Cyber through the lens of the 2015 Strategic Defence and Security Review

Every five years, the government reviews and evaluates its previous and current expenditure of public funds towards the strategic defence of the nation. This review then leads to the development of a new five-year plan for the defence of the realm which builds upon the gains made in the previous five-year period, but also shifts the strategy where needed to ensure it takes into consideration the challenges the nation is likely to face in the upcoming five-year period. This strategy is made clear to all in the nation in the form of the National Security Strategy and Strategic Defence and Security Review (SDSR), and a new SDSR was released in November of 2015.

Cyber in Previous SDSR rounds

 The SDSR of 2010 was the first time Her Majesty’s Government (HMG) allotted a significant amount of funding to the topic of cyber. The Cabinet Office, in the form of the Office of Cyber Security and Information Assurance (OCSIA) was given the mandate to spend ￡860 million pounds in the form of the National Cyber Security Programme (NCSP), and these funds were used by public institutions across government to tackle the issue of cyber. But since 2010, cyber in its broadest sense has grown exceptionally in scale and scope, and what was once a niche challenge for HMG has become something much greater.

The Global Context for SDSR2015

SDSR2015 was developed under very challenging and demanding global geopolitical circumstances. In 2010, the UK committed to working with Russia to promote energy and political stability globally, but since that time, Russia has chosen to define itself in an anti-Western image. Russia’s unilateral activities in Ukraine and Syria destabilised

Eastern Europe and the Middle East. Terrorism and extremism stubbornly remain a significant threat, as has been evidenced by the tragic events in Paris and most recently in Belgium. And political instability, and the resultant human mass migration, are the cause of significant concern for all nations, but especially Europe.

Cyber in SDSR2015

The word cyber is mentioned 110 times in the 96 pages of SDSR2015, so it’s fair to say that cyber as an issue is a significant focal point for this government and for the next five years (at least). Cyber even has its own section in chapter 4 of SDSR2015. But I’d suggest that cyber cuts through the defence and national security priorities of HMG in a much more holistic way than the 110 times and section E of chapter 4 gives evidence to; cyber underpins the entirety of HMG’s defence strategy for the coming five years.
 
SDSR2015 clearly stated three National Security Objectives:

• Protect our People
• Protect our Global Influence
• Promote our Prosperity

To achieve these three objectives, HMG has a set of tools that it can use; levers of power it can pull to attain a foreign or domestic outcome. Cyber isn’t a tool in its own right; cyber reinforces all of the other tools that HMG has to play with.

To “Protect our People”, the government has committed to: spend the NATO-mandated 2% of GDP on defence, modernise the MOD and intelligence agencies, respond to state-based threats, build and maintain a national deterrence capability, counter terrorism and organised crime, become a world leader in cyber security, and increase our national resilience to threats. Cyber, either offensive, defensive, or both, play a significant role in all of these commitments by reinforcing the other activities that the government undertakes to achieve them. Take the modernisation of the MOD, for example; the previously un-overlapping world of cyber and traditional defence activities are now crashing together, and the MOD will have a cyber-trained and enabled workforce able to conduct cyber activities on any future battlefield.

This is the MOD Joint Force of 2025 outlined in SDSR2015:

It would be easy to conclude that the MOD’s cyber modernisation will take shape solely in the “Joint Cyber Group” detailed under Defence Intelligence in this diagram. But the reality is that the MOD will mainstream cyber throughout the entirety of the joint forces detailed in this diagram; every tank, aircraft, ship, submarine, every soldier, every UAV, every submarine will be both a cyber sensor and effector on the battlefield of 2025. Cyber capabilities will be used for tactical, theatre and even strategic effect, and thus cyber planning, exercising, training, etc will be ingrained in the DNA of MOD’s future fighting forces.
And one has only to glance at the advanced and aggressive cyber attacks against the Ukrainian power grid in late 2015 and early 2016 to understand that ‘protecting our people’ is only possible through the robust and innovative cyber defence of the United Kingdom’s critical national infrastructure (and that of our allies).

In “Protect(ing) our Global Influence”, the government has committed to: protect assistance to fragile states and regions, expand our soft power reach,

build stronger alliances and partnerships, strengthen international order, and help overseas allies in their own national resilience. It’s clear to see that working closely with those partner nations is critical to the success of this objective, and while it might be challenging to find a common thread of national interest for the UK and these nations, cyber defence is invariably going to be a common denominator for both parties. Even with the banking crisis of 2007/2008, the UK’s financial institutions remains one of the UK’s best international exports. But SDSR2015 has made very clear that it sees cyber as one of the strategically important exports for the UK in the coming five-year period, and this export will directly contribute to the UK’s global influence.

To “Promote our Prosperity”, the government will: champion a rules-based trading environment, maximise defence, security, diplomatic and development activities, work more closely with the private sector to increase innovation, and support the UK’s defence and resilience. Yet again, cyber plays an important role in these activities. The UK has a rich tradition in excellent technical and engineering innovation, and the UK is a world-leader in the development of cutting edge intellectual property (IP). But given the advances in hacking capabilities and tradecraft and the lowering of barriers to entry for advanced

cyber attack operations, the theft of this world-beating IP is a significant threat to our national prosperity. Cyber is used by organised gangs of criminals to steal money and hold at ransom information they know is of significant value for the owner. And the protection of the UK’s critical national infrastructure, including cyber threats to it, remain a topic of significant importance for HMG. To counter these threats, the UK is developing and will continue to develop a second-to-none stable of cyber defence capabilities to ensure that the UK remains internationally competitive and a prosperous place to live and do business.

SDSR2015 Commitments

SDSR2015 made many cyber commitments, but a few stand out:

• The establishment of the National Cyber Security Centre;
• a ￡2.5b increase in the funding of the national intelligence agencies; and
• an extra 1900 security and intelligence staff across the intelligence agencies.

While cyber isn't the only mission for that ￡2.5b and 1900 new staff, these commitments none-the-less provide testimony to how seriously government takes cyber as an issue of strategic importance.

Another clear commitment made by HMG in SDSR2015 is the commitment to work with industry partners in building the capabilities needed to generate outcomes in cyberspace. Input from industry is specifically being sought to ensure that HMG has access to:

• a wide breadth and depth of technical innovation necessary to ensure that cyber solutions in the UK are world-class and enable the outcomes the UK needs both domestically and internationally;
• the massive technical and developmental scale needed to create cyber capabilities and solutions needed by government; and
• the developmental pace to be able to create capabilities in an agile manner while at the same time getting them in place when they are needed most.

But there is a significant bottleneck putting the delivery of SDSR2015’s cyber objectives at risk: people. Achieving the type of cyber success that HMG is looking for isn’t an exercise in building great widgets or “cyber-boxes”; it’s an exercise in ensuring that the UK has the right cyber workforce necessary to deliver success. And I’d go so far as to say that until recently, this was a problem that has been getting worse; there simply isn't enough talented cyber ninjas coming out of the schooling system to address the need. Demand has been drastically outstripping supply. That said, SDSR2015 recognised this fact, and I’m pleased to see that government has been taking steps to address this; the CyberFirst scheme is a fantastic scheme aiming to build the next generation of

cyber experts, and the CyberInvest scheme is breaking down barriers in the traditionally challenging triumvirate of industry, academia and government. These are but a few of the initiatives that government is undertaking to address the need, and I’m pleased to see that they are inviting industry to play a role in most of their ideas.

Conclusion

While we eagerly await the upcoming 2016 Cyber Security Strategy and expect it to reinforce HMG’s established stance on cyber, SDSR2015 made very clear that cyber isn’t a “flash-in-the-pan” issue; it’s not this decade’s “dotcom” bubble waiting to burst. It’s a clear and important priority for HMG for at least the next five years, and those companies who are able to design and develop the cyber capabilities needed by government will have the opportunity to be part of the UK’s drive for international cyber excellence.