways in which domestic and international issues were intertwined.

The 2009 strategy was circumspect about how it discussed the role of operations in national strategy—logical, given that this era preceded the public revelations about Stuxnet and those associated with Edward Snowden. This was a period in which the “Ronan Keating doctrine” arguably dictated the government’s public communications about cyber issues: “Saying it best when saying nothing at all.”

Cybersecurity was not a mainstream focus within the U.K. government. Notably, the government’s separate 2009 report on the potential economic benefits of digital technology made no mention of cybersecurity risks at all. Cybersecurity was, however, a focus of the security and intelligence agencies. It was one of the missions of the signals intelligence agency, the Government Communications Headquarters (GCHQ), but was less prominent than GCHQ’s core work on intelligence collection and analysis.

The 2009 strategy was conceived in a very different era, before the wave of ransomware incidents that have affected both public- and private-sector victims in the past decade. It therefore lacked the sense of urgency that is likely to frame the 2025 strategy’s focus on improving the cybersecurity and resilience of critical infrastructure. 

2011: Cyber Escapes Austerity

The new, Conservative-led coalition government produced its own national security strategy in 2010, followed by a second iteration in 2011. Although pursuing an “austerity” response to the global financial crisis by effecting significant public expenditure cuts, the coalition government protected (and even increased) the national budget for cybersecurity. The government recognized the rising national security importance of cybersecurity, prioritizing it and actively managing it through its new National Security Council process. It incrementally pursued more integrated offensive cyber operations and invested in cyber diplomacy. The Foreign and Commonwealth Office appointed in 2011 its first senior cyber diplomat and, the same year, organized a flagship conference in London to promote international discussion of cybersecurity. 

However, the impact of the government’s wider spending cuts, including to local government, also impacted cybersecurity. The sustained period of straitened budgets likely left large parts of the U.K. public sector less well prepared than they might have been to face escalating cybercrime threats throughout the decade.

2016: The U.K.’s Interventionist Shift

In 2016, the U.K.’s approach shifted toward more intervention to encourage stronger cybersecurity in the private sector. In particular, this led to the creation of a National Cyber Security Centre (NCSC). The NCSC was built on the foundations of lesser-known precursors such as the Computer Electronic Security Group, which had long been the information assurance arm of GCHQ.

The new NCSC was furnished with a new, high-profile HQ in central London and a dynamic chief executive, Ciaran Martin. The 2016 strategy, which in many other respects built on the previous iteration, emphasized the need for a more visible, better-resourced approach to cybersecurity on the grounds that, without more assertive government involvement, the private sector had not sufficiently responded to the cyber threat environment.

The life cycle of the 2016 strategy also saw a turn toward “active cyber defense” in protecting core national government systems; cyber operational cooperation with the United States (signing a memorandum of understanding in 2015), including cyber operations against the Daesh/ISIL group; and the culmination of the decade-long expansion and integration of offensive cyber in the form of the National Cyber Force in 2020. Reflecting increasing concern about cyber threats—and the growing salience of cyber as an instrument of national strategy—the pace of change in the U.K.’s offensive cyber workforce recruitment targets was particularly stark, from 500 personnel in 2015 to 3,000 in 2020. (Although, as intimated by Anthropic recently in its report about disrupting malicious use of its systems to conduct autonomous cyberattacks, the potential integration of artificial intelligence into cyber forces could affect future workforce planning and operational models.)

2022: “Cyber Power” and Holistic Strategy 

Both continuity and change were visible in the next, most recent iteration of strategy (2022), which was rebranded as a “national cyber strategy” rather than a cybersecurity strategy to demonstrate that it was more ambitious, holistic, and versatile as an instrument of national power. This change had been brewing for several years, raised in prominent speeches—such as by then-GCHQ Director Jeremy Fleming—and then in the 2021 national security strategy, the Integrated Review of Security, Defence, Development, and Foreign Policy.

The big shift in this period was toward a more explicitly competitive, geopolitical framing of cyber strategy, with a particular emphasis on the strategic importance of emerging technologies. This was also arguably the zenith of “responsible, democratic cyber power” as a trope of U.K. strategy, based on the idea that liberal democracies could carefully conduct cyber operations with democratic accountability and oversight. These innovations complemented previous strategies on recurring issues such as the need to improve domestic cybersecurity and resilience. This included an ambitious substrategy for improving public-sector cybersecurity, highlighting the need to address legacy IT issues and improve the coordination of government cybersecurity.

The Road to the New Strategy

A recent audit indicated that the Conservative government’s 2022 target to harden public-sector cybersecurity by 2025 had not been met, with significant shortfalls in remediation of legacy IT and the recruitment of cybersecurity experts. In July 2024, this problem was inherited by a new Labour government under Keir Starmer. It did not seem, however, that Labour had brought a new agenda for cybersecurity into government. Labour’s muted response, for example, to a cybersecurity incident affecting the health-care sector in June 2024—during the election campaign—suggested that cybersecurity threats had not become a politicized issue.

All previous iterations of U.K. cyber strategy (2009, 2011, 2016, and 2022) followed a year after the publication of a national security strategy (NSS). This is a logical sequence: The NSS sets overall priorities and vision, and various sectoral or regional substrategies then follow, as the U.K. equivalent of the interagency process produces new policies and lines of effort to execute the NSS. By convention, this is a quinquennial process, with a revised NSS every five years, but in practice it occurred only in 2010 and 2015. Since then, the U.K. has seen midterm course corrections of the NSS.

The conventional, quinquennial NSS update mirrors a presumption that there must be a national election at least once every five years. The key politico-strategic administrative question when Starmer entered office in July 2024 was, therefore, whether the U.K. needed a fresh strategic blueprint following the last iteration—a refresh of the Integrated Review in 2023 produced under the premiership of Rishi Sunak.

Starmer’s initial decision was that the U.K. did not need a new NSS. Under his secretary of state for defense, the new government immediately initiated a narrower Strategic Defense Review (SDR). This decision raised eyebrows at the time: Was it a good idea for the government to attempt an SDR without conducting a fresh appraisal of wider national security priorities? Ultimately, Starmer reversed his decision in February 2025, commissioning a quick NSS, timed to coincide with the publication of the SDR before the June 2025 summit meeting of NATO. 

The impression regarding cyber strategy is that Labour gave relatively little attention to it. To the extent that they had a structured approach to cybersecurity prior to the May 2025 announcement that the new strategy would be produced, this consisted in a commitment to bring forward a piece of draft legislation that had been languishing since the previous Conservative government had put it into sleep mode in 2022. 

Focusing on improved implementation of existing commitments to improve cybersecurity and resilience, including by bringing forward long-delayed legislation, could have formed a robust domestic agenda through to 2029. But, if this view was advocated within government, it ultimately lost the argument. The question then became: What overall strategic context was provided by the 2025 NSS for its subsequent sectoral substrategies, including for cybersecurity?

It is worthwhile to highlight three takeaways from the government’s approach to national security elaborated in the new NSS and SDR. First, the NSS emphasizes “radical uncertainty” and the imperative for the U.K. to spend more on defense and security. Although the NSS presents a compelling narrative about the bleak geopolitical context for U.K. strategy, the government faces skepticism. Some defense experts doubt that the government will pursue the uplift in expenditure quickly enough. Trade unions and left-populist opposition politicians have challenged Labour by arguing that the government is prioritizing defense over public services.

Second, the government committed itself to funding its modest increase in defense spending before the next election by cutting the aid budget by 40 percent. There is little clarity about how this decision was made: Was it a way to make funds available for defense spending, or had there been a prior, interagency assessment of the wider national security impact of such a significant reduction to the aid budget? This has implications for cyber strategy given the important role of cyber capacity building—and diplomacy more generally—in the U.K.’s approach. The impact of expenditure cuts to the diplomatic and foreign policy dimensions of U.K. cyber strategy should be an area of priority for legislative committees to scrutinize in hearings.

Third, while the NSS emphasizes the need for the U.K. to become more resilient, there is evidence that previous efforts to improve resilience, including cyber resilience, have suffered in implementation. For example, successive cybersecurity strategies have recognized the need to improve security and resilience, with each government adopting an incrementally more interventionist approach. But it is clear, for example from recent recommendations by legislators, that there are still shortcomings in the government’s awareness of the true scale of cyber incidents (due to non-mandatory reporting), as well as in its ability to compel improvements in the private sector, whether in software security or in the security behaviors of private companies.

Some, but not all, of these issues will be addressed by the draft cybersecurity and resilience legislation currently going through Parliament, the provisions of which—while welcome—will not come into force until at least 2027. There is a gnawing sense that the U.K.’s incremental approach to cybersecurity, more than 15 years in the making, is too slow, insufficiently ambitious, and not robust enough to meet the challenge.

Enduring Challenges for U.K. Cyber Strategy 

The U.K. government recognizes that responding to cyber threats is not for government alone. The critical national infrastructure at risk is largely owned and operated by the private sector. The software vulnerabilities that so often provide a vector of successful attack for criminals and state actors are, again, produced by the private sector. The government’s role is to work with (and where necessary compel through legislation) these other stakeholders to reduce risks, counter adversaries, and seize opportunities in cyberspace. Particularly in light of rising concern about state threats, principally from China and Russia, the refresh to U.K. strategy will come at a pivotal moment.

At the political level, U.K. cyber strategy faces two recurring problems. First, there is never enough money to do everything the government wants to do. Prioritization is therefore crucial. This is a problem that all previous iterations of cybersecurity strategy have had to face. Second, a perennial challenge of cyber strategy development is misalignment between the time frame of necessary, long-term capacity building, and the government-of-the-day’s short-term political timetable, driven by the electoral cycle. A national strategy—for cyber or anything else—will need to balance this misalignment, providing nearer-term success stories for the government to announce, consistent with keeping longer-term work on track. The wider problem remains how to ensure sustained, patient commitment to long-term priorities as ministers (and governments) come and go.

This presumes that the broad direction of national cyber strategy is politically uncontested. It might be said that this is true by default. None of the U.K.’s political parties has developed a recognizably political analysis of U.K. cyber strategy. Its lack of political salience is arguably surprising, given the magnitude of ransomware and other cybercrime affecting the U.K. Unless or until the U.K. has a future government with a more heterodox view of U.K. national interests and how to pursue them, it is unlikely to see big shifts in the direction of national cyber strategy.

One way to illustrate the relevance of this is to focus on one of the hardest challenges for government in implementing cybersecurity strategy: calibrating the extent to which it intervenes to place requirements on private companies. Over the past 15 years, successive governments have implemented cybersecurity strategies while trying to work out how best to enable, persuade, and, where necessary, compel the private sector to adopt better cybersecurity practices. The sense emerging under Starmer’s government is that stronger intervention—at least regarding a more widely drawn list of critical infrastructure—is increasingly a security imperative rather than a freedom-sapping cost. If the analysis underpinning the U.K. shift toward more intervention is correct, the question still remains: Will the new legislation—and the new strategy—go far enough and be pursued with sufficient vigor?

Shaping the Next Cybersecurity Strategy

The next iteration of cyber strategy is expected to be more streamlined and focused. However narrow the published strategy ultimately is, ongoing efforts will continue within government to ensure a coherent, strategic approach to the different sectoral elements of cyber strategy, whether that is improving security, resilience, defense, deterrence, development, diplomacy, or the contribution of “cyber” to economic growth. Government can do much of the latter without needing to publish a national strategy document enumerating all the different lines of effort that this comprises. Put simply, U.K. businesses wanting to know what the government requires of them to improve their cybersecurity don’t necessarily need to leaf through pages of exposition about the U.K.’s vision of being a “responsible, democratic cyber power” (a point made persuasively by former senior U.K. cyber official Conrad Prince).

This is not to neglect the importance of the government articulating its vision for the next phase of international cyber strategy, explaining the impact of its aid cuts on cyber capacity building efforts, how it sees the current state of multilateral cyber diplomacy, and setting out how best to achieve the various diplomatic and developmental objectives that are part of its wider cyber strategy. One way of addressing this plurality of audiences would be to produce a plurality of documents. The Foreign, Commonwealth and Development Office might be best placed to produce an international cyber strategy (as its U.S. counterpart did under the Biden administration). The Home Office could produce a counter-cybercrime strategy, addressing issues such as whether the U.K. can and should devote significantly more resources to efforts such as the LockBit takedown, and how to impose more costs on so-called safe harbor states. And the Department for Science, Innovation and Technology could lead a domestically focused cyber resilience strategy. A coherent strategic approach does not imply the necessity of one big catch-all strategy document.

However, the Labour government will need to consider which audience is its top priority, which in this context is very likely to be the domestic audience for the government’s already clearly articulated messages about improving cybersecurity and resilience. Once it makes this decision, it should endeavor to make the document as clear, concise, and focused as possible, so that it unambiguously conveys its messages about its top priorities.

*** 

There is much to commend about a focus on improving the cybersecurity and resilience of U.K. critical infrastructure and supply chains. A sustained effort to implement known best practices would help to make the U.K. a harder target to attack, and businesses need to be better prepared to recover from successful attacks. The new strategy must continue to clarify what businesses and other stakeholders can expect from government by way of support, what government requires of them, and where government thinks other stakeholders can help the wider national effort.

But a focus on resilience should not crowd out the other important elements of cyber strategy. The Labour government should build on the National Cyber Force’s 2023 paper, further articulating how the U.K. will continue to use cyber operations for strategic advantage, and specifically to highlight both the U.K.’s ability to maintain deterrence-by-punishment, and its intent to be more proactive in continuously degrading the online operations and infrastructure of malicious actors.

There is an urgency about the current geopolitical moment, which is well captured by the NSS’s emphasis on the turbulence of “radical uncertainty.” While government cannot do everything, it has a wide array of roles to play. It is an enabler, an investor, a regulator, and the ultimate actor of last resort in defending the realm, including the digital homeland. The next iteration of strategic effort needs to ensure that government understands how to play these different roles as effectively as possible, cohering and coordinating effort within and beyond government.


Joe Devanny is senior lecturer in National Security Studies at the Department of War Studies at King’s College London. He is deputy director of the Centre for Defence Studies and is a 2023-25 Project Fellow of the Research Institute for Socio-technical Cyber Security. He writes here in his personal capacity.
