The world has changed, so says the UK government, in its recently published Strategic Defence Review (SDR). Daily cyber attacks are only one part of the threats nation states face in this new terrain of digital warfare, and the plan – which includes a £1 billion ($1.36 billion) investment in a new 'Digital Targeting Web' – is designed to put cybersecurity and digital operations at the forefront of defense.
The crown jewels of this new approach will take the shape of a new Cyber and Electromagnetic (CyberEM) Command, which the Ministry of Defence (MoD) plans to launch by the end of the year. The CyberEM Command will integrate new capabilities from various disparate organizations that already form the UK's defensive fabric to command defensive cyber operations, set new demands for offensive cyber operations, and coordinate contributions to activity in the wider domain.
"The SDR rightfully highlights the rapidly changing nature of threats faced by the UK, namely in the cyber domain, and the proliferation of electronic warfare activity on the battlefields of Eastern Europe – all of which will require rapid capability development across defence," says Will Ashford-Brown, director of strategic insights at Heligan Group.
Ashford-Brown, who previously served in the British Army as a secure communications capability manager and team leader, adds that businesses positioned to counter the emerging cyber threats stand to gain, as the MoD increasingly looks to adopt innovative technologies.
But how exactly will these new operations benefit the countless digital-facing and cybersecurity businesses in the UK? With a massive amount of investment on the table, businesses should be alert as to how they can play a role in this shifting landscape, and the shifting defensive approach, as the new CyberEM Command and the broader digital strategy get up and running.
What is the new CyberEM Command?
The CyberEM Command, which will be based at MoD Corsham, Wiltshire, will offer a new forum for organizations that are currently disconnected to collaborate, co-operate, and share capabilities in the interests of safeguarding UK assets and citizens. This includes defensive and offensive cyber capabilities, with the public sector, national allies, as well as private sector players all involved in this joint, cohesive effort. The key to its role will be in developing electronic warfare capabilities, which will be the focal point for MoD and private sector interaction.
CyberEM Command will be the operational core of this new integrated force, a security expert and partner at Avella Security, Ben Harris, tells ITPro. Rather than functioning as a force execution unit, it will instead be a strategic nerve center of sorts to integrate different domains, operations and capabilities into a standardized and cohesive approach.
"It constitutes a pivotal moment for the UK's cybersecurity ecosystem, particularly for companies with military lineage or dual-domain expertise, to become strategic enablers of future warfighting capability,” Harris says. “In a battlespace where cyber and electromagnetic threats occur daily, whether through espionage, disruption, or advanced persistent threats, CyberEM emerges not merely as another command, but as the backbone of digital-era warfare and national resilience."
What does the SDR mean for businesses?
With plenty of money on the table – and a new strategic vision to follow – there will inevitably be a role for the private sector to play in execution. But not all experts can agree on what that role is yet, nor whether it has been properly defined in the announcement. As Keystone Law technology partner James Tumbridge explains: "There are potentially huge advantages, but the only clear government announcement is investment".
"It is hard to say until we can look back at actual activity," Tumbridge tells ITPro. "The government is keen for private sector engagement but that does not mean MoD civil servants have plans and intent to ensure it happens or happens with ease. There is a need for innovation and the MoD now holds valuable learnings from the Ukraine war, but we still must wait to see how far it invites private sector involvement."
Harris is more bullish on what the new announcements might mean for businesses after the MoD called for "direct industry engagement". He explained that this presents a unique and high-value opportunity for UK firms to co-create secure, agile and resilient platforms that are tailor-made for warfare in the 21st century. The key focus, for Harris, is on "human capital" and skills.
"Recognizing that the greatest concentration of cyber expertise lies within the civilian sector, the MoD mandates a "whole force" composition for CyberEM Command, blending civilian experts, reservists, and regular military personnel," says Harris. "The proposed creation of a Digital Warfighter Group offers fertile ground for industry to contribute to skills development through secondments, training programmes, or embedded expertise.
Companies with previous MoD experience, especially those employing veterans transitioning into cyber roles, are uniquely equipped to serve as operational-technical translators. These firms can play a key role in accelerating the retirement of vulnerable legacy systems while advancing open architectures, universal standards, and secure by design approaches that underpin interoperability and mission resilience."
The integration of emerging technologies like AI and quantum computing as well as autonomous systems, will demand that the industry contributes vision – not just tools. Harris predicts that cybersecurity companies stand to gain by integrating these technologies into live operations. The new processes would include real-time data processing, assured communications, and resilient cloud-based command environments.
How businesses can get a foot in the door
But how exactly can businesses begin to approach this? The gravity of this moment, says Ashford-Brown, demands that organizations take matters into their own hands. "In order to take advantage of these emerging opportunities, businesses should be proactively engaging with the MoD, such as gaining accreditation on the various MoD procurement frameworks required for certain contracts," he explains. "As part of this activity, gaining the necessary security clearances will be essential to do business in this sector."
Among the businesses Ashford-Brown highlights as capable of making a direct impact now are those able to help boost skills and expertise, as well as instill new ways of thinking and doing in others. Training delivery, in particular, is an excellent business opportunity, with the demand to upskill existing military personnel – and rapidly – a massive demand.
"The door is open for involvement in doctrine shaping, policy formulation, and standard setting, allowing industry to help steer the trajectory of force development in alignment with national and allied objectives," Harris says.
Fundamentally, however, we still lack the necessary detail to determine exactly how businesses can step up without the government doing its bit and making it clear exactly what it is looking for from the private sector, Tumbridge says. There is, however, grounds for educated speculation, as the experts ITPro consulted have been doing. Beyond this announcement, it follows that private enterprise can bid for procurement opportunities, "but until we see what the MoD ask for, we don’t know the extent of opportunities," Tumbridge adds.
What more does the industry need from the government?
It's clear the government will need the private sector – and the cybersecurity industry especially – to play a more active role in defensive (and offensive) capabilities. This is especially true for critical national infrastructure (CNI), which continues to be a target.
This, incidentally, is something the CyberEM Command will assist with by coordinating with the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC). Ashford-Brown sees this as an additional opportunity for the government to engage with the private sector to seek solutions to the ongoing and rising challenges.
But it's also fair to ask what the cybersecurity industry, and digital-facing businesses, might need more of from the government. Carla Baker, senior director of UK policy at Palo Alto Networks, says that cybersecurity is not fully highlighted as an enabler in the SDR – and critiques the extent to which it is being incorporated into the core thinking.
"Good cyber hygiene and resilience with an efficient sensor and enforcement architecture can ensure that vulnerabilities are addressed via a defence in-depth approach rather than the older bastion model," Baker tells ITPro. "The MoD needs to start embracing cybersecurity as an integral part of the digital ecosystem that can drive value and enable secure outcomes of transformation programs, rather than treat it as a standalone or 'fifth domain'."
Dominic Trott, director of strategy and alliances, UK, at Orange Cyberdefense, agrees with the sentiment. Trott is delighted and encouraged by the momentum building behind cyber resilience in the UK, but wants to see more in the future. "The market would react positively to additional investment that could genuinely support the transfer of – for example – R&D insights from public agencies such as GCHQ to energize the UK cyber sector," he noted.
Ultimately, Baker points out that effectively deploying the new capabilities mentioned in the SDR will be reliant on continued good relations with the MoD's industrial base – and extending this to new businesses.
"Enhanced relationships with its supply base is not just about procuring goods and services, it is also about creating strategic alliances that can drive innovation, improve efficiency, and enhance the overall security and effectiveness of defence operations," Baker explains. "The MoD should build on its supplier relationship and leverage industrial capabilities (human and technological) to address specific challenges when in crisis or enhanced operations.
"[The] MoD tends to take a ‘build it first’ approach and use its existing scarce resources to address a specific challenge, whereas industry may already have a solution that would suffice. The focus should be on supplementing resources into MoD in response to specific events or challenges, rather than go it alone."
