The UK possesses all the tools and capability required to actively engage and repel the substantial and growing cyber threat from Russia, China and other malicious actors.
It has access to the intelligence, the technology and the human skill base to face up to the coordinated assault from state-enabled cyber actors.
Yet a critical vulnerability persists. The fragmented defense and government sector response to a threat that operates without boundaries poses an existential threat to our lives.
Without developing a coordinated, collaborative response capacity that combines intelligence from the public and private sectors, attacks such as the recent breaches experienced by Marks & Spencer (M&S), the Co-op and Harrods will become even more commonplace.
Russia Targeting the UK with Impunity
The truth is that, at present, Russia, with a high degree of confidence, can target almost any organization in the UK. It can conduct operations on a federated, mass scale.
When it comes to the UK, the gloves are now off. Britain is a major target because of its outspoken position on Ukraine. Add that to the US’ domestic priorities towards Russia and it means that cyber gangs enabled by the Russian state have abandoned any reticence about attacking critical UK infrastructure and services, such as the NHS.
The biggest cyber challenge we face, and the reason we are likely to see more attacks such as the one on M&S, is not that we lack the skills or technology to combat the threat, but that we lack a joint organizational structure to respond effectively.
A Siloed Structure
The UK's cyber defense strategy is hampered by its siloed structure. GCHQ and the Secret Intelligence Service (SIS) predominantly focus on international threats, while the Home Office focuses on domestic counter-espionage and organized crime.
The National Crime Agency (NCA) is nominally responsible for domestic cybercrime via its National Cyber Crime Unit (NCCU), but it is, as publicly stated, limited in its current operational capabilities.
These multiple, operationally polarised environments create a chasm in our cyber defense, preventing an agile response to a threat that does not respect national borders or agency jurisdictions.
This situation contrasts with other successful international models, such as Europol's European Cybercrime Centre (EC3), which collaborates with the private sector on highly sensitive criminal activities with significant success. Even the FBI has openly acknowledged its inability to effectively combat cybercrime without robust industry engagement.
Unfortunately, the UK lacks a comparable framework and there is no open discourse about establishing a British equivalent of EC3. The existing public-private collaborations we do have are informal and often severely limited. While key figures in our security agencies recognize the urgent need for such a capability, they are constrained by a lack of resources and of the authority needed to implement it.
Time for the Private Sector to Step in
All is not lost. The private sector, with its technical expertise and access to real-time threat intelligence, is ready to bridge this gap. With governmental authority and support, a private sector-led solution could be rapidly established, transforming the UK's defensive posture from reactive to pre-emptive.
Much like the FBI, the government must acknowledge its limited capacity in cyber defense in the face of unprecedented aggression from Russia and other hostile actors. This crucial recognition would pave the way for establishing a UK equivalent of Europol’s EC3.
The current lack of visibility and coordination at the government level is a critical weakness that undermines the UK’s ability to use its cyber capacity as a soft power bargaining chip in an increasingly fraught geopolitical climate.
Without a comprehensive and collaborative solution, the UK is at a significant disadvantage in the information warfare race. Supercharged by AI, Russian cyber gangs possess vast datasets on the UK, which can be weaponized to target any company within the supply chain. This systemic risk, coupled with the absence of a macro-level understanding of the threat, leaves the UK acutely vulnerable.
The need for a coordinated, private sector-enabled solution is paramount to protect British businesses and national security.
