Copyright newstatesman
Cybersecurity has shifted from a niche tech concern to a national growth issue. The stability of the systems that power Britain’s economy – its energy grids, payment networks, and public services – now underpins the government’s wider ambitions for innovation and prosperity. But the UK continues to face a rising tide of cyber attacks, and questions remain about whether policy, industry and infrastructure are keeping pace. That challenge was at the centre of a panel discussion on the fringe of the Labour Party Conference, hosted by the New Statesman, in partnership with Fortinet. The event brought together voices from politics, research, and industry to examine how the UK can build a digital economy that is both secure and innovative. The consensus was clear: Britain needs to stop treating cybersecurity as a specialist concern and start viewing it as a condition for growth. That means strengthening basic standards, making collaboration between government and business real, and ensuring leadership and accountability reach board level. Matt Western MP, who chairs parliament’s Joint Committee on the National Security Strategy, warned that the political system has yet to grasp the scale of the threat. “I hope we don’t need an Estonia-style jolt before we act,” he cautioned, alluding to the major cyberattacks that crippled Estonia’s government and infrastructure in 2007. Western argued for stronger incentives – and penalties – to raise cyber maturity across sectors, alongside a clearer national picture of how attacks unfold and where systems remain vulnerable. Jamie MacColl, senior research fellow in cyber and tech at RUSI, described the past year as one of the most expensive for UK cyber incidents on record. Yet, he said, political and policy attention remain “minimal”. “Most cyber crimes are committed the same way they have been for years,” he noted. “It’s our inability to do the basics that holds us back.” Those basics, set out by the National Cyber Security Centre through its Cyber Essentials scheme, include multi-factor authentication, sound access controls and secure data backups. The challenge is less about technology, MacColl said, and more about ensuring every organisation meets the same minimum standard. Western agreed that government has to play a more active role. “Carrots will help, especially for smaller firms,” he said. “But it’s too expensive not to act.” He suggested audit-style reporting on cyber resilience, akin to health and safety disclosures, and expressed surprise that some major manufacturers still lack cyber insurance despite the risk of supply-chain disruption. Vinous Ali of the Startup Coalition argued that innovation must be part of the answer. Investment is flowing into cybersecurity and defence technology, she said, yet the state still struggles to buy from early-stage firms quickly enough. “In a field so fast-moving, relying on incumbents to keep innovating is difficult,” she said. Startups also need clearer incentives, such as tax credits, to invest in secure-by-design systems, and more consistent government messaging on priorities such as end-to-end encryption. “Mixed signals confuse both founders and customers,” she warned. Dan Kendall, Fortinet’s public-sector CTO for the UK and Ireland, described an escalating contest. “If some are not using AI, our adversaries certainly are,” he said. Criminal groups are now operating at industrial scale, forcing defenders to work faster and smarter rather than simply spending more. Kendall stressed the importance of consolidation, reducing duplication in security tools and using automation to augment human judgement. He also underlined the continuing role of human error: “The overwhelming majority of breaches start with phishing.” Awareness, he said, needs to begin early through initiatives such as NCSC’s recent CyberFirst[CP1] programme in schools. Even small design changes, such as adding friction or prompts before users take risky actions, can make a difference. When discussion turned to leadership, the panel agreed that cybersecurity must be seen as a strategic risk, not an IT line item. “Boards often rank cyber as their top threat,” Kendall said, “but they rarely translate that into sustained investment.” Quantifying risk in financial terms – downtime, reputational damage, loss of production – can help release funds and focus attention on prevention. Ali added that transparency is essential. Too few organisations disclose what has gone wrong or what lessons have been learned. MacColl pointed to the government’s loan guarantee to Jaguar Land Rover after its cyber incident: “That kind of public support should come with an obligation to share insights so others can learn.” For the UK more broadly, MacColl argued, momentum has slowed. “The EU has become far more interventionist on resilience. If the UK continues to rely on voluntary measures, it risks falling behind.” Ali agreed that in fields like cybersecurity, closer alignment with international standards – particularly the EU’s product and data regulations – could strengthen export potential and raise baseline safety. The discussion also looked to emerging threats. Kendall noted that the “edge” – the growing number of connected devices from EV chargers to home sensors – represents a new frontier. Many are built without adequate safeguards. He welcomed new NCSC guidance for connected devices but said it will only help if it is widely adopted and enforced. Western meanwhile endorsed the potential of a secure digital ID system, already common in other countries, provided it is introduced transparently and backed by robust safeguards. Ali and MacColl cautioned that the coming challenge may be proving not just identity but humanity, as AI agents begin to act on users’ behalf. Throughout the session, one theme recurred: partnership. Effective cybersecurity depends on a steady alliance between government, regulators, industry and users. The forthcoming Cyber Security and Resilience Bill should provide the legal foundation, the panellists agreed, but collaboration must move faster than legislation. The tools exist: clear minimum standards, better reporting and threat-sharing mechanisms such as the Cyber Threat Alliance, where competitors exchange intelligence for collective defence. The task is to make them work in practice, ensuring that what “good” looks like on paper is reflected in real-world resilience. The message from Liverpool was not alarmist but pragmatic. Cybersecurity is no longer a separate technical field; it is part of the UK’s economic infrastructure. Growth, innovation and investment all rely on confidence that the systems underpinning daily life are secure. Building that confidence will take more than slogans about resilience. It will require sustained attention, from boardrooms and ministers alike, to the professional, essential work of getting the fundamentals right.
