Some senior figures have argued cybersecurity should have a dedicated cabinet minister, while others claim that a cross-cutting issue ought not be siloed. PublicTechnology editor Sam Trendall examines the issue.
Almost five years ago a parliamentary committee, chaired by former foreign secretary Dame Margaret Beckett, recommended the establishment of a clear cabinet-level ministerial role with responsibility for matters of cybersecurity.
Beckett said members of the Joint Committee on National Security Strategy – including a crossbench collection of both MPs and peers – were “struck by the absence of political leadership at the centre of government in responding to this top-tier national security threat” and considered the nomination of a minister “a matter of real urgency”.
After half a decade that has seen an explosion of online disinformation, numerous highly destructive attacks attributed to Russia, and a recent trend of supply-chain breaches that have imperilled sensitive public sector data, the issue can hardly seem less urgent.
The Home Office-based role of security minister – currently held by Tom Tugendhat, who also sits on the joint committee – has attended cabinet for the last year.
But his brief contains only the narrowly defined issue of “cybercrime” – alongside all other economic and serious or organised crime, as well as counter-terrorism activities and work related to other national threats. It would be understandable if the cyber portion of his brief was occasionally somewhat squeezed out.
Elsewhere in government, the portfolio of the chancellor of the duchy of Lancaster Oliver Dowden contains “national security, including cybersecurity” – but, again, this is just one line on a lengthy list that begins with the rather time-consuming duties of “driving delivery of government’s priorities” and “oversight of all Cabinet Office policy”.
The five-strong ministerial team at the Department for Science, Innovation and Technology – led by secretary of state Michelle Donelan – all also have some stake in the cyber landscape.
Since 2016 the UK has had a National Cyber Security Centre, which supports and coordinates response to the most severe attacks, as well as to helping promote cyber skills and awareness across the UK’s public sector and commercial landscape.
The NCSC sits under the jurisdiction of the signals intelligence agency GCHQ – which makes the cyber hub part of the purview of the Foreign, Commonwealth and Development Office. None of the department’s ministers have the word ‘cyber’ included in their list of responsibilities.
The diverse and diffuse nature of government’s stake in the cyber landscape could be seen as a reason not to have a dedicated minister for the area – much less a Department for Cyber which, it could be argued, would restrict a crucial, cross-cutting issue to its own bunker.
But a dedicated centre of focus and excellence need not be mutually exclusive with a spread of crucial expertise throughout government.
“But, even if the cybersecurity had ever been mostly about the tech and the techies – which, in any case, it has not – it quite clearly is about so much more than that now. It is about turning on the TV or paying for your shopping. And it is about war, statecraft and geopolitics. And everything in between.”
The Government Digital Service and the Central Digital and Data Office provide important technical leadership, support, and direction for the use of technology and data throughout departments. But the workforce of the two Cabinet Office entities is now far exceeded – as it should be – by in-house digital teams at the largest ministries, such as HM Revenue and Customs, the Department for Work and Pensions, and the Ministry of Justice.
Similarly, the Crown Commercial Service provides major national agreements and central leadership on issues of procurement – but commercial professionals across the public sector make the key on-the-ground decisions, informed by institutional knowledge.
Perhaps it precisely because cybersecurity can no longer be confined to its own silo that it requires more visible leadership.
When the concept of ‘cybersecurity’ is invoked, many people may still call to mind images of hackers – and the IT geeks working to keep them out – hunched over a keyboard, with the two parties probably differentiated only by the adequacy of their lighting and the colour of their hoodies.
But, even if the cybersecurity had ever been mostly about the tech and the techies – which, in any case, it has not – it quite clearly is about so much more than that now. It is about turning on the TV or paying for your shopping. And it is about war, statecraft and geopolitics. And everything in between.
As a journalist, I am certainly guilty of illustrating the concept with those awfully tired old images of the ill-lit cyber baddies. And I cannot promise, when up against a particularly tough publication deadline, that I will not do so again.
But the fact is that any story about ‘cybersecurity’ now written could be accurately represented by someone attending a doctor’s appointment, making a bank payment, or watching a film – as it could by a soldier fighting on the front line, or a politician campaigning on someone’s doorstep.
Alongside the prime minister and the chancellor, two of this country’s four great offices of state are the secretaries of state for home affairs and foreign affairs.
The ubiquity and importance of cyber is such that such a top-level dedicated minister could justifiably be called the secretary of state for everything-and-everywhere affairs.
Which sounds a vacancy it would be a good idea to fill.