The UK Government Cyber Security Strategy 2022–2030 is 84 pages long. It mentions offensive cyber capability once, in a subordinate clause, in a focus box, on page 49. The remaining 83 pages describe risk management, asset discovery, vulnerability reporting, supply chain assurance, incident response, workforce development, and the adoption of the Cyber Assessment Framework across the public sector. It is thorough, competent, and well-structured. It is also not a strategy.
Rather than an issue of drafting, the document cannot contain the thing that would make it genuinely strategic, because that thing — the reciprocal logic of state cyber competition, including the UK’s own offensive posture and the adversary intent it provokes — is precisely what politics dictate that a public document must leave out. As such, if you are a practitioner building your cyber defences from this document, that structural gap has consequences you need to understand.
Strategy requires an adversary
A strategy, in any serious usage, is a theory of how applying your means produces a desired effect on an adversary pursuing their own ends. It demands that you understand not just what you are defending, but who is attacking, what they want, and why your organisation matters to them. The UK’s cyber security strategy does none of this. Its five objectives (manage risk, protect, detect, respond, develop skills) are the components of a security operations programme. While they do describe how to administer resilience, they do not link it to the strategic intentions of the actors generating the threat.
The document’s aim is that all government organisations should be resilient to known vulnerabilities and attack methods by 2030. That is a maturity target, and a reasonable one. But a maturity target is to strategy what vehicle maintenance is to a campaign plan. It ensures your equipment works. It does not tell you where to concentrate your forces or why.
In practice, if you are a CISO implementing the Cyber Assessment Framework, you are sizing your defences against a threat profile. But the threat profile describes adversary capabilities and methods, not adversary objectives. It tells you what is being done to you. It cannot tell you why, because answering that question honestly would require the UK government to describe a two-sided strategic contest in which it is an active participant, not a passive recipient. And that is not politically possible.
The adversaries have strategies. You don’t.
The actors referenced obliquely throughout the document — never named, often gestured at — do operate with genuine strategic intent, even if their cyber operations vary enormously in sophistication and purpose. North Korea’s cyber theft programme serves regime survival by generating hard currency that sanctions deny through conventional channels. China’s operations span industrial espionage, domestic surveillance, and the suppression of external dissent, each serving distinct but related political objectives. Russia employs cyber operations as one component of a broader approach to degrading institutional coherence in adversary states. These are necessarily simplified descriptions of complex state behaviours, but they share a common feature: in each case, cyber operations are means directed toward stable, rational and identifiable political ends.
The UK’s published strategy, by contrast, presents the threat environment as something to be endured and managed rather than understood as a competitive interaction. The result is a document that describes the defensive half of a strategic relationship as though it were the whole picture.
Your threat model is incomplete, and the framework cannot fix it
The Cyber Assessment Framework provides tiered profiles matched to threat levels, and organisations assess against the profile that corresponds to their function’s criticality. Sound in principle, but in practice it produces a uniform defensive posture calibrated to adversary capability rather than adversary intent. But the difference between being scanned by an automated botnet and being targeted by a state actor pursuing a specific intelligence requirement is not a difference of degree. It is a difference of kind. The botnet will move on when it encounters adequate defences. The state actor will adapt, persist, and find another way in, because the objective driving the operation has not changed. Achieving your Cyber Assessment Framework (CAF) profile outcomes addresses the first situation. It does not reliably address the second, because the second is shaped by strategic logic your threat profile does not and cannot capture.
The question you need to answer, which the strategy will not answer for you, is: what does my adversary want from me specifically? Not what tools they use. Not what vulnerabilities they exploit. What political or economic objective my organisation’s compromise would serve.
Identify your centre of gravity
This is ultimately a question about your own centre of gravity — the asset, function, or data set whose compromise would cause disproportionate harm and which a strategically motivated adversary would therefore prioritise.
If you are a government department managing classified defence procurement, your centre of gravity is not your email server. It is the data that reveals UK capability trajectories to a competitor. If you manage health infrastructure, your centre of gravity shifts depending on context: during a crisis, it is service continuity; in normal operations, it is patient data at population scale. If you regulate energy, it is the dependency mapping that would allow an adversary to identify cascading failure points across the national grid.
Once you identify what a strategically motivated adversary would actually want from you, your defensive posture should concentrate around that. Not distribute itself uniformly to meet a standardised profile. Compliance with the CAF is necessary. But the gap between compliance and genuine strategic defence is precisely the space the document’s unwritten section would have occupied — the section that explains who is coming for you, what they want, and what that means for where you put your resources.
Reading the silence
The Government Cyber Security Strategy is not a bad document produced by people who don’t understand strategy. It is a public document produced under conditions that make honest strategic disclosure impossible. You cannot publish a candid account of reciprocal cyber competition without exposing capabilities, revealing intelligence sources, and acknowledging that the UK’s own operations shape the threat environment its departments face. The genre of ‘published national cyber strategy’ is therefore structurally evasive, given it must present administrable resilience in place of the adversarial logic that would make it genuinely strategic, because that logic is classified, diplomatically sensitive, or both.
For practitioners, the implication is not that you should disregard the strategy. Implement the CAF. Build shared capabilities. Invest in your workforce and your detection capacity. But do not mistake the document for a complete account of the strategic environment you operate in. It is the publicly sayable portion of a larger contest whose most important dynamics, the ones that determine why you are being targeted and what your adversary considers worth taking, cannot appear in a document with an ISBN number.
The unwritten section is the one that matters most. Plan as though it exists.