The British government has published its Integrated Review into defence and security policy – and though you'll like it if you're in the UK infosec industry, threats of nuking North Korea in revenge for WannaCry are very wide of the mark.
While the Cyber-Integrated Cyber-Review of Cyber-Security, Cyber-Defence, Cyber-Development and Cyber-Foreign Cyber-Policy was cyber-short on cyber-concrete cyber-promises, it did use the word "cyber" 114 times.
Yet in terms of "things that will flow from this" the Integrated Review (IR) mentioned only the National Cyber Security Centre and the nascent National Cyber Force, both already in existence. The IR was long on ambition but clothed in the impenetrable language of defence and management consultancy. A sample of it reads as follows:
We will adopt a comprehensive cyber strategy to maintain the UK's competitive edge in this rapidly evolving domain. We will build a resilient and prosperous digital UK, and make much more integrated, creative and routine use of the UK's full spectrum of levers – including the National Cyber Force's offensive cyber tools – to detect, disrupt and deter our adversaries.
Under the heading "responsible, democratic cyber power" the government promised to "use cyber capabilities to influence events in the real world," including more use of "offensive cyber" – and, eye-catchingly for the UK infosec sector, UK.gov plans to build "an advantage in critical cyber technologies."
Try to avoid thinking of the internet as a flashy new battlefield, warns former NCSC chiefREAD MORE
Offensive cyber is what ordinary people call "state-backed hacking". Two years ago the then Foreign Secretary, Jeremy Hunt, said in a major speech: "If cyber interference were to become commonplace, the danger is that authoritarian states would damage public confidence in the very fabric of democracy."
One would hope that policymakers have been paying attention to the former head of NCSC, Ciaran Martin, who publicly warned in late 2020 that all this warlike talk neither contributes to international peace nor helps anyone understand what the hell UK.gov actually intends on doing.
Hunt's far-sighted speech, taken together with the Integrated Review, could be seen today as a warning that British foreign policy for the 2020s will contribute further to international instability – especially after the Ministry of Defence spun a temporary increase in nuclear missile warheads as meaning that the UK would nuke state-backed attackers.*
Cyberup campaign: 80% of infosec pros fear they might fall foul of UK's outdated Computer Misuse ActREAD MORE
Britain's so-called "whole of nation approach" to cyber policy and capabilities in the post-Brexit world will, so we're told, rest on UK.gov "supporting a UK research base that can compete with allies and adversaries" and nurturing an industry capable of delivering "innovative and effective cyber security products" – something that may warm even the hearts of the occasionally jaded infosec industry.
Yet the creation of a bigger infosec industry that successfully competes on a commercial footing with products and services from the US and infosec powerhouse Israel is years away; individual British SMEs employ fine and talented people but the only truly global infosec company the UK has ever produced is Sophos. It's a crowded marketplace out there too, with thousands of companies competing for business.
It's not only the infosec industry that's mentioned in the review; the government wants "to take the lead in the technologies vital to cyber power, such as microprocessors, secure systems design, quantum technologies and new forms of data transmission."
Quantum (as in cryptography) seems to be one of those marketing buzzwords that crept into the report; the tech is about 15 years away from becoming reality.
While there won't be any sleepless nights in Silicon Valley or Shenzhen after political leaders in those places read about Britain's wider tech ambitions, the review's contents bode well for companies looking to base R&D departments in the UK – perhaps building on the international reputations of Cambridge and Manchester.
Indeed, the latter is receiving specific attention; the National Cyber Force will be based in the city, as UK.gov briefed the press on Sunday. Manchester University has close links to spy agency GCHQ and a significant amount of the British infosec industry is already based there.
Mop-topped Prime Minister Boris Johnson said in a statement: "Cyber power is revolutionising the way we live our lives and fight our wars, just as air power did 100 years ago. We need to build up our cyber capability so we can grasp the opportunities it presents while ensuring those who seek to use its powers to attack us and our way of life are thwarted at every turn."
The review did not, however, mention anything about changes to the law to allow British firms to compete on an equal footing with overseas infosec companies, particularly in the areas of threat intelligence and research. Industry has tried making noises about this in the past but they have largely fallen on deaf ears in Westminster.
Kevin Bocek, VP security strategy and threat intelligence at US machine identity firm Venafi, opined that the review was a good thing for his business and urged UK.gov to send more cash its way, saying: "So far there has been too much emphasis on trying to change people's behavior in cyberspace but attackers have moved on to target the machines that make autonomous, millisecond decisions. Attacks on machines and the machine identities that uniquely define them is the new battleground that the government will rapidly need to defend." ®
* The review claimed, implausibly, that Britain could nuke nations that attack its digital infrastructure, raising the spectre of Trident missiles raining on Pyongyang in the aftermath of some future WannaCry-style worm.
"Britain could use nuclear weapons against a state that threatens to inflict a devastating cyber or biological attack," reported The Times, along with several other national newspapers, following clandestine government briefings (and a string of identical "exclusives") the night before the review was formally published.