Perspectives on the Next UK National Cyber Strategy

28 Aug 2025 11:44 AM

Publishing a new cyber strategy before the end of 2025, the UK Government has a lot to consider to move beyond past initiatives.

Chancellor of the Duchy of Lancaster Pat McFadden delivers a keynote speech to the CyberUK conference in Manchester, 7 May, 2025.

At this year’s CyberUK conference, the Chancellor of the Duchy of Lancaster announced that the UK government would publish a new National Cyber Strategy before the end of 2025. As part of an ongoing research project on UK cyber strategy, the RUSI Cyber and Tech research group brought together six experts from industry and civil society to offer their perspectives on the key issues and interventions the UK government should consider.

Saying Goodbye to ‘Cyber Power’

Conrad Prince

A cyber strategy refresh is an opportunity to rethink how the 2022 strategy framed the challenge. The last strategy embodied the then government’s attachment to the concept of ‘cyber power’. The term, with its militaristic overtones and slightly bombastic feel, divides opinion and has sometimes been a distraction, diverting focus from the fundamental need for the UK to get better at cyber resilience.

The 2022 strategy became a ‘national cyber strategy’, not just about cyber security but trying to integrate thinking on both cyber security and offensive cyber. In practice though, they are largely quite different issues. Cyber security is a complex, highly challenging and wide-reaching resilience issue for the UK. Offensive cyber is a bespoke operational capability. It has some narrow relevance to cyber security but can be deployed against a wide range of threats the UK faces, well beyond disrupting hostile cyber actors. It needs its own separate strategic framing, as has already started.

So, it would be good to see the strategy refresh refocusing on cyber security and resilience alone, moving on from ‘cyber power’ and allowing the separate issue of the UK’s offensive cyber strategy to be handled in other ways.

Creating a Strategic Framework to Link Together UK Government Codes of Practice, Guidance and Standards

Carla Baker

The UK Government has come a long way since the publication of the first Cyber Security Strategy in 2010. This journey has included the establishment of the National Cyber Security Centre and National Cyber Force, a strong focus on developing cyber skills and capabilities, and integrating data and cyber responsibilities within the Department for Science, Innovation and Technology (DSIT).

This evolution has seen a proliferation of cyber security guidance, certifications and frameworks. Recent years have seen the introduction of the App Security Code of Practice, the Code of Practice for Consumer IoT Security, the Code of Practice for the Cyber Security of AI, the Software Security Code of Practice and the Telecommunications Vendor Security Assessment. Beyond product-specific requirements, organisations are also encouraged to adopt certifications like Cyber Essentials, while defence suppliers face the new Defence Cyber Certification. Furthermore, industry also needs to consider the NCSC Cyber Assessment Framework, and the NCSC Principles Based Assurance framework, alongside forthcoming requirements in the Cyber Security & Resilience Bill and proposed ransomware incident reporting requirement.

While these efforts are positive, they arguably represent a patchwork of advice, rather than a cohesive strategy, and result in overlapping requirements. For example, the AI and software codes both address secure deployment, maintenance and vulnerability management.

To address this fragmentation, the government should develop an overarching framework that clearly links existing codes, certifications and frameworks. This framework should provide a clear ‘user journey’, guiding vendors and users on achieving different levels of assurance, from baseline security to higher standards. It would also benefit from a dedicated section on international alignment and collaboration, helping organisations navigate EU requirements such as the EU Cyber Resilience Act and US schemes such as the Secure by Design Pledge. Furthermore, if the government develops further product-specific guidance, then it must consider developing a more modular approach. For example, the Software Security Code of Practice should function as the fundamental security baseline, with additional, specific requirements for AI or enterprise IoT built upon it. This would simplify adherence for industry, reduce redundancies, and ultimately contribute towards a more efficient and effective national security posture.

A New Cyber Threat Model for the UK

Nikita Shah

The UK has long relied upon a threat model that has become out of touch with the cyber threat landscape. This model comprises neat categories of different threat actors in cyberspace: state actors; cyber criminals; cyber hacktivists; and ‘cyber terrorists’. Yet this approach has become outdated and siloed, placing actors into tightly-defined buckets that hold up poorly against adversaries’ actual behaviour. The last 5-10 years of cyber attacks have shown that the landscape is much messier than this model allows, with significant crossovers between different types of threat actors – especially state and criminal – including their methods, motivations, and technical capabilities. These crossovers have become even more prominent with the emergence of recent geopolitical conflicts; a surge of hacktivists affiliated with different states has further blurred these lines.

Under a new National Cyber Strategy, the UK has the potential to make a significant – though uncostly – shift, by developing a more nuanced threat model. This should address three factors:

  1. Articulating crossovers between threat actors, including the different degrees of affiliation with state entities.
  2. Recognising the role of enabling technologies that lower the barrier to entry for malicious cyber actors, including commercially-available capabilities, or AI.
  3. Reflecting adversary doctrine amongst states such as Russia, China, and Iran, which do not separate out cyber from information operations.