Adapting to the Cyber Domain: Comparing U.S. and U.K. Institutional, Legal and Policy Innovations

Prime Minister Boris Johnson made it official in a statement to Parliament on Nov. 19, 2020. “I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel,” he proclaimed, adding that it “is already operating in cyberspace against terrorism, organised crime and hostile state activity.”

Public avowal of the National Cyber Force (NCF) came as no great surprise. Plans to take this institutional step had been discussed publicly before, after all. Nonetheless, it was a significant moment in the ongoing process of tailoring U.K. institutions, policies and legal frameworks to suit the evolving nature and scale of cyber domain threats and opportunities. The NCF embodies certain distinctive characteristics of the British system, including flexibility regarding institutional roles in general and the role of intelligence agencies in particular. Much the same can be said, moreover, for another recent British organizational innovation: creation of the National Cybersecurity Centre (NCSC).

The American experience throughout this same period has been analogous in many respects—including the creation of new organizations with defensive and offensive missions—yet it is by no means identical. As we shall see, institutional formalism is far more conspicuous in the American system, and so too are anxieties about the roles of intelligence agencies. Whether these are bugs or features is, perhaps, in the eye of the beholder. The comparison between the U.K. and U.S. models, at any rate, is instructive.