In November, we brought together policymakers, cyber defenders, business leaders and thinkers from a cross-section of government, critical industries and academia for our third annual Cyber Forum at the Institute of Engineering and Technology in London.
This multi-stakeholder group – which included UK government organisations such as the Cabinet Office, UKIC, FCDO, MOD, NCF and Dstl alongside industry partners – combined a wide range of operational and strategic perspectives. The vast experience in the room enabled in-depth discussions of the cyber challenges facing the UK, including adversaries in the form of cyber-criminals and nation states, the threat to CNI and military platforms, and the rise of misinformation campaigns.
This comes at a time when the cyber landscape continues to increase in complexity and uncertainty. We’re facing an increasingly volatile world, where the wide-ranging threats to society are being enabled by an evolving technology landscape.
While we recognise that much of our response toolkit is already known and understood, amidst this landscape we have to understand what’s not working and why, the new threats we should be paying attention to, and how we can break down siloes that may be hindering progress. That’s why shared understanding and collaboration are so fundamental to our collective success, as is learning from our respective experience to address future strategic challenges in cyberspace.
This blog provides our perspective on the key themes that emerged from the Cyber Forum, which was held under Chatham House rules.
Putting Adversaries in the Spotlight
The first half of the event focused on the key threats facing the UK, with our opening session examining the serious organised crime landscape and the scale of the threat.
This session highlighted three core concerns: cybercrime (including ransomware), fraud and child sexual abuse – which are highly interconnected. For example, 89% of fraud offences in the UK are cyber-enabled in some way. Common enablers across cybercrime and fraud include technologies such as remote access tools and mobile malware, with phishing and smishing attacks also common in both offences.
It was noted how the scale and sophistication of these threats are growing due to the continued proliferation of offensive cyber security tools that were previously bespoke, specialist or expensive, which is lowering the barrier to entry. Furthermore, cryptocurrency presents a way to monetise cyber and physical crimes, while generative AI is increasingly being leveraged to make fraudulent content more believable.
Against this backdrop, we discussed taking an upstream approach to tackle the roots of criminality online. Also highlighted was the need for a ‘whole of system’ response where law enforcement, government and the private sector collaborate and share best practice to protect the UK from serious organised crime.
This was followed by a series of sessions looking at specific nation state threats, which shone a light onto some notable behaviours:
- A focus on cyber espionage – both domestically and internationally – on an industrial scale, targeting a range of critical sectors including government and academia.
- A ‘hack for hire’ approach, where nation states leverage private companies to conduct offensive cyber operations on their behalf.
- Developing cyber operations that are highly reactive to the wider geopolitical situation, supported by ‘business as usual’ intelligence collection efforts in the immediate region and worldwide.
- The strategy observed during conflict of maintaining a high tempo of disruptive activity to keep defenders occupied, characterised by quickly switching focus to new targets if initial intrusion attempts fail.
- Although we do not expect to see collaboration between major state adversaries in the short term, we do see collaboration with their domestic industry and criminal ecosystems. There is also a longer-term concern that this collaboration will increase in the future.
A Thematic Lens
The next series of sessions focused on four key thematics from a targeting perspective: CNI, misinformation, defence platforms, and battlefield CEMA.
Looking first at CNI, a CISO from the aviation sector spoke about how the cyber threat is now attracting a similar level of attention to physical and terrorist threats. He highlighted ransomware as a particular concern, as attackers recognise the value of prioritising service criticality over revenue generation. This is particularly relevant to domains such as air traffic control, which rely on the continuous flow of critical data across the ecosystem.
He also acknowledged the challenge of ensuring resilience given the high premium on downtime for changes and upgrades to critical airspace traffic systems, discussing how any interference with services underpinning flight schedules and airspace availability is a major concern. As such, threat intelligence from government sources that helps critical industry complete its situational awareness picture is crucial.
Next, we looked at the threat to information, which in the UK has traditionally been seen as adjacent to cyber issues with significant overlaps between the two. While different problems, we can learn lessons from the last decade of private sector engagement on national security issues, drawing on existing expertise and structures that have been developed to address cyber security threats. For example, should we be building information integrity teams similar to cyber incident response teams?
It was suggested that any national security discussion must now include protecting the integrity of the information environment and its supporting ecosystem – it being in the public interest for government to take the lead against the exploitation of the information environment. However, it was recognised that there is a gap between the government’s need and responsibility to address the threat, and its ability to do so when it doesn’t control the infrastructure on which content is hosted and communicated.
This was followed by a discussion on defence platforms as a target. It was highlighted that, while industry works closely with government in many areas, it often lacks insights into the underpinning assumptions or thinking behind policies which affect it. This can lead to a knowledge gap about the threat that could impact national resilience.
The inherent ambiguity of cyber operations was also emphasised. Challenges around attribution and deniability remain, with the origin and intent of threat actors becoming increasingly opaque – particularly as nations leverage criminal gangs as proxies. The discussion finished with a call for greater cooperation and information sharing of threat insights from government to help industry manage the evolving strategic threat and boost UK resilience.
Finally, we heard about the role of CEMA in the battlespace. As conflicts are being fought more in an urban environment, there’s a greater need to understand what adversaries are doing in the CEMA space in order to protect against it.
We heard about the importance of controlling and understanding one’s own RF emissions, how the increasing tempo of the battlefield is reducing the time to detect indications of an incoming threat, and how the pace of change in the evolution of effects, threats and doctrine is placing significant challenges on both industry and government. The final note was that the future will likely be driven by the development of open standards architectures in electronic warfare systems, allowing a much more flexible software-based approach.
Analysing our Response Options
In the afternoon, we switched focus from the strategic threat to the potential response options. The first panel session looked at the domestic opportunities and levers that could help us respond to today’s threats.
It was noted that this is a uniquely challenging time to be in cyber – necessitating a system-wide response to uplift our collective ability to detect and disrupt malicious actors. While government has a responsibility to create the right environment for greater resilience via both directive and supportive measures, industry also has a fundamental role to play in protecting itself by driving standards and adopting best practices such as secure by design principles.
Key discussion points included:
- Shifting the balance of responsibility for security more onto tech companies: Everyone needs to know where responsibility for each piece of the puzzle sits, to avoid wasting resources or confusing the direction. Outside of government, the cyber ecosystem can provide scaled solutions to boost resilience generally.
- Making a step change on resilience: The panellists agreed that there is still more to be done on resilience and we have not sufficiently shifted the dial – particularly when looking across CNI. Sharing best practice is something we can all do more of, but it needs dynamic collaboration across CNI – which must be two-way, open, trusted and proactive.
- The role of regulation and avoiding unintended consequences: The cyber regulatory landscape in the UK is both complex and inconsistent, leading to disparities in the regulatory frameworks that operators work within. While legislation is needed, particularly to force the issue when market incentives fail, we also need to jointly co-create other propositions for sectors to raise the bar.
Finally, we looked at the international opportunities and levers that can be used in response to the threats we’re currently facing. Key discussion points included:
- Remaining globally influential: The panel agreed that the UK has strong assets in terms of its relationships, experience and convening power. While the depth of information sharing between and across government and industry is helping to keep the UK at the forefront of the cyber system, this must continue and indeed be augmented to support critical industry.
- How industry can help: Industry can help the UK’s influence on the international stage by providing reach (e.g. investing in global markets) and scale (e.g. bringing resources that government simply doesn’t have access to). Relatively low-cost improvements to existing measures such as smarter export control and reducing bureaucratic burden would be valuable.
- Where the UK can take action: We’ve learned over the last few years that sanctions have been impactful, both in terms of delivering meaningful deterrent effects and in articulating red lines. We should also be creating safe spaces for international partners that have shown willingness to work with us, building levers such as commercial incentives to help boost resilience, and continuing to innovate to maintain our influence on the global stage.
Key Takeaways
The discussions throughout the day brought out the interconnectedness of the challenges internationally and at home, as well as the inter-dependency of our response toolkits.
It’s clear that, with the barrier to entry lowering and the ability to scale ever increasing, getting the basics right remains a key line of defence. However, we must not lose sight of the fact that we need to evolve given the capabilities available and techniques employed by cybercriminals, the collaboration between state and non-state actors, and the concern that adversaries may collaborate more closely in the future.
The discussions also highlighted the balance of responsibility across society, with a call for joint propositions co-created by government and industry to incentivise the behaviour that we need. What’s more, there needs to be a shift from incident response to developing an understanding of patterns and behaviours. The evidence base is important for situational awareness, directing efforts and interventions such as disruption and attribution.
Thank you again to all of our speakers and attendees for contributing to a rich and rewarding day. We look forward to continuing these discussions throughout 2025 and supporting the UK’s cyber ecosystem in tackling today’s biggest challenges in cyberspace.