CYBERSECURITY STRATEGY MANAGEMENT
Most of the NSSs have identified cyber threats as new security risks that the policymakers should be aware of and address with the highest precedence compared to other threats . Due to cyberspace has been closely integrated in all four domains and has symbolic relationships with other warfare capabilities, nations are increasingly aware that the proper use of cyber strategies can be a major force multiplier and equaliser; smaller countries which could never compete in a conventional military matter with their bigger neighbours can develop a capability which gives them a strategic advantage. Hence, many states are now developing national strategies to implement safer and more secure digital infrastructures.
A well-developed strategy should provide policymakers with guidance of concerning key goals, required resources, and how these could be employed most effectively. As the nation also have numbers of other strategies, all the stakeholders should understand how the NCSS’s vison and activities relate to other important national strategies. The analysis of 19 NCSS by Luiijf et al shows that numerous key topics and visions are highlighted throughout those strategies. The most repeated among them are:
- Maintaining a secure, resilient, and trusted cyberspace ,
- Promoting economic and social prosperity/ promoting trust and enable business and economic growth,
- Overcoming the risk of digital technologies, and
- Strengthening the resilience of CNI.
On the other hand, Götz Neuneck in warns that only national strategies are not enough to manage cyber warfare. Given the global access to digital technology and the universal structure of the Internet, international cooperation will be a crucial factor in regulating cyberspace and stopping the future cyber conflict. Governments, private, public and civil society need to work collectively to manage national activities, lawful and regulatory approaches, and worldwide responses to prevent future cyber risks.
UK NATIONAL CYBERSECURITY STRATEGY GAP AND CHALLENGES
The UK NCSS was introduced in 2009 and has been reviewed twice so far in 2011and 2016. The primary goal is to secure the UK’s position in cyberspace and its ability to conduct and attract e-commerce as well as safeguard the national interest and UK citizens when online. The 2016 NCSS set out the UK’s core vision for cybersecurity up to 2021 that the UK be “secure and resilient to cyberthreats, prosperous and confident in the digital world”.
To accomplish this vision, the Strategy has set out its 4 main targets:
1. To defend the UK against evolving cyber threats.
2. To deter adversaries using the means to take offensive action in cyberspace should the need arise, in order to detect understand and disrupt hostile action .
3. To support industry and science to develop and maintain the expertise to overcome current and future threats.
4. To achieve free, open, peaceful and secure cyberspace through co-operation with other actors and entities and promoting multi-stakeholder Internet governance.
According to Dewar in , the UK cybersecurity policy can be described as one that subordinates defence and military matters to social, governmental and business priorities which means civilian authorities have the lead in cybersecurity matters given the overall responsibilities to the Office for Cybersecurity (OCS). As with other European nations, the UK also primarily follow civilian-dominant approach with an acknowledged but bounded military dimensions .
The National Audit Office recently assessed that only one strategic outcome is on the track to complete by March 2021. None of the remaining 11 strategic outcomes is currently due to be achieved by March 2021, and the department has a ‘low confidence’ in the quality of the evidence that underpins the assessment of progress against many of these strategic outcomes. According to the report, areas where the UK must improve include; a lack of metrics to measure the effectiveness of the programme and providing visibility of return on investment from cyber initiatives. Additionally, it is said that there are also some doubts over just how much cybersecurity has progressed in the last eight years, and with some criticism, the strategy’s objectives have been wide-ranging and too high level to achieve .
When the NCSS were written the chance of Brexit was not even a political likelihood. However, the Brexit referendum followed by recent election result indicated that now it is certain the UK is heading for Brexit. Establishing broad strategic alignment is one of the core challenges for the next NCSS. Helping to turn political vision into reality, the UK political leaders must specify an international political vision against which a cybersecurity strategy can orient its mission effectively, otherwise, the next cybersecurity strategy risks will be merely a budgetary exercise.
Furthermore, the UK 2015 NSS states that the Armed Forces will have strong cyber defence and will be equipped to render assistance “in the event of a significant cyber incident in the UK” . This involves the use of offensive cyber capabilities developed within the NOCP as part of “full spectrum of UK capabilities to deter adversaries. A cyber attack will be treated as seriously as an equivalent to conventional attack “and we will defend ourselves as necessary” . By explicitly stating its existence and the UK’s willingness to undertake offensive cyber operations, the NSS demonstrates the UK’s commitment to a more active posture in cyber defence . However, specific details are not given on the nature of those capabilities nor the range and scope of the NOCP, and at no other point in MoD policy is military assistance in cyber defence is being mentioned . Even not on the national crisis website where Armed Forces will provide assistance, cyber is not mentioned.
Despite the roots in GCHQ, the UK NCSS will require continuous transparency, clear communication, and commitment from the NCSC to maintain a high level of engagement with the public.
Another gap in the UK NCSS is both roles of government and private sector; the UK policy states that CNI must be resilient to cyberattack . To achieve this goal, a collaboration between the private and public sectors are pivotal. The government will encourage investment in an “innovative UK cyber sector, if necessary through regulation and, where government systems and agencies develop new tools, and these will be offered to the private sector where possible and the citizen”. But how the government reconciles managing the cyber risks for private sectors control is not made clear in public policy. There is a disconnection of a mutual understanding point where private sectors accountability begins and where UK government responsibility ends .
Sneha Dawda, a research analyst in cyber threats at Royal United Services Institute (RUSI) points out that an important focus for the NCSC is increasingly sophisticated states and no-state actors. The Russia-based Turla Group compromised the Iranian Oilrig group and accessed their infrastructure and piggybacked on them and used their unique tools to target its own victim . The NCSC said that the level of sophistication has never been seen previously . Additionally, another challenge the NCSC will face is people – skills shortage for cybersecurity. In order to reduce the skills gap which inhibits the private and public sectors, the NCSC must focus on mid-career professionals. Individuals who have a proficiency for cybersecurity but little to no guidance or opportunity . The primary goal should be developing home-grown talent by advancing cybersecurity skills in school and at all level of the UK’s education system .
The UK’s 2009 NCSS includes jamming and signal modification of, for instance, GPS signals, and high-power radiofrequency transmission with, for instance, a High-Power Microwave, damaging unprotected electronics as cybersecurity threats to address . These may not be digital as a threat, but they are impairing digital assets. The UK Cyber Primer also mentioned that cyber and electromagnetic activities should be seen as one of resilience and complementary (interdependent) in nature and need to be delivered in a coordinated manner within Defence . However, none of the other NCSS refers to these electromagnetic spectrum threats despite growing global concerns about the adversaries applying these technologies. Hence, it is surprising that the recent NCSS do not mention these vulnerabilities and challenges anymore .
In this paper, cyberspace, cybersecurity risks, cyberwarfare, offensive strategy and techniques, cyberwarfare prosecution, and cybersecurity strategy along with UK National Cybersecurity Strategy have been highlighted. The challenges in cyber warfare management in relation to what constitutes a cyber-attack an act of war has been identified. Attribution issue in cyberspace when prosecuting criminal due to complexities is also discussed. The benefit of developing a national cybersecurity strategy in terms of prosperity and warfare capability was also discussed. The UK National Cybersecurity Strategy gaps were identified and discussed.
The rise in cybercrime will continue to increase in the future as an exponential number of devices are expected to be connected soon and malware gets sophisticated, complex and intelligent. And this will be used by nation-states to exploit cyberspace for information superiority to conduct both defensive and offensive cyber operations against others.
Cyberwarfare must be regulated by internationally accepted laws of principles of just war and law of maintaining world peace and security. All the national cybersecurity strategies must be built on these principles and standardise leaving no ambiguities or gaps. All governments, private, and public sectors need to work collectively to manage cyberspace through lawful and regulatory approaches to prevent future cyber conflict. All the opportunities and challenges present by cyberspace should be utilised in favour of the wellbeing of humankind.