Persistent weaknesses in cyber security posture and policy are imposing costs on the UK’s economy, hampering growth, and exposing critical national infrastructure (CNI) to increasing levels of risk.
As such, the British government must steel itself to get its hands dirty and take a far more interventionist approach to cyber security when it publishes its full National Cyber Action Plan in the coming months, according to experts at the Royal United Services Institute (Rusi).
In a new report published by the Whitehall-based defence and security think tank, titled Rebooting the UK’s Cyber Strategy, research fellows Jamie MacColl and Joseph Jarnecki agree with the government view – outlined last month – that the nation’s current approach to cyber has not kept up with the scale and impact of current threats in spite of “strong institutional foundations and internationally respected policy frameworks”.
Noting an estimated £14.7bn cost to the UK economy every year – according to government stats – and the impact of nationally significant cyber attacks such as the £1.9bn attack on Jaguar Land Rover, the report describes a pattern of “voluntary guidance, fragmented accountability and weak enforcement” that are leaving British organisations dangerously exposed to both financially and politically-motivated security threats.
“Weak cyber security undermines UK growth and national security. A new approach to UK cyber strategy is needed,” said MacColl. “Future economic growth without cyber resilience is built on shaky ground.”
According to MacColl and Jarnecki, it is only by making a decisive shift towards an interventionist strategy that treats resilience as a core component of economic security and not a discretionary technical issue, that the UK as a collective can stand up to these threats.
The report lays out four key recommendations for the government to consider as it works to reframe the national approach to resilience.
- Change the conversation around the UK’s cyber strategy to one that centres economic security and urgency, setting out a clear strategic narrative that properly reflects the consequences of insecurity. MacColl and Jarnecki argue that such a focus will signal that “resilience is a prerequisite for continuity.” Risk should be made foundational to corporate governance with board-level accountability and transparent reporting rules.
- Recognising that a grey zone exists between the two, the government should develop a new, hybrid threat response models that bridges the gap between cyber criminals and nation states.
- Actually hold technology suppliers accountable for insecure products and services. The report sets out a series of misaligned market incentives, limited liability, information asymmetries, different priorities, and private profit that should be addressed.
- Enforce cyber regulations through properly resourced regulators.
The report authors said that the country stood at a crossroads after the tumultuous events of 2025, which exposed the fragility of national resilience, but at the same time elevated cyber in the national and political conscience.
They said the forthcoming Action was a golden opportunity to reduce systemic harms, protect the economy, and strengthen national security, but that it would be of limited use if security was treated as a technical afterthought, or if compliance is made voluntary.
“Instead, government must actively shape markets, enforce standards and embed accountability across both public and private sectors,” they said.
A panel of experts, including the NCSC’s chief technology officer Ollie Whitehouse and the agency’s former head, Ciaran Martin, will be discussing the report’s findings and the future of Britain’s cyber strategy at an event to be held on 10 February.
