As part of his ongoing efforts to ensure an economically viable post-Brexit Britain, Secretary of State for International Trade Liam Fox has recently released a new Cyber Security Export Strategy for the UK, targeting the period up to 2021. As the UK has experienced some eventful times since the previous strategy was released in early 2014, this was in principle a welcome move.
However, the strategy lacks convincing substance on the technological side, and targets the wrong countries. Liam Fox apparently does not want to admit that the UK’s largest cyber security export market of all is seriously at risk for multiple reasons.
How much, when, and where?
The numbers bear out that in the five-year period up to 2016, the cyber security sector has grown massively. Estimates of the size of the world market have gone from between 35 and 120 billion pounds in 2011 to over 150 billion pounds now. UK exports in cyber security were stated to be some 800 million pounds in 2011, and for 2021 Liam Fox and his team are aiming for £2.6 billion. That sounds like a solid but ambitious target.
The new strategy mentions a number of target markets. Expansion is particularly aimed for in the USA, the Gulf states, India, Japan, and South-East Asia. In 2016, these accounted together for less than 40% of the cyber security export market of the UK. Of the total IT and telecommunications export for the UK in 2016, the US took 22%, Gulf states including Saudi Arabia 4%, India 1%, Japan 1%, Singapore 1%. The US is considered a mature rather than developing market, which means it would only ever grow slowly; even doubling the exports to all the other listed countries would increase total exports by only 7%.
So what were the target markets for the 2014 strategy? Has targeting actually worked over the last period? There was special mention for Brazil because of the Olympics, using London 2012 as a cyber showcase for Rio 2016 – but the total share of IT and telecoms UK exports to Brazil is now 0.5%, having dropped dramatically since 2014. (Let’s see if the similar argument made now for Japan and its Olympics works out this time.) Malaysia was also mentioned because of its early identification of cyber security as an issue in the 1990s – in 2016 they were at 0.3% of the UK total IT exports, and slightly below the 2014 level. The Gulf states and India were targets in the previous round, too – with India dipping in recent years on total IT exports. So none of these have contributed much to the near-doubling of UK cyber security exports from £805M in 2011 to £1.5B in 2016.
Don’t mention the EU
With Liam Fox’s position on Brexit all too well-known, maybe it is no surprise that the EU is barely mentioned in the new cyber export strategy. Well – it gets two mentions, both in the context of regulation that the UK is subject to: on weapons exports, and on data protection. We will have to come back to the GDPR later. The importance of the EU to the UK’s cyber exports is evident from the figures. In 2016, the EU-27 accounted for well over half of it. Of the total IT exports from the UK, they have been receiving some 40% over the last few years, with otherwise only the US achieving a double-figure percentage. With the potential of significant trade barriers between the UK and the EU-27 after Brexit, this market has to be considered at serious risk now. Ironically, if any sector knows that strategy may be about avoiding disasters rather than about sketching rosy futures, it’s cyber security!
Interestingly, the lack of reference to the EU in the cyber export strategy is not a 2018 novelty. The 2014 strategy was also looking the other way – maybe justifiably as trade with Europe in the pre-Brexit days was not really perceived as “export”. So this strategy happily claimed US, China, Japan, and India taking up some 70% of UK cyber security exports between them – which could only be correct if the EU was excluded. Maybe an indication of how things felt only four years ago – exports to the EU running so smoothly that they were hardly noticed.
Next, how can an opinion piece in computing from May 2018 be complete without considering the ominous GDPR? Liam Fox’s advert for his strategy in the New Statesman is probably the exception. At least the export strategy acknowledges that “New regulation such as the EU’s General Data Protection Regulation is driving organisations to build information security into their wider strategy” – in a document which consistently reduces privacy and data protection to just data security.
However, here may be another area in which the strategy fails to consider a risk to the UK’s exports. Post Brexit, the UK will be implementing a new Data Protection Act which despite its faults still closely matches the GDPR. If the UK were still an EU country, this would be enough for UK cyber businesses to be able to process personal data for European customers. However, with Britain outside the EU, an explicit decision on adequacy of the UK legislation will need to be taken, and the outcome is by no means a certainty according to the European Commission. Doubts in this area relate to the wide-ranging powers of internet surveillance and retention in the UK, but possibly also to exemptions slipped into the Data Protection Bill at various stages.
Will this affect UK cyber security businesses? Certainly not all of them – hardware and many kinds of software contain and process no personal data, so such trade is largely impervious to the GDPR. However, where cyber security software overlaps with AI (another of the UK flagship IT industries according to the government line), and in the cyber intelligence analysis industry, where the market is set to grow dramatically, personal data is likely to play a role. An adjudged lack of data protection in the UK may stop UK companies from successfully providing such services to EU customers, for example in the cloud. So it’s not just “no-deal” and other possible trade barriers that contribute a Brexit risk to the UK cyber industry.
So what is in it?
The strategy certainly contains some interesting insights. For example, “the rise in disruptive digital technologies” is held responsible for the discovery of vulnerabilities, when we had been assuming it was due to ancient bugs, badly designed interfaces, and unimaginative attacker models.
Of course it couldn’t avoid mentioning the UK government’s £1.9B investment in cyber security – Fox’s New Statesman piece even took that for its title. We can’t really tell how much of it has been spent already – but given that it was first announced in 2016 we should hope the pot has been emptied somewhat by now. Much of the export strategy reiterates elements of this old overall strategy, including work on the academic research side that has only a very thin connection to exports, and a picture of the shiny new National Cyber Security Centre building.
The Department for International Trade’s main activities will be “Pursue”, “Enable”, and “Respond”. These represent targeting governments with their CNI (critical national infrastructure), bespoke offers in specific sectors (government; finance; automotive; health; energy and CNI; infrastructure), and rebranded marketing with general exporting advice, respectively. None of the export advice sounds revolutionary: regional representatives, trade fairs, and mentored “growth mindsets” for SMEs.
A vision of where the thematic growth in the UK cyber security industry might or should be is mostly lacking, summarised in the document as “The Digitisation of Everything”. There are brief mentions of AI and the recent government initiatives in that area. We are told that blockchain is “entirely web-based”, and has commercially available applications in “personal identification” – the one area where exports indeed had better be outside the EU, as the GDPR precludes its use for personal data.
Overall the UK government is presenting a cyber security export strategy which ignores its main export market despite it being under serious threat. Given that this threat is mostly of the politicians’ own making, the blinkered view of the world was maybe unavoidable. This still should not have stopped them from deepening the thematic vision and long-term strategy for the UK cyber industry. Privacy by design, smart cities, assisted living, and internet of things, for example, are all areas with security dimensions and significant potential within the UK that do not even get a mention. Given world-wide growth in demand, cyber security exports outside the EU will likely grow, but it is not clear whether and how this strategy contributes to that.
This blog post was written by Professor Eerke Boiten, Director of the Cyber Technology Institute at De Montfort University.
It was published as “An opinion on the UK’s Cyber Security Export Strategy” in Cyber Security Practitioner 4 (6), http://www.cecileparkmedia.com/cyber-security-practitioner/
 UK Defence and Security Export statistics for 2016, https://www.gov.uk/government/publications/uk-defence-and-security-export-figures-2016/uk-defence-and-security-export-statistics-for-2016
 Office for National Statistics: Trade in services by country and type of service 2014 to 2016, https://www.ons.gov.uk/economy/nationalaccounts/balanceofpayments/adhocs/008172tradeinservicesbycountryandtypeofservice2014to2016
 Cyber Security, the UK’s approach to exports, UKTI, February 2014, https://www.gchq.gov.uk/sites/default/files/Cyber_Security-the_UKs_approach_to_exports.pdf
 New Statesman, Liam Fox MP: Why the UK is investing £1.9bn in cyber security, 4 May 2018, https://www.newstatesman.com/spotlight/cyber/2018/05/why-uk-investing-19bn-cyber-security
 Information Commissioner’s Office, Policy views for parliamentarians and legislators. https://ico.org.uk/about-the-ico/what-we-do/ico-policy-views/
 European Commission, Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection, http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=611943