In the UK National Cyber Strategy – a strategic framework that lays out the UK’s aspirations to be a leading cyber power – one of the five pillars is focused on “deepening the partnership between government, academia and industry”. It’s the link between government and industry that we’ll be focusing on here, within the context of national cyber defence in both peacetime and conflict scenarios.
This is not a straightforward topic to unpick. There are many complex factors to consider and, although best practice guides for public-private partnership exist, it’s a broad topic and there’s no overarching blueprint for coordinating or funding industry’s engagement in a nation’s cyber defence. The Russian invasion of Ukraine has provided an illustration of what’s possible when international industry and governments come together during a conflict. But a conflict situation is very different to a peacetime context in which industry and government primarily operate, and when strategic planning tends to take place.
Even as an example of a conflict, Ukraine is unique in the scale of the alignment across nations and industry players in support of the Ukrainian people. Most conflicts aren’t so unanimously publicly opposed and industry won’t always naturally align with government as it has with Ukraine. Governments can’t assume that those same companies would be willing to support other emergency situations and the nuances of geopolitics mean that no two scenarios are the same. As such, we’re still a long way from any sustainable model that could be applied elsewhere.
We must remember that conflict shouldn’t be the primary lens through which to examine this topic. Conflict is the exception, rather than the norm. The key question, therefore, is how government can build that bridge with industry and establish effective relationships and incentives so that, when needed, they are aligned behind a common set of objectives that contribute to national cyber defence.
Alignment in a heterogeneous ecosystem
A key consideration that immediately surfaces when thinking about government-industry alignment is that ‘industry’ is not one homogeneous mass. It comprises a diverse pool of organisations – including big tech, enterprise service providers, defence primes, specialist SMEs, and more – with different shapes, sizes and approaches to decision-making. Every company has a slightly different risk calculus that is driven by individual strategies, cultures and values. This calculus plays a big role in influencing how – or if – commercial entities choose to engage with government and where they direct their capability.
Consider the values aspect. This will affect how companies react to particular cases or conflicts and is particularly relevant in the modern era of personality-driven companies. For example, Silicon Valley tech companies in the 2010s were vocally libertarian in their values, often illustrated in their prioritisation of user privacy over national security.
Modern society’s deepening dependence on the services of a handful of commercial entities has bestowed these companies with immense influence over a widening range of political, social and legal issues. Although their reach and influence are exactly what can make them such powerful allies for government, a company’s values can significantly influence its appetite to align with government policy.
The target market of the company and its strategic approach to its market are also key factors in its decision calculus. An organisation’s willingness to put its head above the parapet and openly align itself with a specific government will to some degree be influenced by its core markets. Unless an organisation’s leadership has a particular moral reason, it is less likely to explicitly pick a side due to the potential impact on its ability to conduct business in certain markets.
This will vary by sector. In general, organisations and individuals working within the defence sector tend to be more aligned with the national security policy objectives of their home nation. For other sectors, it depends on the markets they serve. A multinational company that is dependent on several markets will always be less likely to align itself with a single government’s objectives – unless it is reliant on export licences granted by the “home” country for a significant portion of its revenue. Similarly, large enterprises will have different motivations and abilities to tolerate risk than an SME that is trying to grow and survive.
Another risk that factors into a company’s decision to align with political and defence objectives is potentially making itself a prime target to adversaries. This is particularly salient in the context of cyber, in which state-sponsored attackers will target supply chains and critical industry.
This all means that industry can’t be viewed as a single entity. Understanding the key drivers that impact how different companies make decisions about their engagement with specific government programmes is vital to identifying the role industry can play in certain situations. Without this understanding, effective alignment will be much harder to attain.
A foundation of capacity building
There’s now a general recognition that we can’t have security at home without having security abroad. This international component of national cyber defence has therefore become increasingly important, putting greater focus on international cyber capacity building programmes that support a ‘whole of alliance’ approach to security.
For example, governments will often work with industry to provide allied countries with support and education around areas such as protecting critical assets, cyber threat detection and national incident response. This work – which is typically undertaken outside of conflict scenarios – ranges from technical training to policy development, and helps to build relationships with strategically important partner nations and enhance collective cyber resilience. Although international in nature, it will provide an understanding of wider cyber needs and challenges that can be fed back into defensive efforts at home.
Industry can be at the centre of this activity, helping a country be globally connected and grow its influence abroad. Through international collaboration, a country can boost the security of its allies and, in turn, its own national security. Having businesses established in different countries in partnership with government provides a tangible link that can help ensure a collective approach to cyber defence.
This was highlighted in the recently published ‘UK–Poland 2030 strategic partnership joint declaration on foreign policy, security and defence’. The declaration refers to enhancing and developing cyber cooperation across governments by bringing “trusted industry partners into a single, coherent approach” through a combination of knowledge sharing, operational cooperation, and bilateral cyber consultations.
Of course, organisations won’t always be willing or able to do this independently. If government wants an industry presence in a country or region and the business case for companies is not itself compelling, it’s therefore going to have to provide incentives – either through direct funding or initiatives such as industry hubs or tax breaks. These incentives could make it more worthwhile for industry to act as a scaling mechanism for the delivery of national objectives and provide a non-political partnership layer in support of collective cyber resilience.
In the long term, the focus must be on two areas. First, sustaining private sector involvement beyond publicly funded programmes, such as by streamlining export regulations or providing local upskilling incentives. And second, supporting the SME ecosystem in a way that empowers SMEs to overcome the barriers and risks of international cyber capacity building work that large enterprises can tolerate. These two pillars will help to increase the reach and influence of industry for national security.
Establishing domestic capability
As highlighted in the previous section, cyber resilience is built on a foundation of capacity building – which is largely carried out in peacetime contexts. Domestically, this puts the focus on business-as-usual activities that enhance and support alignment on domestic cyber defence objectives. Operating well in ‘normal’ times – i.e. following Secure by Design principles and ensuring that the basics are in place – forms the critical backbone of any effective national cyber strategy.
Businesses must have the confidence that they can withstand barrages of attacks and the latest generation of cyber threats, with an understanding of the latest capability as well as their own strengths and weaknesses. Similarly, government needs to be able to trust industry to establish this foundational capability. Government should also consider what it wants partners and companies to be doing day-to-day in order to build their individual and collective resilience.
This will then make it easier and faster to deploy additional capability and provide meaningful assistance during an emergency situation. Having the basics in place is what will enable companies and governments to react to a cyber-conflict with quick patches and configuration changes, continual vulnerability scanning, and deployment of new procedures or tools as part of their emergency response. In this way we can envisage DevSecOps moving to the frontline of the persistent cyber conflict, which is the reality of modern defence operations.
This is where it’s so important for interests to align between government and industry. Working together to promote things like security best practices, standards and good governance will put any nation on a better footing for conflict operations. Industry has a key role to play in establishing the building blocks of an effective cyber defence. Given that in liberal market economies industry is not mandated to follow particular strategies, government must focus on developing partnerships, providing incentives, and effectively communicating its objectives outside of conflict – while at the same time analysing what incidents can teach us about business-as-usual, and vice versa.
Ultimately, government is looking for assurance that industry will step up when needed and the confidence that it is well positioned to have a positive impact. But the reality is that such clarity and commitment are challenging to achieve. First, industry is not – nor is it ever going to be – simply a strategic cyber reserve for the government to call upon. Second, the role of industry in national cyber defence is entirely dependent on the alignment of government and industry objectives – the latter of which includes a lot of diversity.
This highlights the nuanced nature of the issue, and the range of technical and geopolitical issues to consider. That’s why there must be a long-term focus on building strategic relationships with industry and establishing a base capability that can be grown when needed. Defence primes can be central to this mission, alongside major technology and service providers which also have important roles to play. The technical reach and capability of these major tech and service providers, combined with primes’ natural alignment to government and connections to a large ecosystem of SMEs and industry partners, forms a powerful proposition to help government tackle the alignment challenge in support of national cyber defence.