Part Two – The Digital Revolution (Part Five)

Economic Unit

National Cyber Strategy

In 2022, the government published its National Cyber Strategy, setting out a clear vision for the UK to be a “leading, responsible, and democratic cyber power” — capable of protecting and advancing its interests in cyberspace while supporting broader national objectives.

The strategy identified five key pillars to guide concrete actions and the outcomes the government aims to achieve by 2025:

1. Strengthening the UK cyber ecosystem, investing in workforce and skills, and deepening collaboration between government, academia, and industry.

2. Building a resilient and prosperous digital UK, reducing cyber risks so that businesses can gain the greatest economic benefits from digital technologies, and ensuring citizens are safe online and confident their data is protected.

3. Leading in critical technologies for cyber power, enhancing industrial capabilities, and developing frameworks to secure future technologies.

4. Enhancing the UK’s global leadership and influence to create a safer, more prosperous, and open international order, through cooperation with governments and industry partners and sharing the expertise that underpins the UK’s cyber strength.

5. Detecting, disrupting, and deterring adversaries to increase the UK’s security in and through cyberspace by using all national tools in an integrated, innovative, and sustained way.

These pillars include crucial steps to support the UK’s cyber resilience — especially through stronger cooperation between government, academia, and industry, as well as reducing cyber risks to help businesses benefit from digital advancement.

The government also committed to creating integrated and effective regional cyber networks across the UK, fostering stronger collaboration between government, businesses, and universities to support sectoral growth and business resilience. As part of this effort, the government announced it would work with regional cyber clusters and in collaboration with UK Cyber Cluster Collaboration (UKC3) to strengthen regional connections.

UKC3 facilitates collaboration, knowledge exchange, and best practices, identifies emerging needs and opportunities, and serves as a key resource for cybersecurity organizations — particularly at the regional level.

Since the new government took office, the work done under the National Cyber Strategy has been reviewed, and the government has stated it is reassessing national security and resilience priorities.

Recommendations:
The government should publish an update to its National Cyber Strategy to reaffirm its commitment to the five guiding pillars of the UK’s cybersecurity activities. This update should include a progress report on actions taken and outcomes achieved toward the 2025 goals.

Cyber Security and Resilience Bill

In the King’s Speech of 2024, the Cyber Security and Resilience Bill was announced. In presenting the Bill, the government referred to recent cyberattacks by criminal and state actors and their impact on public services and infrastructure.

According to the Department for Science, Innovation and Technology:

“This Bill will strengthen our defenses and ensure that essential digital services are better protected than ever before, for example, by expanding the scope of existing regulations, strengthening the role of regulators, and increasing reporting requirements to build a better picture of cyber threats across government.”

The Bill, expected to be formally introduced to Parliament in 2025, could represent a positive step toward strengthening the UK’s digital security and send a message of confidence in the nation’s cyber resilience.

However, although the Bill has not yet been published, reports suggest it may increase compliance costs for businesses. While such measures are likely necessary for security, the government must ensure that reporting requirements do not impose unnecessary burdens and that businesses are actively encouraged to report cyber breaches or attacks.

Recommendations:
The government should ensure that any proposed cybersecurity legislation is developed in full consultation with businesses, ensuring the business community fully understands the requirements. This includes sharing timely, practical, and useful information derived from cyber incidents with the business sector to identify areas requiring further action.

Additionally, the government should explore incentives to encourage businesses to report cyber intrusions or attacks — rather than imposing penalties — so that reporting requirements are not seen as an additional burden.