Tag: defence

The UK Government Cyber Security Strategy 2022–2030 is 84 pages long. It mentions offensive cyber capability once, in a subordinate clause, in a focus box, on page 49. The remaining 83 pages describe risk management, asset discovery, vulnerability reporting, supply chain assurance, incident response, workforce development, and the adoption of the Cyber Assessment Framework across the public sector. It is thorough, competent, and well-structured. It is also not a strategy.

Rather than an issue of drafting, the document cannot contain the thing that would make it genuinely strategic, because that thing — the reciprocal logic of state cyber competition, including the UK’s own offensive posture and the adversary intent it provokes — is precisely what politics dictate that a public document must leave out. As such, if you are a practitioner building your cyber defences from this document, that structural gap has consequences you need to understand.

Strategy requires an adversary

A strategy, in any serious usage, is a theory of how applying your means produces a desired effect on an adversary pursuing their own ends. It demands that you understand not just what you are defending, but who is attacking, what they want, and why your organisation matters to them. The UK’s cyber security strategy does none of this. Its five objectives (manage risk, protect, detect, respond, develop skills) are the components of a security operations programme. While they do describe how to administer resilience, they do not link it to the strategic intentions of the actors generating the threat.

The document’s aim is that all government organisations should be resilient to known vulnerabilities and attack methods by 2030. That is a maturity target, and a reasonable one. But a maturity target is to strategy what vehicle maintenance is to a campaign plan. It ensures your equipment works. It does not tell you where to concentrate your forces or why.

In practice, if you are a CISO implementing the Cyber Assessment Framework, you are sizing your defences against a threat profile. But the threat profile describes adversary capabilities and methods, not adversary objectives. It tells you what is being done to you. It cannot tell you why, because answering that question honestly would require the UK government to describe a two-sided strategic contest in which it is an active participant, not a passive recipient. And that is not politically possible.

The adversaries have strategies. You don’t.

The actors referenced obliquely throughout the document — never named, often gestured at — do operate with genuine strategic intent, even if their cyber operations vary enormously in sophistication and purpose. North Korea’s cyber theft programme serves regime survival by generating hard currency that sanctions deny through conventional channels. China’s operations span industrial espionage, domestic surveillance, and the suppression of external dissent, each serving distinct but related political objectives. Russia employs cyber operations as one component of a broader approach to degrading institutional coherence in adversary states. These are necessarily simplified descriptions of complex state behaviours, but they share a common feature: in each case, cyber operations are means directed toward stable, rational and identifiable political ends.

The UK’s published strategy, by contrast, presents the threat environment as something to be endured and managed rather than understood as a competitive interaction. The result is a document that describes the defensive half of a strategic relationship as though it were the whole picture.

Your threat model is incomplete, and the framework cannot fix it

The Cyber Assessment Framework provides tiered profiles matched to threat levels, and organisations assess against the profile that corresponds to their function’s criticality. Sound in principle, but in practice it produces a uniform defensive posture calibrated to adversary capability rather than adversary intent. But the difference between being scanned by an automated botnet and being targeted by a state actor pursuing a specific intelligence requirement is not a difference of degree. It is a difference of kind. The botnet will move on when it encounters adequate defences. The state actor will adapt, persist, and find another way in, because the objective driving the operation has not changed. Achieving your Cyber Assessment Framework (CAF) profile outcomes addresses the first situation. It does not reliably address the second, because the second is shaped by strategic logic your threat profile does not and cannot capture.

The question you need to answer, which the strategy will not answer for you, is: what does my adversary want from me specifically? Not what tools they use. Not what vulnerabilities they exploit. What political or economic objective my organisation’s compromise would serve.

Identify your centre of gravity

This is ultimately a question about your own centre of gravity — the asset, function, or data set whose compromise would cause disproportionate harm and which a strategically motivated adversary would therefore prioritise.

If you are a government department managing classified defence procurement, your centre of gravity is not your email server. It is the data that reveals UK capability trajectories to a competitor. If you manage health infrastructure, your centre of gravity shifts depending on context: during a crisis, it is service continuity; in normal operations, it is patient data at population scale. If you regulate energy, it is the dependency mapping that would allow an adversary to identify cascading failure points across the national grid.

Once you identify what a strategically motivated adversary would actually want from you, your defensive posture should concentrate around that. Not distribute itself uniformly to meet a standardised profile. Compliance with the CAF is necessary. But the gap between compliance and genuine strategic defence is precisely the space the document’s unwritten section would have occupied — the section that explains who is coming for you, what they want, and what that means for where you put your resources.

Reading the silence

The Government Cyber Security Strategy is not a bad document produced by people who don’t understand strategy. It is a public document produced under conditions that make honest strategic disclosure impossible. You cannot publish a candid account of reciprocal cyber competition without exposing capabilities, revealing intelligence sources, and acknowledging that the UK’s own operations shape the threat environment its departments face. The genre of ‘published national cyber strategy’ is therefore structurally evasive, given it must present administrable resilience in place of the adversarial logic that would make it genuinely strategic, because that logic is classified, diplomatically sensitive, or both.

For practitioners, the implication is not that you should disregard the strategy. Implement the CAF. Build shared capabilities. Invest in your workforce and your detection capacity. But do not mistake the document for a complete account of the strategic environment you operate in. It is the publicly sayable portion of a larger contest whose most important dynamics, the ones that determine why you are being targeted and what your adversary considers worth taking, cannot appear in a document with an ISBN number.

The unwritten section is the one that matters most. Plan as though it exists.

Is the Strategic Defence Review an Engineered Response? Rethinking UK Defence in an Age of Bricolage

By Matthew

On June 9, 2025

In Strategy

Abstract

Looking at the situation, the United Kingdom’s 2025 Strategic Defence Review (SDR) projects a confident rationality: an “Integrated Force” designed to deter, fight, and win through “constant innovation at wartime pace” (Ministry of Defence, 2025, p. 14). Yet Moscow’s conduct in Ukraine has revealed a profoundly different strategic grammar. Russia behaves, in Ondřej Ditrych’s terms, as a bricoleur – an opportunistic tinkerer that stitches together ad hoc “assemblages” while actively cultivating contradictions to wrong-foot a rule-bound opponent (Ditrych, 2024, p. 2). This article argues that a defence posture optimised for elegant integration may prove brittle when confronted by such an adversary. It posits that Russia’s dialectical approach is designed to exploit the very linear logic that underpins Western military planning. By contrasting the systemic fragility of Russian bricolage, vividly exposed by the Wagner Group’s implosion, with the SDR’s search for institutional longevity, this analysis suggests that effective deterrence now requires the UK to supplement integration with a capacity for institutionalised improvisation. This ‘controlled bricolage’ is presented as a form of adaptive power, essential for reassuring allies and succeeding in an era of disorderly, attritional conflict.

1. A Strategy of Contradiction

To understand the contemporary threat is to look beyond conventional military net assessment and into an opponent’s strategic culture. Ondřej Ditrych (2024, p. 3) characterises the Russian state not as a grand strategist but as a bricoleur, a tinkerer that improvises solutions from a limited repertoire of available parts. This is more than mere opportunism; it is a dialectical method. It is comfortable with, and indeed actively cultivates, the very contradictions that would paralyse a Western staff college. Russia’s strategy often appears to be a pastiche of mutually exclusive signals: complaining of encirclement while expanding its territory, invoking international law while flouting it, and deploying high-tech weaponry alongside crudely adapted civilian technologies. This is not strategic incoherence but a feature designed to create a chaotic information environment, wrong-footing an adversary who seeks clarity and predictability.

The Wagner Group was, perhaps, the ultimate expression of this method. It was a composite entity that simultaneously functioned as a proxy military force, a resource-extraction enterprise, a political influence operation, and a vehicle for plausible deniability (Ditrych, 2024, p. 3). It allowed Moscow to project power into Africa and the Middle East in ways that circumvented the rules of state-on-state competition. Yet this bricolage has a breaking-point. Such ad hoc structures lack institutional resilience. Wagner’s spectacular implosion following Yevgeny Prigozhin’s 2023 mutiny was not the result of external pressure but of the unbearable internal frictions of the system that created it (Ditrych, 2024, p. 4). This reveals the core vulnerability of the bricoleur: a reliance on improvised, personality-driven structures that can shatter under systemic stress, a stark contrast to the West’s enduring, if cumbersome, search for institutional longevity.

2. The Limits of an Engineered Deterrence

The SDR’s answer to this disorderly world is a renewed drive for rational integration. It proposes a force “integrated by design” (Ministry of Defence, 2025, p. 15-16), directed by a new Military Strategic Headquarters and equipped via a streamlined Defence Investment Plan. The document is, in itself, a signal of intent, a blueprint for a logical, legible, and thereby deterring military machine. However, in applying this lens, it arguably misreads the nature of the challenge. As the RAND Corporation’s work on national power suggests, military effectiveness is not simply a function of material capabilities– the ships, tanks, and aircraft a nation possesses. It depends equally on the efficiency of the conversion process that turns those national resources into usable military power (Treverton and Jones, 2005, p. 18). Russian bricolage is, in essence, a high-speed, high-risk conversion strategy. The UK’s SDR, with its focus on creating new bureaucratic structures and processes, risks optimising its inventory of capabilities while neglecting the need for a truly agile conversion mechanism.

This creates a deterrence paradox, which plays out for multiple audiences. The first, and most obvious, is the adversary. As Keir Giles argues, Russia often discounts material symbols of Western strength, focusing instead on a perceived lack of political will and a hesitation to accept risk (Torun, 2024, p. 667, summarising Giles). A bricoleur state, seeking seams to exploit, is unlikely to be deterred by a show of conventional force that it believes will never be used in the ambiguous ‘sub-threshold’ where it prefers to operate. The second, and equally critical, audience is domestic and allied. Effective deterrence requires not only a credible threat but also the reassurance of one’s own public and partners that the nation can withstand and respond to shocks. This requires a resilient defence industrial base capable of surging production. The SDR acknowledges this, noting that a nation’s Armed Forces are only as strong as the industry behind them (Ministry of Defence, 2025, p. 7), but the deep-seated challenge of moving from peacetime efficiency to wartime industrial mass remains a critical constraint on the UK’s own risk appetite and, therefore, its credibility.

3. Towards an Elastic Architecture: Institutionalising Bricolage

If Russia’s strategic advantage lies in its tolerance for disorder, then an effective counter-strategy cannot lie solely in the imposition of a more perfect order. The UK must learn to fight fire with fire, supplementing its integrated blueprint with a capacity for institutionalised improvisation. This means cultivating a form of ‘controlled bricolage’ as a source of adaptive power. Treverton and Jones (2005, p. 11) noted two decades ago how the information technology revolution would inevitably move action away from slow-moving governments and “toward nimbler organisations.” The SDR’s proposal for an “expert Digital Warfighters group” (Ministry of Defence, 2025, p. 47-49) is a promising, if nascent, step in this direction. For this to become a genuine source of advantage, however, it must be treated not as a specialist enclave but as a guiding ethos for the entire force, empowering small teams at the tactical edge to experiment, adapt, and exploit opportunities at a speed the adversary cannot match.

This, in turn, requires a fundamental shift in the Ministry of Defence’s culture of procurement and risk. It necessitates an embrace of “good-enough” solutions that can be fielded rapidly, with iterative upgrades baked into the process, rather than pursuing perfect capabilities that risk arriving too late. Such an approach accepts that in a state of constant technological flux, some failure is inevitable and should be treated as an opportunity for accelerated learning. This is the logic behind the Royal Navy’s planned regulatory “sandbox” for autonomous systems (Ministry of Defence, 2025, p. 105-106), a concept that must be expanded across all domains. An elastic and adaptive force, capable of improvising under pressure, offers a more credible deterrent to a bricoleur than a rigid one, however powerful. It signals a capacity to endure, to adapt, and to respond effectively amid the very chaos the adversary seeks to create.

4. Conclusion

Arguably, a rationally designed and integrated force remains indispensable for the enduring demands of high-intensity warfare. Integration alone, however, is no longer sufficient. The central insight for UK defence is that an over-optimisation for elegant, systemic coherence can itself become a vulnerability when facing an opponent whose strategy is to weaponise disorder. Power in the 21st century is increasingly a function of adaptability. The challenge, therefore, is to create an architecture that is not only strong but also elastic; one that can, when necessary, fracture gracefully into many semi-autonomous nodes, each authorised to improvise within the commander’s intent. Deterrence means more than pure strength, it is the ability to adapt one’s defence to the changing strategic landscape.

Bibliography

Ditrych, O. (2024). DECONSTRUCTING RUSSIA’S BRICOLAGE TACTICS: Strategic insights for defeating the Kremlin. EUISS Brief 18. Paris: European Union Institute for Security Studies.

Ministry of Defence. (2025). Strategic Defence Review 2025: Making Britain Safer, Secure at Home, Strong Abroad. London: HM Government.

Torun, Z. (2024). Review of ‘Russia’s War on Everybody. And What it Means for You’, by Keir Giles. Europe-Asia Studies, 76(4), pp. 667-668.

Treverton, G. F. and Jones, S. G. (2005). Measuring National Power. Santa Monica, CA: RAND Corporation.

Matthew Toy

Strategist

Strategic leader with a passion for applying digital innovation to solve complex challenges in the public sector and regulated industries. With over 20 years' experience, I specialise in leadership, digital transformation, and building high-performing teams to deliver impactful outcomes. My expertise encompasses programme delivery, regulatory governance, and future-oriented strategic analysis, informed by ongoing study in International Affairs (Cybersecurity) and practical experience as a Special Sergeant in policing. I am driven by a commitment to public service and leveraging technology to enhance strategic decision-making and deliver positive societal impact.

LinkedIn Profile

Thoughts, reflections and experiences