From Cyber Security to Cyber Power: Appraising the Emergence of ‘Responsible, Democratic Cyber Power’ in UK Strategy

Across three successive strategies (2009, 2011 and 2016) ‘cyber security’ was the umbrella concept for United Kingdom (UK) cyber strategy. Conceptual continuity belied changes in substance, as the state played an increasingly active role, particularly domestically. Cyber security remains a top priority in the UK’s most recent (2022) strategy, but it was superseded as the umbrella concept by ‘cyber power’. We argue that this was a deliberate decision, global in outlook, and with complex and contestable strategic implications. The UK’s concept of ‘responsible, democratic cyber power’ (RDCP) responds to significant changes between 2016 and 2022 in the geopolitics and threat environment affecting (but not confined to) cyberspace. The UK’s new cyber strategy promises to align domestic and international actors under an integrated approach, addressing perceived strategic vulnerabilities and exploiting opportunities to pursue national interests. We investigate RDCP’s conceptual coherence and strategic utility, tracking its emergence as UK strategic discourse shifted from one of cyber security to cyber power. RDCP offers one avenue for states to coordinate cyber strategy, integrating the various components branded under ‘cyber’ as an instrument of national strategy – pursuing security, prosperity, and projection of national values and influence. However, there are different potential interpretations of RDCP and an even greater number of potential ways to implement it. In the UK, as elsewhere, effective cyber power requires prioritization about what a state values, whether in developing a resilient and competitive cyber ecosystem or in meeting the challenges and threats posed by systemic competitors. We conclude by reflecting on what it means to be a ‘medium-sized, responsible and democratic cyber power’ in an era of increasing inter-state competition in cyberspace.