The U.K. as a Responsible Cyber Power: Brilliant Branding or Empty Bluster?

James Shires, Max Smeets
Tuesday, November 23, 2021, 8:01 AM

In March, the U.K. government published its Integrated Review of Security, Defence, Development and Foreign Policy, setting out the U.K.’s position as a “responsible democratic cyber power.” This is unique and useful for a few key reasons.

U.K. Prime Minister Boris Johnson gives a statement outside 10 Downing Street on April 27, 2020. (

Published by The Lawfare Institute
in Cooperation With

The current U.K. Conservative government has an impressive record on one particular thing: punchy but highly malleable slogans. These range from “get Brexit done” to “levelling up,” not to mention the many COVID-19 mantras emblazoned on lecterns over the past two years. Now, the government is trying a similar tactic in foreign policy and international cybersecurity. 

In March, the government published its Integrated Review of Security, Defence, Development and Foreign Policy, setting out the U.K.’s position as a “responsible democratic cyber power.” Although it is fresh out of the oven (rather than “oven-ready”), this new combination of responsibility and cyber power already deserves a place among Boris Johnson’s more well-known linguistic escape acts.

The language of “responsibility” comes from decades-long cybersecurity negotiations at the United Nations, where the U.K. has been at the forefront of efforts to agree to norms of “responsible state behaviour” in cyberspace. 

“Cyber power,” by contrast, has a less diplomatic origin. Originally used to capture the impact of hacking tools on international politics, the term has come to the fore in Western attempts to assuage concerns of a rising China and disruptive cyber operations by Iran, Russia and North Korea. In recent (U.S.- and UK-based) think tank reports on cyber power, the U.S. and the U.K. are ranked at or near the top for their respective cyber power capacities.

This new combined term—“responsible democratic cyber power”—is useful for three reasons.

First, the U.K. distinguishes itself from less responsible cyber powers; Russia and North Korea have conducted several cyber operations that, according to the U.K., were “reckless” in their disregard for the risks of unintentional propagation, including infecting the U.K.’s National Health Service. Israeli companies have sold hacking tools used to target the family members of Gulf rulers, as well as journalists and dissidents. By saying it is a responsible cyber power, the U.K. signals that it conducts cyber operations in accordance with the law, embedded within a strong ethical framework.

Second, this term helps the U.K. avoid mistakes made by the United States. When the U.S. Cyber Command unveiled its vision of “persistent engagement” and the Department of Defense introduced its strategy of “defend forward” in 2018, aiming to achieve “superiority in cyberspace” through operating “seamlessly, globally and continuously” against adversaries, critics argued this approach was potentially escalatory, insufficiently careful of allied networks and diplomatic relationships, and without an overall aim beyond a cyber “forever war.” In response to the criticism, its proponents were put on the defensive, emphasizing that the new strategy should not be understood as “aggressive” but merely as “active.” In contrast, it is hard to argue the U.K. should not be a responsible cyber power. 

Third, the U.K. hopes the term will act as a kind of self-fulfilling prophecy, keeping an anxious “global Britain” firmly in the top tier of cyber actors. The U.K.’s new National Cyber Force is intended to “transform the UK’s cyber capabilities to disrupt adversaries and keep the UK safe”—but will do so more responsibly than its counterparts. A paper published by King’s College stresses how “transparency about offensive cyber [operations] will demonstrate responsible state behaviour and help build enduring norms that reduce cyber conflict, not increase it.” In February 2019, Jeremy Fleming, director of Government Communications Headquarters, reminded an audience at London’s International Institute for Strategic Studies that “responsibility applies as much to the projection of a nation’s cyber capabilities as it does to cyber defence.” Last month, Fleming added that, “from an international law perspective and certainly from our domestic law perspective[,]” the National Cyber Force can go after ransomware gangs.

In this way, the term signals that the U.K. is keen to carve out its own niche in the cyber power space. It wants to be more active, although bureaucratic competition and institutional inertia make this challenging. The new slogan represents self-motivation as well as international benchmarking. The U.K. wants not just to be a responsible state, like many of the countries participating in the U.N. negotiations; it wants to be a cyber power

The final part of the U.K.’s coinage is that responsible cyber power is also democratic. This is more honest than the indirect description of the U.S., the U.K., the Five Eyes intelligence alliance and the EU as “like-minded” in international cybersecurity negotiations. After President Biden’s call for an alliance of democracies, the U.K. is now following suit, separating itself from its more authoritarian military allies. As the recent submarine spat demonstrates, however, the group of countries above are all democratic, though not necessarily like-minded.

The U.K. government aims to further clarify what it actually means to be a responsible, democratic, cyber power in the future—a delaying tactic also evident in the government’s policies on everything from Brexit to social care. Mary Haigh, chief information security officer for BAE Systems, argues that one of the most challenging aspects of building responsible cyber power is the need for “a skilled workforce, not just of software coders and computer scientists, but containing truly broad skillsets, from communications to marketing and from geopolitics to human behavioural scientists.” From the multilayered maneuvering evident in the U.K. government’s new cyber branding, it appears that at least marketing is already covered.

James Shires is an assistant professor in cybersecurity governance at the University of Leiden. He is the author of 'The Politics of cybersecurity in the Middle East,' (2021).
Max Smeets is a senior researcher at the Center for Security Studies (CSS) at ETH Zurich, director of the European Cyber Conflict Research Initiative, and author of “No Shortcuts: Why States Struggle to Develop a Military Cyber-Force”, published with Oxford University Press and Hurst in May 2022.

Subscribe to Lawfare