The United Kingdom’s 2022 National Cyber Strategy: British Continued Commitment to an Open Digital World. Larger World Strategy, and Active Cyber Defense

By Terry Burruss, Senior Content Advisor
Billington CyberSecurity

“A world in which open societies and economies can flourish is the best guarantor of our future prosperity, sovereignty, and security.”

—UK 2022 National Cyber Strategy Goal

Released this week, the comprehensive United Kingdom’s (UK) 2022 National Cyber Strategy sets a clear tone to the country’s future approach to responsibly embracing the emerging digital world and its increasing complexity. It deftly ties this strategy to Britain’s larger economic and defense goals, leverages great work already implemented to shore up the nation’s cyber defense, and clearly articulates the country’s commitment to promoting its interests while internationally promoting open and increasing use of this new digital world.

The Strategy outlines a mutually enforcing Five Pillar Approach to meeting the UK’s vision by 2030 being a leading responsible and democratic cyber power, able to protect and promote Britain’s interests in cyberspace in supporting its national goals. The five pillars are:

  • Pillar 1: Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia, and industry
  • Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximize the economic benefits of digital technology and citizens are secure online and confident that their data is protected
  • Pillar 3: Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies
  • Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power
  • Pillar 5: Detecting, disrupting, and deterring our adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers

The document provides excellent context to help the reader see the need for this kind of strategy and their role in it. It defines key terms such as “cyberspace” and “Cyber Power” to provide a foundation by which to understand its strategy and frame its goals. It broadly highlights key responsibilities for all the UK’s various players to include those of British citizens, academia, private sector, state and local governments, and National Government elements to include key instruments of national power such as the NCSC, new National Cyber Force and National Crime Agency to strengthen its point that cyber is a team sport. It describes the emerging cyber threat to include recent cyber incidents—and the drivers of change, for example the rapid need for digital connectively in the wake of the COVID pandemic—that foster the need for even greater focus on meeting this strategy as we head into the future.

The document deftly connects its goals to the larger social, economic, and defense UK strategy. It articulates how its cyber investments are tied into the country’s overall commitment to Science and Technology R&D. It boldly reinforces its approach to limit the country’s reliance on what it calls “individual suppliers or technologies which are developed under reigns that do not share our values;” a direct indication of how it will view technical purchases from countries such as China and Russia in the future. Lastly, it articulates a UK commitment to push for both open technology standards and an international code of cyber conduct to keep cyber decisions from becoming individual country controls.

The document also highlights how this strategy is built upon ongoing or already established work to improve the nation’s cyber defenses. It highlights some already running innovative programs such as the launching of two youth cyber education programs—CyberFirst and CyberDiscovery. Both efforts are geared towards providing British kids with hands on cyber competitions and hackathons. It showcases the UK’s Active Cyber Defense (ACD) program—a collective effort designed to alert and thwart known threats—to identify and dismantle 2.3 malicious cyber campaigns in 2020. It also showcases new legislation such as the UK’s Network and Information System Regulations that require designated organizations to take measures to better ensure IT security; legislation that is currently being considered in the US.

While building on previous work, the Strategy also presses for new efforts that will re-enforce previous work while taking on the added challenge of an increasingly complex world. The Strategy highlights new efforts necessary to deal with increasing the trust of the nation’s digital supply chain as well as new efforts to protect operational networks that support its critical infrastructure. It highlights a larger commitment to a national approach to involve a whole of society effort; work which includes the establishment of a National Cyber Advisory Board; an effort that matches the Board established by the US May Cybersecurity Executive Order.

The all-inclusive strategy includes a strategy of how its offensive deterrence programs will fit into its larger cyber defense agenda. Deterrence will include offensive cyber actions, greater law enforcement efforts to thwart the growing rise of cybercrime and increase intelligence sharing from the British intelligence system. Defensively, the effort reflects many of the same goals and actions affiliated with the Biden Administration’s Cybersecurity Executive Order issued in May. There is a keen focus on increased application of technology and data policy, enhance efforts to hold Government entities responsible for protecting their systems, and a huge effort to increase collaboration between the national government, local government, and the private sector.

This is a must read for all cybersecurity professionals—both public and private—who want to see how a peer and partner country is addressing its country’s needs, to get additional ideas that might help our own country’s cybersecurity efforts, and who are looking for ways to strengthen cross-Atlantic partnerships in this arena. On a side note, the Strategy includes powerful glossary and footnote sections that contain a wealth of good background vocabulary definitions and documentation that will bolster any cybersecurity professional’s context and expertise. For example, Footnote number two provides an excellent overview of where the UK is currently with its cyber labor market and where it needs to be.