Matthew Toy

Thoughts, reflections and experiences

icy banner

Tag: UK

The Missing Adversary: What the UK’s Cyber Security Strategy Leaves Out

By

On April 12, 2026

In Strategy

The UK Government Cyber Security Strategy 2022–2030 is 84 pages long. It mentions offensive cyber capability once, in a subordinate clause, in a focus box, on page 49. The remaining 83 pages describe risk management, asset discovery, vulnerability reporting, supply chain assurance, incident response, workforce development, and the adoption of the Cyber Assessment Framework across the public sector. It is thorough, competent, and well-structured. It is also not a strategy.

Rather than an issue of drafting, the document cannot contain the thing that would make it genuinely strategic, because that thing — the reciprocal logic of state cyber competition, including the UK’s own offensive posture and the adversary intent it provokes — is precisely what politics dictate that a public document must leave out. As such, if you are a practitioner building your cyber defences from this document, that structural gap has consequences you need to understand.

Strategy requires an adversary

A strategy, in any serious usage, is a theory of how applying your means produces a desired effect on an adversary pursuing their own ends. It demands that you understand not just what you are defending, but who is attacking, what they want, and why your organisation matters to them. The UK’s cyber security strategy does none of this. Its five objectives (manage risk, protect, detect, respond, develop skills) are the components of a security operations programme. While they do describe how to administer resilience, they do not link it to the strategic intentions of the actors generating the threat.

The document’s aim is that all government organisations should be resilient to known vulnerabilities and attack methods by 2030. That is a maturity target, and a reasonable one. But a maturity target is to strategy what vehicle maintenance is to a campaign plan. It ensures your equipment works. It does not tell you where to concentrate your forces or why.

In practice, if you are a CISO implementing the Cyber Assessment Framework, you are sizing your defences against a threat profile. But the threat profile describes adversary capabilities and methods, not adversary objectives. It tells you what is being done to you. It cannot tell you why, because answering that question honestly would require the UK government to describe a two-sided strategic contest in which it is an active participant, not a passive recipient. And that is not politically possible.

The adversaries have strategies. You don’t.

The actors referenced obliquely throughout the document — never named, often gestured at — do operate with genuine strategic intent, even if their cyber operations vary enormously in sophistication and purpose. North Korea’s cyber theft programme serves regime survival by generating hard currency that sanctions deny through conventional channels. China’s operations span industrial espionage, domestic surveillance, and the suppression of external dissent, each serving distinct but related political objectives. Russia employs cyber operations as one component of a broader approach to degrading institutional coherence in adversary states. These are necessarily simplified descriptions of complex state behaviours, but they share a common feature: in each case, cyber operations are means directed toward stable, rational and identifiable political ends.

The UK’s published strategy, by contrast, presents the threat environment as something to be endured and managed rather than understood as a competitive interaction. The result is a document that describes the defensive half of a strategic relationship as though it were the whole picture.

Your threat model is incomplete, and the framework cannot fix it

The Cyber Assessment Framework provides tiered profiles matched to threat levels, and organisations assess against the profile that corresponds to their function’s criticality. Sound in principle, but in practice it produces a uniform defensive posture calibrated to adversary capability rather than adversary intent. But the difference between being scanned by an automated botnet and being targeted by a state actor pursuing a specific intelligence requirement is not a difference of degree. It is a difference of kind. The botnet will move on when it encounters adequate defences. The state actor will adapt, persist, and find another way in, because the objective driving the operation has not changed. Achieving your Cyber Assessment Framework (CAF) profile outcomes addresses the first situation. It does not reliably address the second, because the second is shaped by strategic logic your threat profile does not and cannot capture.

The question you need to answer, which the strategy will not answer for you, is: what does my adversary want from me specifically? Not what tools they use. Not what vulnerabilities they exploit. What political or economic objective my organisation’s compromise would serve.

Identify your centre of gravity

This is ultimately a question about your own centre of gravity — the asset, function, or data set whose compromise would cause disproportionate harm and which a strategically motivated adversary would therefore prioritise.

If you are a government department managing classified defence procurement, your centre of gravity is not your email server. It is the data that reveals UK capability trajectories to a competitor. If you manage health infrastructure, your centre of gravity shifts depending on context: during a crisis, it is service continuity; in normal operations, it is patient data at population scale. If you regulate energy, it is the dependency mapping that would allow an adversary to identify cascading failure points across the national grid.

Once you identify what a strategically motivated adversary would actually want from you, your defensive posture should concentrate around that. Not distribute itself uniformly to meet a standardised profile. Compliance with the CAF is necessary. But the gap between compliance and genuine strategic defence is precisely the space the document’s unwritten section would have occupied — the section that explains who is coming for you, what they want, and what that means for where you put your resources.

Reading the silence

The Government Cyber Security Strategy is not a bad document produced by people who don’t understand strategy. It is a public document produced under conditions that make honest strategic disclosure impossible. You cannot publish a candid account of reciprocal cyber competition without exposing capabilities, revealing intelligence sources, and acknowledging that the UK’s own operations shape the threat environment its departments face. The genre of ‘published national cyber strategy’ is therefore structurally evasive, given it must present administrable resilience in place of the adversarial logic that would make it genuinely strategic, because that logic is classified, diplomatically sensitive, or both.

For practitioners, the implication is not that you should disregard the strategy. Implement the CAF. Build shared capabilities. Invest in your workforce and your detection capacity. But do not mistake the document for a complete account of the strategic environment you operate in. It is the publicly sayable portion of a larger contest whose most important dynamics, the ones that determine why you are being targeted and what your adversary considers worth taking, cannot appear in a document with an ISBN number.

The unwritten section is the one that matters most. Plan as though it exists.

Digital Union Jack / Tank and Drone

Is the Strategic Defence Review an Engineered Response? Rethinking UK Defence in an Age of Bricolage

By

On June 9, 2025

In Strategy

Abstract

Looking at the situation, the United Kingdom’s 2025 Strategic Defence Review (SDR) projects a confident rationality: an “Integrated Force” designed to deter, fight, and win through “constant innovation at wartime pace” (Ministry of Defence, 2025, p. 14). Yet Moscow’s conduct in Ukraine has revealed a profoundly different strategic grammar. Russia behaves, in Ondřej Ditrych’s terms, as a bricoleur – an opportunistic tinkerer that stitches together ad hoc “assemblages” while actively cultivating contradictions to wrong-foot a rule-bound opponent (Ditrych, 2024, p. 2). This article argues that a defence posture optimised for elegant integration may prove brittle when confronted by such an adversary. It posits that Russia’s dialectical approach is designed to exploit the very linear logic that underpins Western military planning. By contrasting the systemic fragility of Russian bricolage, vividly exposed by the Wagner Group’s implosion, with the SDR’s search for institutional longevity, this analysis suggests that effective deterrence now requires the UK to supplement integration with a capacity for institutionalised improvisation. This ‘controlled bricolage’ is presented as a form of adaptive power, essential for reassuring allies and succeeding in an era of disorderly, attritional conflict.

1. A Strategy of Contradiction

To understand the contemporary threat is to look beyond conventional military net assessment and into an opponent’s strategic culture. Ondřej Ditrych (2024, p. 3) characterises the Russian state not as a grand strategist but as a bricoleur, a tinkerer that improvises solutions from a limited repertoire of available parts. This is more than mere opportunism; it is a dialectical method. It is comfortable with, and indeed actively cultivates, the very contradictions that would paralyse a Western staff college. Russia’s strategy often appears to be a pastiche of mutually exclusive signals: complaining of encirclement while expanding its territory, invoking international law while flouting it, and deploying high-tech weaponry alongside crudely adapted civilian technologies. This is not strategic incoherence but a feature designed to create a chaotic information environment, wrong-footing an adversary who seeks clarity and predictability.

The Wagner Group was, perhaps, the ultimate expression of this method. It was a composite entity that simultaneously functioned as a proxy military force, a resource-extraction enterprise, a political influence operation, and a vehicle for plausible deniability (Ditrych, 2024, p. 3). It allowed Moscow to project power into Africa and the Middle East in ways that circumvented the rules of state-on-state competition. Yet this bricolage has a breaking-point. Such ad hoc structures lack institutional resilience. Wagner’s spectacular implosion following Yevgeny Prigozhin’s 2023 mutiny was not the result of external pressure but of the unbearable internal frictions of the system that created it (Ditrych, 2024, p. 4). This reveals the core vulnerability of the bricoleur: a reliance on improvised, personality-driven structures that can shatter under systemic stress, a stark contrast to the West’s enduring, if cumbersome, search for institutional longevity.

2. The Limits of an Engineered Deterrence

The SDR’s answer to this disorderly world is a renewed drive for rational integration. It proposes a force “integrated by design” (Ministry of Defence, 2025, p. 15-16), directed by a new Military Strategic Headquarters and equipped via a streamlined Defence Investment Plan. The document is, in itself, a signal of intent, a blueprint for a logical, legible, and thereby deterring military machine. However, in applying this lens, it arguably misreads the nature of the challenge. As the RAND Corporation’s work on national power suggests, military effectiveness is not simply a function of material capabilities– the ships, tanks, and aircraft a nation possesses. It depends equally on the efficiency of the conversion process that turns those national resources into usable military power (Treverton and Jones, 2005, p. 18). Russian bricolage is, in essence, a high-speed, high-risk conversion strategy. The UK’s SDR, with its focus on creating new bureaucratic structures and processes, risks optimising its inventory of capabilities while neglecting the need for a truly agile conversion mechanism.

This creates a deterrence paradox, which plays out for multiple audiences. The first, and most obvious, is the adversary. As Keir Giles argues, Russia often discounts material symbols of Western strength, focusing instead on a perceived lack of political will and a hesitation to accept risk (Torun, 2024, p. 667, summarising Giles). A bricoleur state, seeking seams to exploit, is unlikely to be deterred by a show of conventional force that it believes will never be used in the ambiguous ‘sub-threshold’ where it prefers to operate. The second, and equally critical, audience is domestic and allied. Effective deterrence requires not only a credible threat but also the reassurance of one’s own public and partners that the nation can withstand and respond to shocks. This requires a resilient defence industrial base capable of surging production. The SDR acknowledges this, noting that a nation’s Armed Forces are only as strong as the industry behind them (Ministry of Defence, 2025, p. 7), but the deep-seated challenge of moving from peacetime efficiency to wartime industrial mass remains a critical constraint on the UK’s own risk appetite and, therefore, its credibility.

3. Towards an Elastic Architecture: Institutionalising Bricolage

If Russia’s strategic advantage lies in its tolerance for disorder, then an effective counter-strategy cannot lie solely in the imposition of a more perfect order. The UK must learn to fight fire with fire, supplementing its integrated blueprint with a capacity for institutionalised improvisation. This means cultivating a form of ‘controlled bricolage’ as a source of adaptive power. Treverton and Jones (2005, p. 11) noted two decades ago how the information technology revolution would inevitably move action away from slow-moving governments and “toward nimbler organisations.” The SDR’s proposal for an “expert Digital Warfighters group” (Ministry of Defence, 2025, p. 47-49) is a promising, if nascent, step in this direction. For this to become a genuine source of advantage, however, it must be treated not as a specialist enclave but as a guiding ethos for the entire force, empowering small teams at the tactical edge to experiment, adapt, and exploit opportunities at a speed the adversary cannot match.

This, in turn, requires a fundamental shift in the Ministry of Defence’s culture of procurement and risk. It necessitates an embrace of “good-enough” solutions that can be fielded rapidly, with iterative upgrades baked into the process, rather than pursuing perfect capabilities that risk arriving too late. Such an approach accepts that in a state of constant technological flux, some failure is inevitable and should be treated as an opportunity for accelerated learning. This is the logic behind the Royal Navy’s planned regulatory “sandbox” for autonomous systems (Ministry of Defence, 2025, p. 105-106), a concept that must be expanded across all domains. An elastic and adaptive force, capable of improvising under pressure, offers a more credible deterrent to a bricoleur than a rigid one, however powerful. It signals a capacity to endure, to adapt, and to respond effectively amid the very chaos the adversary seeks to create.

4. Conclusion

Arguably, a rationally designed and integrated force remains indispensable for the enduring demands of high-intensity warfare. Integration alone, however, is no longer sufficient. The central insight for UK defence is that an over-optimisation for elegant, systemic coherence can itself become a vulnerability when facing an opponent whose strategy is to weaponise disorder. Power in the 21st century is increasingly a function of adaptability. The challenge, therefore, is to create an architecture that is not only strong but also elastic; one that can, when necessary, fracture gracefully into many semi-autonomous nodes, each authorised to improvise within the commander’s intent. Deterrence means more than pure strength, it is the ability to adapt one’s defence to the changing strategic landscape.

Bibliography

Ditrych, O. (2024). DECONSTRUCTING RUSSIA’S BRICOLAGE TACTICS: Strategic insights for defeating the Kremlin. EUISS Brief 18. Paris: European Union Institute for Security Studies.

Ministry of Defence. (2025). Strategic Defence Review 2025: Making Britain Safer, Secure at Home, Strong Abroad. London: HM Government.

Torun, Z. (2024). Review of ‘Russia’s War on Everybody. And What it Means for You’, by Keir Giles. Europe-Asia Studies, 76(4), pp. 667-668.

Treverton, G. F. and Jones, S. G. (2005). Measuring National Power. Santa Monica, CA: RAND Corporation.

Europe's Leadership Vacuum in the Shadow of Russia and America

Europe’s Leadership Vacuum in the Shadow of Russia and America

By

On March 6, 2025

In Strategy

The concept of ‘strategic culture’ as critiqued in Hew Strachan’s “The Direction of War: Contemporary Strategy in Historical Perspective” emphasises continuity and a nation’s resistance to change, shaped historically and geographically. Strategic culture includes historical memory, institutional norms, core national values, and collective threat perceptions, all contributing to a nation’s strategic posture. This comprehensive framework is valuable when examining Europe’s contemporary security challenges, specifically the strategic vacuum highlighted by the ongoing war in Ukraine and America’s ongoing withdrawal from global leadership.

Europe’s Strategic Culture

European strategic culture, forged during the Cold War, assumed stability through American military and diplomatic leadership. Strachan argues convincingly that such cultural assumptions hinder strategic flexibility, creating vulnerabilities when geopolitical realities shift dramatically, as they have since Russia’s invasion of Ukraine in 2022.

NATO-centric thinking, predicated on the guarantee of American power projection, has revealed problematic inertia… European states, notably the UK and the EU members, have found themselves scrambling to define a coherent, autonomous response.

America’s Strategic Shift from Protector to Competitor

America’s strategic withdrawal from Europe, evidenced by Obama’s pivot to Asia, that accelerated by Trump V1.0’s transactional approach, Biden’s reticence and culminating with Trump 2.0’s recent dramatic geopolitical hand grenades. This reflects not merely a change in policy but a radical break from previous expectations. This withdrawal is a revolutionary, not evolutionary, shift in global strategy, shattering Europe’s assumption of guaranteed U.S. engagement.

Strategically, this creates immediate tensions:

  • The U.S. increasingly frames its engagement with Europe as transactional and conditional upon shared responsibilities, as demonstrated by U.S. ambivalence toward NATO under Trump and Biden’s conditional engagement in Ukraine.
  • Simultaneously, Russia’s aggression has starkly shown that the belief in a diminished threat from inter-state warfare, fashionable among policymakers since the Cold War’s end, is dangerously misplaced. Strachan’s scepticism about overly optimistic predictions of war’s obsolescence resonates strongly here, given recent events.

This combination reveals Europe’s strategic culture as critically unprepared for the harsh geopolitical realities of the 21st century.

Europe’s Strategic Awakening

Europe has not been entirely inactive. The EU’s Strategic Compass, adopted in 2022, and the UK’s Integrated Review Refresh in 2023 demonstrate genuine acknowledgment of new realities. These documents move beyond purely reactive policies and represent Europe’s incremental shift towards strategic autonomy:

  • Increased defence expenditure: Germany’s Zeitenwende is a prime example.
  • Increased EU defence coordination, exemplified by the European Peace Facility funding Ukraine’s defence.
  • Renewed commitment to territorial defence and enhanced military deployments in Eastern Europe.

Yet, despite these efforts, the doctrinal and strategic mindset change has been incomplete. European policies continue to implicitly rely on the assumption of sustained U.S. involvement, despite public and political statements affirming Europe’s need for self-sufficiency.

Russia and America as Mirrors

The actions of Russia and the retreat of America each independently expose the inadequacies of Europe’s current strategic posture:

Russia’s Actions: Highlighted Europe’s continuing strategic vulnerability, emphasising weaknesses in rapid military deployment, critical capability gaps (such as long-range precision munitions and air defence), and dependence on U.S. logistical, intelligence, and strategic capabilities.

America’s Pivot Away: Underscores that strategic autonomy isn’t merely desirable but imperative. Starting with Biden administration’s reluctance to escalate beyond certain lines in Ukraine and Washington’s growing Indo-Pacific focus expose a stark misalignment between European expectations and American strategy. The most recent signals from Trump are an unequivocal message to Europe: unless there is something in it for America, you are on your own.

The Limits of Integration and NATO

While deeper European integration and renewed commitment to NATO might appear sufficient, these solutions alone are inadequate. Integration without clear autonomous capabilities risks perpetual dependency, and NATO’s structure, inherently reliant on American leadership, cannot compensate for America’s strategic reorientation. As Strachan underscores, relying purely on continuity without adaptability is strategically naive.

From Reactive Culture to Proactive Realism

Europe’s security doctrine requires nuanced recalibration rather than wholesale abandonment. The gap is not merely military, it is doctrinal, conceptual, and philosophical. A robust European strategic doctrine should:

  1. Recognise NATO’s Limitations: Explicitly acknowledge NATO’s limitations without undermining its centrality to European defence.
  2. Embed Strategic Autonomy: Clearly outline Europe’s independent capabilities and strategic objectives, moving beyond rhetoric to practical operational frameworks. Europe must realistically assess scenarios in which it may need to act without guaranteed American backing.
  3. Rethink Strategic Culture: Move beyond traditional assumptions of continuity—what previously seemed unthinkable, such as large-scale inter-state conflict, must become integral to planning and preparedness again.

Engaging Broader Perspectives

Drawing briefly from constructivist insights, strategic culture is not immutable but socially constructed, implying that European nations have the agency to reshape it consciously. Additionally, realist thinkers like John Mearsheimer caution against complacency in alliance politics, reinforcing the need for independent European capabilities.

Rethinking Doctrine for Strategic Resilience

The UK’s Integrated Review and the EU’s Strategic Compass represent valuable first steps toward a more strategic and independent Europe. However, they still fall short of addressing the fundamental gap that Russia’s aggression and America’s strategic recalibration have exposed.

Addressing Europe’s leadership vacuum demands overcoming historical and cultural inertia. It requires strategic humility: recognising that the stability provided by Cold War-era assumptions no longer applies, that threats are tangible, and that peace through strength must be anchored not in external assurances, but in Europe’s credible, independently sustainable power.

Europe must confront this reality head-on, accepting change not merely rhetorically but operationally, doctrinally, and culturally. Only then will Europe secure genuine strategic autonomy, prepared not just for today’s threats but also for tomorrow’s inevitable uncertainties.

Bibliography

  • Strachan, Hew. The Direction of War: Contemporary Strategy in Historical Perspective. Cambridge University Press, 2013.
  • European Union. “Strategic Compass for Security and Defence.” 2022.
  • United Kingdom Government. “Integrated Review Refresh.” 2023.
  • Mearsheimer, John J. The Tragedy of Great Power Politics. W. W. Norton & Company, 2001.
  • Smith, Rupert. The Utility of Force: The Art of War in the Modern World. Penguin, 2005.

Powered by WordPress & Theme by Anders Norén