About 20 years ago, Will Middleton was in a meeting with his editor, at a time while he was writing business articles forThe Sunday Times.
A reporter for less than 12 months, Middleton, perhaps propelled by his background in international relations, was keen to make a change. “I told him that what I really wanted to be was a foreign correspondent and report from conflict zones,” he recalls.
“There was a bit of a pause. And then my editor said that journalism as an industry is only going to get harder. He also added that being a foreign correspondent is about the hardest job you can do – it’s very popular, there’s not many of them and it’s not very secure. Then he asked me ‘have you thought about joining the Foreign Office? You can do all those things but it’s more secure and is really interesting at the same time.’ And that was how it all began.”
Fast forward to today and Middleton is now firmly established as cyber director at the Foreign, Commonwealth and Development Office (FCDO). It’s the latest stopping off point in a career built on interesting roles ranging from political counsellor at the British High Commission in Islamabad to speechwriting for the foreign secretary to, more recently, heading up strategy and international engagement as part of the department’s pandemic response.
But while his CV is testament to the diversity of a career in the diplomatic service, Middleton says that his newfound focus on all things cyber is more natural evolution than total change. It also reflects the need to stay ahead of the ever-evolving challenges surrounding UK national security.
Welcome to the Foreign Office
Not for nothing is the FCDO one of the most prestigious departments in the British government.
There’s its history: it oversees a network of embassies and high commissions more than 500 years old. There’s its location: sandwiched in between Downing Street and the Treasury, it is at the very epicentre of British power. There’s its remit: it employs over 20,000 people in 270 diplomatic offices around the world. And there’s its sheer gravitas: its architect, George Gilbert Scott, designed its main building on King Charles Street as “a kind of national palace or drawing room for the nation”.
But time marches on. A rich history is no guarantee of continuing influence and impact – especially in a world reshaped by the pandemic, ricocheting technologies and the fluctuating demands of national security. Middleton says that the latter, in particular, has proved pivotal in guiding him towards his current role and the array of responsibilities now jostling for space in his in-tray.
“My career has increasingly focused on national security issues,” he reflects. “In Pakistan, I was essentially leading our national security relationship and it largely consisted of counter-terrorism. This is still prominent but it’s not the number one issue when we think about national security today. I’ve worked on counter terrorism, counter proliferation, counter extremism, organised crime, illegal migration – all these different fields of national security – and for me it felt like a natural evolution to move to the next frontier, which is cyber. If you want to build a career in national security you have to work in cyber and technology security.”
He goes on to freely admit that his is not a technical background. But actually, this has proved no hindrance.
“In this role, your understanding of international politics and the art of diplomacy, politics and negotiation is just as important as your understanding of the networks, nodes and codes of cyber programming. This is the now the frontline of national security.”
Will Middleton, Cyber Director of the UK's Foreign Office
“As I say all the time, ‘I’m not a cyber expert’ but I have 19 years of diplomatic experience and lots of national security expertise,” he points out. “In this role, your understanding of international politics and the art of diplomacy, politics and negotiation is just as important as your understanding of the networks, nodes and codes of cyber programming. This is the now the frontline of national security.”
Rising up the agenda
It’s fair to say that effective national security can’t happen without close collaboration between a whole range of bodies and organisations – a joined up effort which mirrors how the FCDO itself operates.
So what role does cyber play in influencing power? Can it be seen as an instrument of state power and influence along with other traditional levers such as diplomacy and sanctions? Or is it more of an enabler or amplifier? Middleton, citing the British government’s recent Integrated Review (IR) of security, defence, development and foreign policy, says that cyber is now a key and prominent priority, something which involves the whole of government.
“The IR clearly says cyber is one of the critical national assets alongside our economic power, our military and so on,” he says. “It recognises that in today’s world you cannot exercise power without these capabilities. It’s not just about having government’s technical capability – it’s also right from the ground up, including investments in education, skills, research and development, all the way through to integrating it into diplomacy and development.”
Cyber’s growing visibility also reflects the fact that it is no longer a binary issue concerned with just defence and attack. Agreeing that cyber now encompasses a full spectrum of different missions, Middleton says its cross-government elevation has helped give it far greater prominence within his department too.
“I’ve come to this as a non-expert and I would observe that while cyber security and policy has not been around an awfully long time, it has felt, if I’m honest, as a bit sidelined – the realm of a few experts – but no longer,” he says.
“I’ve spent a lot more time with the foreign secretary over the past three or four months than my predecessors did. I definitely believe this is moving into the mainstream and people are seeing the ways how cyber, in all its contexts, is attached to broader issues.”
Will Middleton, Cyber Director of the UK's Foreign Office
“I’ve spent a lot more time with the foreign secretary over the past three or four months than my predecessors did. I definitely believe this is moving into the mainstream and people are seeing the ways how cyber, in all its contexts, is attached to broader issues. Cyber is fundamentally a tool which state and non-state actors use to pursue their aims. It’s not a separate area of work.”
Building cyber capacity overseas
The FCDO runs a number of funds and programmes for cyber capacity building projects via its global network of embassies and high commissions. Middleton agrees that every country is different – their digital footprint, how they construct their government responsibilities and so on – and this means that his team has to take a bespoke approach. There is no one size fits all rule which applies, other than the underpinning principle that all of this is done to help keep the UK safe.
“We really have to see this as part of the UK domestic resilience,” says Middleton. “You can’t cut yourselves off from cyberspace. This means we have to look at where we are vulnerable and where our allies are vulnerable, so we have to be strategic about identifying where we want to build existing capabilities and where we want to learn from others.”
He goes on to reiterate that priorities differ from country to country. “Sometimes we’re doing a bottom-up start from scratch role, and others we are simply trying to add a few niche capabilities or just information exchange,” he says. “All the time, though, we’re focusing on those countries which are most linked to our own security and resilience, working with allies and like-minded so we’re not all operating in the same space and not tripping over each other.”
“We’re going to be spending half as much this financial year on cyber capacity building as we have in total since 2012. But this is still a small amount – I speak to people across government to try and persuade them that our ambition should be even higher.”
Will Middleton, Cyber Director of the UK's Foreign Office
There is also a potential shift in geographic focus on the horizon after the IR indicated that there will be a greater emphasis on the Indo-Pacific region and Africa, not to mention extra funding being available. “We’re going to be spending half as much this financial year on cyber capacity building as we have in total since 2012,” he says. “But this is still a small amount – I speak to people across government to try and persuade them that our ambition should be even higher. But we’re also well aware that we can’t fully operate in 192 other countries.”
A key partner in these efforts is the UK’s National Cyber Security Centre (NCSC) and Middleton says that their intersection of role and remit has had a hugely positive impact. “It’s a really close partnership,” he explains.
“NCSC’s core mission is defending the UK but they have an international arm and are incredibly good partners for our capacity building efforts, even though it’s not their core mission. So it is our role to lead that international engagement – the strategy of where we focus our efforts – but also ensure we’re not always relying on NCSC to do it as we don’t want to use them to their point of exhaustion. This means that we want to work with other partners, contractors and other parts of government too.”
That said, when it comes to working on capacity building with UK industry partners, he says that different countries have different priorities.
“Some see involvement of our industry as a threat because they’re trying to build up their domestic capacity, whereas others are genuinely interested in our cyber expertise and the role of UK industry in supporting them,” he explains. “So we need to be sensitive towards what each country is looking for while understanding that in most cases trust is built on a government-to-government agreement.”
‘A science and technology superpower?’
Returning once again to the subject of the IR – few government documents have held such sway over British policymakers in recent years – our talk turns to the concept of the UK being a “science and technology superpower” by 2030. Middleton says that cyber power and this science and technology ambition are closely interlinked.
“There is currently a debate going on across government about how much we should specialise on cyber and if it should broaden out,” he reveals. “Personally, I go with the more strategic, broadening out approach because of the links between cyber security and broader technology security. It’s not simply the security of the technology, it’s also about supply chains, the access to that technology and its intellectual property. Coming from a foreign policy and national security background, I just don’t think you can see these things in isolation.”
Of course, it’s important to note that not all technology is the same when it comes to power and influence. There is the positive side of proactively shaping the world and claiming a stake in it, and then there is also the aspect of countering the narrative and technological threat from other nations. Middleton says that these aspects amount to two sides of the same coin.
“It starts with an understanding of the critical technologies that the UK needs over the next 20 years or so,” he explains. “From that flows how diverse the market is in those technologies and how vulnerable we are if one part of that market fails.”
He is keen to stress that this does not amount to the UK moving to a protectionist stance where it seeks to own every technology under the sun, but more about the realisation that some technologies – quantum computing, semi-conductors and aspects of artificial intelligence, for example – are likely to be critical to the UK’s national security.
“If the market for these key technologies is diverse, open and secure, then there’s no need for the UK to own all these capabilities itself,” he adds. “But it may be there are some aspects of these supply chains where we need greater security.”
Looking to the future
It is clear that in our 30-minute chat we’ve only managed to touch on the sheer variety of tasks facing Middleton and his team. However, it is equally apparent that his is a role underpinned by some big ambitions in what is a very nebulous area (not just cyber, but international relations is itself anything but black and white). Amidst this grey zone of uncertainty, he requires a clear vision of what his key goals are.
For example, one issue likely to loom large over his immediate horizon is the need to construct a modern deterrence policy for cyber space. “This is a big challenge and we’ve done an awful lot over the years in this space but it’s still ongoing,” admits Middleton.
“Our integrated approach means we can benefit from the domestic capabilities that place us ahead of others around the world in being able to detect cyber attacks. But what we want to do now is construct a global policy as countries are now more willing to speak out against cyber attacks – both state and non-state.”
Cyber governance, too, is another priority. “The IR is clear in saying that we will shape a new international order to respond to future challenges and this signals a more activist account which applies in cyber space as well,” he adds. Buttressing this goal is cyber’s newfound role at the heart of government and while this means an intensifying spotlight, Middleton is not flinching from the challenge.
“One of the good things about the next Cyber Strategy, which we’re finalising at the moment, is that the international pillar is much more central,” he says. Middleton’s enthusiasm is palpable and he is now gearing up to take this new strategy and cascade it through the FCDO’s global overseas network.
“For me, success is not just building up a specialist cadre of global cyber experts, it’s actually making sure the heads of our embassies and high commissions understand these issues and understand how they can contribute,” he concludes. “This is the prize because our overseas network gives us enormous reach and influence and that, for me, will mean that we have truly mainstreamed this policy area.”
It’s a prize which is fast turning from theory into reality.
About the author
Miriam Howe is a Cyber Security SME at BAE Systems Applied Intelligence
- Conflict in the grey zone: Preparing ourselves against cyber opponents. When it comes to the cyber arms race, Miriam Howe says that preparation, collaboration and adaptability are critical
- Stepping up on Cyber Defence. Christine Maxwell is a woman on a mission – a cyber mission. She tells Mivy James about overseeing the ever evolving challenge of Cyber Defence and Risk at the UK’s Ministry of Defence
- The Cyber Threat: before, during and after lockdown. No sector of society has proved immune to the spiralling effect of Covid-19 – and that includes cyber security. With the kaleidoscope shaken and pieces still in flux, Adrian Nish examines its impact so far
- How to stay ahead in the cyber arms race. With many countries moving significant funding towards developing offensive cyber capability, Dr Mary Haigh examines what needs to be done to stay ahead of adversaries
- Rising to the cyber challenge. How is the UK responding to the myriad cyber challenges and opportunities which pockmark today’s global landscape? In this guest blog, Dr Henry Pearson, the UK’s Cyber Security Ambassador talks priorities, plans and progress
- Bringing data to the party. Caroline Bellamy is on a mission to transform how the UK Ministry of Defence uses data. She tells Mivy James about her 30-year career in industry and why data holds the key to smarter and faster decision-making across Defence