Learning lessons from the UK’s confident approach to cyber
8 Dec 2015

An aerial image of the Government Communications Headquarters (GCHQ) in Cheltenham, Gloucestershire.

The launch of the 2015 SDSR provided evidence that UK Defence and Security agencies are being re-invigorated after a period of extensive cuts. Over the next ten years £178 billion will be spent on a range of military platforms. While this won’t elevate the UK to the peak of global military powers, it will reassure allied partners that it’s a reliable security partner.

Large quantities of money are often associated with ‘big ticket’ military hardware, yet the UK has spent comparable sums on its cyber capabilities. At the launch of the 2010 SDSR, the sting of looming cuts was softened by the announcement that the Government would invest £500 million in cyber security. In the intervening period, that’s risen to an £860 million investment in a growing area of national security concern and potential advantage.

The 2015 SDSR announced that spending on cyber security will grow again with a commitment to invest a further £1.9 billion (A$3.9 billion) over the next five years. When that sum is added to the core spending on cyber security capabilities to protect UK networks, the total spend amounts to more than £3.2 billion (A$6.5 billion).

The clear and concise wording of the document is just as significant as the money attached to it. The 2015 SDSR weaves together a clear articulation of the UK’s strategic goals in cyber along with a comprehensive narrative about the importance of cyber security to national and economic security, and introduces measures to enhance capability and skills in both areas. It commits the UK to remaining a world leader in cyber security to protect critical networks, to maintaining high levels of confidence in its ability to protect business from cyber threats, and to bolstering the digital economy to help it reap the economic rewards of high value cyber security technology and skills.

The lead component of the cyber section of the SDSR is the newly formed National Cyber Centre established under GCHQ’s leadership. This centre will have charge over operational responses to cyber incidents. Not only will it have an operational lead but it will also act as a focal point for companies seeking advice on cyber issues, simplifying previous arrangements.

There are three areas worthy of specific comment. First, the UK has worked hard over the past 10 years to mature the Government’s relationship with the private sector on cyber. There’s a clear commitment to ‘share knowledge with British industry and with allies’, ‘help companies and the public do more to protect their own data’, and ‘simplifying private sector access to government cyber security advice’. That’s evidenced most strongly in the promise to develop a ‘series of measures to actively defend…against cyber attacks’, alluding to active defence tactics which aim to disrupt attackers prior to, or while they’re attacking a network. The SDSR states that those capabilities will be ‘developed and operated by the private sector’, which is a leap forward in coordination between the UK’s public and private sectors.

Despite efforts to build stronger relationships with the private sector on cyber, Australia is some way off being able to make these kinds of statements. There’s a continuing journey that needs to be undertaken in order to reach the same level of maturity that the UK has achieved.

Second, the SDSR details a significant investment in creating highly qualified and skilled personnel, including £20 million to open an Institute of Coding to fill the current gap in higher education. A £165 million Defence and Cyber Innovation Fund was also announced to support innovative procurement across government, alongside two new cyber ‘start-up’ centres where new companies can incubate their tech in the early stages of development.

Finally, one of the most striking aspects of the plan was the emphasis placed on developing offensive cyber capability. The UK has firmly stated that it has this capability and will use it as a tool of national power and to respond to security threats. George Osborne used strong words to underscore this part of the plan:

‘Part of establishing deterrence will be making ourselves a difficult target…We need to destroy the idea that there is impunity in cyberspace…We are building our own offensive cyber capability—a dedicated ability to counter-attack in cyberspace.’

Following on from the US admission in 2010, this further illustrates an emerging trend among Australia’s allies to publicly state their capacity to conduct or develop offensive cyber operations. A clear statement of the way Australia views the use of offensive cyber capabilities would be a welcome addition to the Australian Defence White Paper when it emerges.

There are lessons for Australia on the cyber front here. First is the use of committed, firm ideas and language which are backed financially. We are yet to see how much the Australian Government will invest in this important area of national security. Second, there’s a clear articulation of the linkage between cyber security, economic security, digital innovation and national security. Australian cyber strategy will hopefully follow suit. Finally, there’s evidence of a mature and trusted relationship between Government and the private sector built over time, which Australia can afford to do much better at. With both a Cyber Review and a Defence White Paper due imminently, expectations will be high that Australia can deliver on both fronts.