A constant theme at CIISec LIVE and across the profession is the growing strategic importance of cyber security. Whether discussing hostage negotiation, transportation or misinformation the message is clear.
There may have been a time when cyber was viewed as another element of “keeping the lights on”. But, if it ever existed, that time is long gone, with cyber at the heart of our businesses, infrastructure and economies.
This is a challenge, but also an opportunity. With trust and resilience crucial to global networks, cyber has become another form of soft power – countries that lead the way in cyber security will have another way to influence others and build their standing. For the UK, already a soft superpower, cyber security can find its place alongside The Beatles, Grand Theft Auto and the Premier League on one side, and our educational institutions, legal system and the English language itself on the other.
Miriam Howe, Head of International Consulting at BAE Systems and a RUSI Associate Fellow, addressed this in her CIISec LIVE keynote. Drawing on her wealth of experience leading cyber programs for UK and national governments, Miriam took her audience through the threat landscape, the opportunity to both lead and learn from other countries, and how we in the profession can help drive the UK’s leading position.
The threat landscape is constantly growing: including pressure on Critical National Infrastructure (CNI), and an expanding definition of CNI that means there are more targets than ever. At the same time, the very domains we need to defend are expanding. Both subsea cables and space are part of our vital infrastructure, and need to be defended as such. The Ukraine war showed how action is reaching both outside the atmosphere and below the waves, with attacks on the ViaSat/Eutelsat satellite network, and the Nord Stream pipeline sabotage.
Coupled with this is the spread of new threat actors. Gangs of teenage hackers are capable of causing damage alongside more organised criminal gangs and actors for hostile businesses or governments. At the same time AI and lower-cost attacks are lowering the barriers to entry, and it’s easier than ever to perform reconnaissance, launch and iterate attacks at scale. This in turn makes it harder to predict an attacker’s behaviour or motives.
The inevitable result is the growth of hybrid threats, where attacks will spread across domains and those behind them, especially nation states, will want to maintain plausible deniability. What’s vital is that the strategy and policy landscapes reflect this: not putting security in silos but recognising new threats and encouraging cooperation.
In the UK, that policy and strategy landscape is vibrant. As mentioned above, the Government is already investing in defence against subsea threats, and there is a wealth of strategies, reviews and bills that all contribute to the nation’s defensive posture. The Cyber Security and Resilience Bill is at centre stage, but the 2025 Spending Review and Strategic Defence Review; the National Cyber, AI, Industrial and Infrastructure strategies; and initiatives such as the UK Cyber growth action plan all have a role to play, and are all interconnected.
With all these initiatives, the crucial question for the Government is what do we need to do to shift the dial on cyber resilience? Here Miriam was clear. Economic growth is a strong driver of better resilience, and the cyber security industry is, in turn, part of that growth. Value for money is a key consideration. Ultimately the Government, like many organisations, needs to do more with less, which in turn means making difficult choices and being able to accurately measure the value of each action. And any shift needs to consider the significant changes and transformation happening in other parts of Government.
With all this in mind, we could look at where the UK can lead on cyber, and where it can learn from others. First is the UK’s own cyber brand: its importance in international trade, its own experience, and its reputation for professionalism. The relatively large capacity of the UK ecosystem is not replicated everywhere, and there may be opportunities to teach and support others. Similarly, our experiences of private and public partnerships can be an example for the rest of the world.
There is also the space to learn: from how others deal with the universal threat to CNI for instance, or the real-world experiences of countries such as Ukraine in an all-out cyber war, or Singapore and Estonia with digital services and ID. Ultimately, learning from each other whilst recognising that not all threats are uniform will build cooperation and support our allies’ cyber resilience. And more resilient countries make for better partners.
Finally, what can we do as a profession? Most importantly, we need to remember that community is defence. Information sharing and support is crucial to presenting a unified front and building the UK’s cyber security soft power. The more we can leverage our own experience to lift all boats, and articulate the benefits of a resilient approach, the more the UK and the profession will benefit, and the more we can grow the cyber industry as a whole. By doing so, we expand a crucial bedrock of the UK’s security and soft power.