17
UNITED KINGDOM

Pragmatism and adaptability in the cyber realm

Tim Stevens

Introduction

The United Kingdom of Great Britain and Northern Ireland (UK) is one of the world’s leading economies and has been able to marshal substantial national resources to address a range of cybersecurity issues. The UK’s overt national cybersecurity program is a decade old and constitutes a sophisticated approach to cybersecurity involving multiple public and private actors. These operate in a robust planning framework that treats cyberspace as a strategic domain and cybersecurity as a means of pursuing the national interest at home and abroad. The UK recognizes that its prosperity and international visibility make it an attractive target to cyber criminals and strategic adversaries and is developing ways of countering these threats. This chapter outlines the UK’s cybersecurity strategy and its planning assumptions; sets out the main institutions and stakeholders; describes pertinent UK legislation; and discusses relevant aspects of UK foreign policy. It also looks ahead briefly to some of the societal implications of UK cybersecurity and concludes that while there are some strategic challenges to UK cybersecurity in the form of Brexit and Russian subversion, the UK is relatively well prepared to address the broad landscape of cybersecurity challenges.

National cybersecurity strategy

The UK’s first national cybersecurity strategy (NCSS) was published in 2009, with subsequent iterations in 2011 and 2016 (Cabinet Office, 2011; HM Government, 2009a, 2016a). The current NCSS, issued in November 2016, is a mature statement of national cybersecurity aims, coupled with an ambitious auditing program for measuring progress towards its strategic goals. It is framed as a second five-year (2016–2021) National Cyber Security Programme (NCSP), following its 2011 predecessor, but looks beyond the 2021 time-frame to recognize evolving challenges from emerging technologies and adaptations in adversarial tools and capabilities. The NCSS prioritizes partnerships between government, industry, and society to deliver better national cybersecurity through multi-sectoral behavioral change but is driven by an important shift in government thinking. Government recognized that earlier reliance on the market to drive national cybersecurity innovation had engendered insufficient “scale and pace of change required to stay ahead of the fast moving threat” (HM Government, 2016a: 9). Accordingly, government has adopted a more interventionist stance to drive secure cyber behaviors across multiple sectors, supported by an enhanced financial investment of £1.9 billion over five years to “transform significantly” UK cybersecurity (HM Government, 2016a: 10). If successful, government will retreat from this central role, allowing the twin drivers of the market and technology to continue improving the cybersecurity of UK society and economy (HM Government, 2016a: 71).

The NCSS is organized around three mutually supporting themes – Defend, Deter, and Develop – undergirded by a renewed commitment to International Action to promote bilateral and multilateral cyber initiatives that advance UK national interests and promote collective security. “Defend” counters evolving cyber threats and promotes the protection and resilience of UK assets and society, including through public education and knowledge exchange with industry, particularly small-medium enterprises (SMEs). This includes an Active Cyber Defence (ACD) program, which claims to have “objectively” reduced through automated means the incidence and effects of common cyber threats across the public sector (gov.uk) domain (Stevens et al., 2019). “Deter” prioritizes actions to identify and pursue hostile actors in cyberspace and reserves the right to prosecute offensive actions against them if necessary. It emphasizes the development of sovereign capabilities, including cryptography, to reduce risk from cybercrime, cyberterrorism, and foreign cyber actors, both state and non-state. A core component of this effort is the establishment of a National Offensive Cyber Programme (NOCP) across the Ministry of Defence and GCHQ, the UK signals intelligence agency, which marks the present NCSS as more “offensive” in orientation than its defensively minded forerunners (Christou, 2016: 62–86; Lonsdale, 2016). The “Develop” strand promotes cybersecurity education, research, and training to reduce the cybersecurity skills gap, and support private-sector innovation and growth. Alongside a range of educational outreach and engagement programs, one highly visible component of “Develop” has been an increase to 19 in the number of accredited Academic Centres of Excellence in Cyber Security Research (ACE-CSRs) at UK universities.

Britain’s perceived self-identity is an important driver in the framing of national cybersecurity and its strategic ambitions. Its historical contribution to digital innovation informs its status as “one of the world’s leading digital nations” (HM Government, 2016a: 6). The UK is also, as attributed to Napoleon, “a nation of shopkeepers,” by which is meant that England’s wealth derived from commerce, rather than any innate material advantage. So too with cyberspace, which is seen as an opportunity to bolster and promote national economic productivity and prosperity. Indeed, as the NCSS makes clear, the “future of the UK’s security and prosperity rests on digital foundations” (HM Government, 2016a: 9), an unsurprising conclusion for a country that generates upwards of 10 per cent of its gross domestic product from the digital economy, the highest proportion in the G-20 (Boston Consulting Group, 2015). Cybersecurity policy has always gone hand-in-hand with economic policy in the UK. The first national cybersecurity strategy, for instance, was launched together with the government’s Digital Britain agenda, “a guide-path for how Britain can sustain its position as a leading digital economy and society” (HM Government, 2009b: 8). Subsequent strategies have reinforced the notion of the UK as a dynamic, outward-facing entrepôt nation and the potential of the cybersecurity industry itself to become a vibrant economic sector. Complementary ambitions are expressed in the Digital Economy Act (2017).

Institutions and stakeholders

No single government department or agency has sole responsibility for cybersecurity in the UK. Formally, the Cabinet Office, which sits at the heart of government and civil service, is responsible for developing cybersecurity policy and implementing the National Cyber Security Programme (NCSP) outlined therein. Many tasks are coordinated by the Cyber and Government Security Directorate (CGSD) in the Cabinet Office, which has its origins in the Office for Cyber Security (and, later, Information Assurance), founded in 2009. CGSD works with government partners, each of which has responsibility for various components of the UK cybersecurity architecture. The Department for Digital, Culture, Media and Sport (DCMS) leads on the digital economy. The Home Office is the parent department for the Security Service (MI5) and National Crime Agency and guides cybercrime and counterterrorism operations. The Department for Business, Energy and Industrial Strategy (BEIS) oversees aspects of industrial cybersecurity outreach and engagement, including specific provisions for the civil nuclear industry. The Department for Education (DfE) delivers an extensive program for cybersecurity and online safety education in schools. The Cabinet Office itself controls the resilience agenda through the Civil Contingencies Secretariat.

The Foreign and Commonwealth Office (FCO) is responsible for the Secret Intelligence Service (MI6), GCHQ, and its offshoot the National Cyber Security Centre (NCSC) in London. It also handles diplomatic issues arising from foreign cyber actions, such as the 2018 attribution to Russian military intelligence of a series of hostile cyber operations (NCSC, 2018). The Ministry of Defence (MoD) harmonizes the activities of its service branches and executive agencies to develop sovereign capabilities and deliver operational advantage, including, in partnership with GCHQ, through the National Offensive Cyber Programme (NOCP). The UK was the first country in the world to admit to developing “a full spectrum military cyber capability” (Blitz, 2013), and joint cyber units at Cheltenham and Corsham deliver offensive and defensive capabilities respectively. These units and others, including the Joint Cyber Reserve, sit within the Joint Forces Cyber Group (JFCyG), created in May 2013 as a successor to the Defence Cyber Operations Group.

Previous investigations into UK cybersecurity suggest a rather haphazard, historical development of institutional capacity and responsibility (Harvey, 2013). This is broadly correct (although see Pepper, 2010), but the present architecture represents a robust attempt since 2009 to establish cross-government cooperation, facilitated by a central coordinating body reporting upwards to the prime minister and cabinet and to the National Security Secretariat. Responsibilities are granted to departments with existing expertise and capabilities; where these need strengthening, additional funds have been allocated when possible from the £1.9 billion investment program announced in NCSS 2016. Cybersecurity is one of the few policy areas to receive additional funding when other budgets have been cut through spending reviews and financial austerity measures. Much of this is channeled into the intelligence agencies, an historical characteristic of all UK government cybersecurity (Stoddart, 2016). This raises questions about internal skewing of stated priorities and of bureaucratic land grabs, but the government would defend this on the basis that GCHQ, in particular, has the necessary technical heritage and resources to be a uniquely effective contributor to national cybersecurity.

As the government acknowledges fully, essential capabilities and knowledge exist outside the public sector too. The NCSS views the private sector as a key partner in achieving the stated ambitions of the NCSP, including the development of a robust cybersecurity export market (Department for International Trade, 2018). This is despite government’s view that the market has not taken adequate account of cyber risk and has so far invested insufficiently in cybersecurity (HM Government, 2016b). Indeed, given private ownership of almost all critical national infrastructure, UK government has to look to public–private partnerships as a solution to a range of cybersecurity problems. These are well-established in the UK for purposes of threat intelligence sharing, knowledge exchange, capacity building, skills development, innovation partnerships, specialist outsourcing, supply of goods and services, and so on. Given the differing motives of the public and private sectors, the tensions inherent in such relationships can be ameliorated by embedding all actors early in the policy planning process (Carr, 2016). The UK therefore involves the private sector in a range of activities that feed into developing cybersecurity policy, in addition to the informal policy advice provided by commercial interest groups like the Information Assurance Advisory Council (IAAC), aerospace and defense industry organization ADS Group, and the Security and Resilience Industry Suppliers Community (RISC). Of particular note is the Defence Cyber Protection Partnership between MoD and industry, which works to protect the defence supply chain from cyber threats. These initiatives ensure that government capitalizes upon private-sector skills and knowledge to understand the threat environment and available cybersecurity solutions. It also implicitly incentivizes commercial buy-in whilst staving off the twin perils of private-sector pushback on government policy and any immediate need for government regulation.

The NCSC is now a primary facilitator of public–private interaction, although by no means the only one. One of its key roles is to advise government departments and agencies on cybersecurity policy, including on how to “future-proof” policy in a dynamic technical environment. This is tied in to a broader horizon-scanning agenda across government and means that NCSC must seek expertise from outside government to inform its advice on cybersecurity science and technology (Cabinet Office, 2017). Industry representatives are integral to this process, through schemes like Industry 100, which embeds firms’ employees in the NCSC to work on specific issues of technical and behavioral cybersecurity. This program acts as a knowledge exchange mechanism between industry and government to drive internal and external change but also assures the specialist advice that NCSC disseminates to other government partners and which forms the basis for policy development. Private companies are essential partners in establishing the NCSC as “the single authoritative voice for cyber security science and technology” policy advice (Cabinet Office, 2017: 17). Companies with national scope, like BT and Nominet UK, the official registry for .uk domain names, interface directly with various parts of government, including the NCSC. Nominet is also a key stakeholder, along with DCMS, in the UK Internet Governance Forum, which represents industry and third-sector views to policy-making organs of government. On occasion, companies are invited to present on specific policy issues to central government or parliamentary select committees, and extensive consultation with industry has occurred during the drafting of legislation (e.g., Investigatory Powers Act) and policy (e.g., DCMS, 2018).

Legislation

The UK Parliament has little direct involvement in cybersecurity policy and strategy, responsibility for which rests with government rather than the central or devolved legislatures. It has an important role, however, in shaping the legal environment in which cybersecurity operates and in exercising oversight over the activities of public and private cybersecurity actors. In the absence of a unified national legal framework for cybersecurity, Parliament has enacted a range of laws that impact upon cybersecurity and allied fields. The UK was one of the first countries to recognize the necessity of criminalizing certain computer-related crimes, leading to the Computer Misuse Act (1990). This has been amended over the years, most recently by the Serious Crime Act (2015). This legislation makes illegal a wide range of unauthorized access to and subversion of data and computer systems. Recent amendments have increased tariffs for some offences, whilst also criminalizing malicious cyber actions by British citizens outside UK territory.

Of particular interest to the intelligence community has been the sometimes awkward passage through Parliament of the Investigatory Powers Act (2016) (IPA). Nicknamed “the Snoopers’ Charter” by critics, the IPA describes and expands the electronic surveillance powers of UK intelligence agencies but, in response to post-Snowden demands, also renders these more transparent and with greater safeguards on their use, including judicial review of warrants. It created an Investigatory Powers Commission and Investigatory Powers Tribunal to exercise oversight alongside the existing Intelligence and Security Committee (ISC) of Parliament. The IPA is in some respects an improvement on earlier legislation – and contrasts favorably, for example, with US surveillance law and intelligence community practice – but has been poorly received by privacy campaigners and civil liberties groups, who continue to pursue legal actions against what they see as an authoritarian drift in UK government.

Another key area of legislative activity is data protection. Existing legislation includes the Data Protection Act (1998) and the Privacy and Electronic Communications Regulations (2003), which apply to all organizations handling personal information about living individuals, outlining their responsibilities and the penalties for non-compliance. Certain provisions have been strengthened by the incorporation into British law of the European Union General Data Protection Regulation (GDPR) in May 2018. A new Data Protection Act 2018 requires the Information Commissioner to be notified of all data breaches, with severe penalties – up to 4 per cent of annual turnover – for non-reporting and irresponsible data protection practices, and tightens up the data protection framework. This has elicited some concern from industry, not least from small-medium enterprises and charities struggling to understand, let alone comply with, the new regulation. NCSC has responded with a range of accessible resources to assist these organizations to do so. Government has also implemented the 2016 EU Directive on the security of network and information systems (NIS Directive), which identifies essential operators of UK information infrastructures and incentivizes better cybersecurity.

Foreign policy

The UK has repeatedly signaled its belief that international law applies to cyberspace, as it does in any other operational domain. The first national cybersecurity strategy hedged on the issue but, since the second strategy of 2011, national cybersecurity policy has expressed the existence of “a body of international agreed principles, behaviour and law which applies to cyberspace” (Cabinet Office, 2011: 18), even if it has side-stepped the issue of quite how these apply and the attendant implications. UK government also encourages the international community to act in accordance with international law and other norms of inter-state behavior (e.g., Wright, 2018). On those occasions when it has perceived other states to have challenged those frameworks, it has, consistent with articles of the NCSS (HM Government, 2016: 50), attributed cyber incidents to specific state actors. Notable in this respect are the public attribution of the WannaCry ransomware to North Korea and a range of aggressive cyber operations to the Russian Federation (Foreign and Commonwealth Office, 2017; NCSC, 2018). Its political legitimacy in this space has been challenged, including as a result of its involvement in transnational surveillance practices, as exposed by Edward Snowden in 2013. However, the UK is publicly committed to the rule of international law, both to constrain its actions and those of others, and to facilitate its own cyber operations within existing international legal frameworks.

A good example of this dynamic is provided by UK involvement in the Tallinn Manual process of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia. The two volumes of the Tallinn Manual (Schmitt, 2013, 2017) report on NATO’s expert legal panel’s explorations of the applicability of international humanitarian law to military cyber operations and other legal regimes’ relevance to peacetime cyber operations, respectively. The first volume found that military cyberwarfare was regulated by the same international legal frameworks that shape and constrain other uses of military force. This is perhaps unsurprising, given the generally liberal-democratic character of the contributing NATO countries, but its rapid integration into national defense policy has been noteworthy. The UK quickly incorporated its findings into defense planning (Ministry of Defence, 2013) and, as a major player in NATO, also respects NATO’s policy commitments to the Tallinn principles (e.g., NATO, 2014, 2016). UK military cyber doctrine is somewhat disconnected from national cybersecurity strategy (Ormrod & Turnbull, 2016), but the military and wider government both respect international law in the preparation and execution of cyber operations. In the military’s case, as legal advice like the Tallinn principles trickles down into doctrine, this will constrain UK military cyber operations but also allow them to exploit the cyber environment fully by “playing to the edge” (Hayden, 2016) of the doctrinal box. Naturally, the UK’s adoption – in common with NATO allies – of “modern deterrence” and cross-domain responses to cyber provocations (Donaldson, 2017; Lindsay & Gartzke, 2017) also means it must consider the applicability of other legal regimes to those response modes.

UK cybersecurity policy has insisted unwaveringly on the desirability of promoting international norms for responsible state behavior in and through cyberspace. These are expressed as “rules of the road” to be developed with international partners to “safeguard the long-term future of a free, open, peaceful and secure cyberspace” (HM Government, 2016a: 63). As a permanent member of the UN Security Council, the UK has been involved with the United Nations Group of Government Experts on Information Security (GGE) since its 2004 inauguration. The GGE has had some success in shaping the global cybersecurity agenda and in promoting the norm of the applicability of international law in cyberspace. However, the GGE is riven by a “Cold War” schism that prevented it reporting in 2016–2017. This is widely seen as a failure and an intractable obstacle to further global norms development. Despite this, the UK Foreign and Commonwealth Office remains committed to the spirit behind the GGE, even if it is unclear what may succeed it (Bowcott, 2017). It is also engaged fully with the new Sino-Russian Open-Ended Working Group on cyber issues, which started its UN General Assembly work in 2019.

The UK considers itself a “champion” of the multi-stakeholder approach to global internet governance (HM Government, 2016a: 63). It is proud of its heritage as a digital innovator – often invoking the likes of Alan Turing and Tim Berners-Lee – and has been a member of most organizations and institutions engaged in technical, regulatory, and policy aspects of internet governance since their inception. Whilst British influence is less than its closest ally the United States, the UK is an important actor in global internet governance and a net contributor to international cooperation and collaboration. In this, the UK considers government more a facilitator and guarantor of multi-stakeholder governance than a tool of control over the global internet (DCMS, 2013). This position does not disbar the UK from taking robust positions on global governance issues, including cybersecurity, but it does mark a conceptual boundary between it and those governments with more autocratic reflexes.

In the specific context of regional security governance, the UK is a key member of NATO, as previously mentioned, and of European institutions and organizations with critical roles to play in regional cybersecurity. It was an original signatory of the Council of Europe Convention on Cybercrime (2001), which seeks to harmonize international counter-cybercrime legislation and operations. Although it did not ratify the Convention until 2011, the UK is an active member of policing organizations that support the ambitions of the Convention, principally Europol, the law enforcement agency of the European Union, and its new European Cybercrime Centre (EC3). It also supports the work of the EU Agency for Network and Information Security (ENISA) and a range of other regional and supra-regional initiatives in critical infrastructure protection, cybersecurity, cybercrime, and counter-terrorism. The effects of the UK leaving the European Union in 2019 (Brexit) are unclear, particularly with respect to cybercrime policing, threat intelligence sharing, and its involvement with ENISA, although government officials have claimed Brexit will not impact UK–EU cybersecurity cooperation (Stevens & O’Brien, 2019). Parties to the exit negotiations have committed to maintaining close and strong links on security and intelligence matters, but the UK’s interactions with regional cybersecurity arrangements will be subject to internal and external review (e.g., HM Government, 2017).

Like many former imperial powers, the UK maintains close ties with its erstwhile colonies, in this case through leadership of the Commonwealth of Nations. The UK acts as a source of advice and assistance to the 52 other countries in this intergovernmental organization and, by extension, to the population of 2.5 billion contained therein. This gives the UK unique reach into countries on every continent and allows it to shape cybersecurity to further its own national interest, particularly once it leaves the European Union. In addition to a host of bilateral capacity-building and advisory measures, the Commonwealth Telecommunications Organisation (CTO) has since 2010 organized annual forums to promote international cooperation on cybersecurity matters and to develop strategies for development and implementation, including its Commonwealth Cybergovernance Model (CTO, 2014). The Commonwealth Heads of Government 2018 meeting in London saw the launch by former Prime Minister Theresa May of the Commonwealth Cyber Declaration, a statement of principles and ambitions for improving cybersecurity across the community, although it remained focused principally on cybercrime (The Commonwealth, 2018).

Looking ahead

Like its immediate predecessors, the 2015 National Security Risk Assessment (NSRA) adjudged cyber threats a “Tier One” (high probability, high impact) risk to the UK over a five-year period, alongside terrorism, interstate war, pandemic disease, and natural disasters (HM Government, 2015). This explicitly referred to cyberattacks by hostile states and large-scale organized cybercrime but also interacts with other risk categories (Blagden, 2018). This assessment informs government cybersecurity policy and strategy and demands the cross-cutting, national response outlined above. From government’s perspective, cybersecurity is key to national and economic security, without which national interests at home and abroad will be threatened. There are many positive outcomes to this way of thinking: greater public awareness of cyber issues; improved business cybersecurity; more sophisticated modes of cyber risk management; improved societal resilience, etc. However, internal government assessments have been critical of overall progress thus far (e.g., National Audit Office, 2019) and it is clear that planning for the next NCSS – due in 2021 – will have to address issues around resourcing, intra-governmental coordination, supply-chain cybersecurity, and critical infrastructure protection.

A key factor in the ongoing improvement of UK national cybersecurity has been the emergence of a more public-facing intelligence community, principally through the NCSC. This is the continuation of a longer process in which the secret agencies have “opened up” to public scrutiny since the 1990s. As the chief executive of NCSC observes, this is a necessity in the “team sport” of cybersecurity (Martin, 2016). There remain concerns that, despite this more open posture, the intelligence agencies at the heart of UK cybersecurity are unaccountable to the British public. The primary oversight mechanism of the parliamentary Intelligence and Security Committee, for instance, is thought to be less independent, and therefore less effective, than it might be (Defty, 2018). Coupled with weak parliamentary opposition to government security policy and a less than glorious track record on surveillance, it is unclear where meaningful resistance would emerge should the UK’s whole-nation approach to cybersecurity overstep some as-yet unperceived line. The 2009 NCSS contained a short section observing that cybersecurity tools must meet criteria of necessity and proportionality and that a “clear ethical foundation and appropriate safeguards on use are essential to ensure that the power of these tools is not abused” (HM Government, 2009a: 10). This aspiration has yet to reappear in any formal national cybersecurity statements.

Conclusion

The UK can plausibly claim to have one of the most integrated approaches to national cybersecurity in the world. By its own admission, this can never be perfect, any more than any other form of security. Viewed as an exercise in risk management, therefore, the aim of UK cybersecurity is to minimize serious disruption and maximize economic prosperity, whilst maintaining its ability to project influence abroad and operate globally in the national interest. It is able to capitalize on extant sovereign capabilities whilst reaching out to partners across multiple sectors to assist in the national cybersecurity project. It views cybersecurity as an opportunity to promote itself in the world, both by example and as demonstration of its commitment to an open and secure global internet. Like most countries, it also faces challenges from a dynamic threat environment. It is a rich country that presents an attractive target for cybercriminals and a major, if waning, global power which must contend with other powerful states also seeking advantage in cyberspace. Its recent experiences with Russian cyber and informational subversion suggest a rocky road ahead and the very real prospect that deterrence simply is not working as well as it might. A new NCSS, scheduled for 2021, will have to take this into account. Its 2019 exit from the European Union also confounds predictions about future cybersecurity, but the UK is perhaps better placed than many to tackle the scale and scope of cybersecurity issues to which it is exposed.
