Initial response to the Integrated Review Refresh (IR2023)
In this blogpost, Katie Barnes, Executive Director of the National Preparedness Commission, reflects on the government’s refresh of the 2021 Integrated Review of Defence, Development and Foreign Policy, with its key pillars and priorities for building the UK’s resilience and preparedness, from the perspective of NPC, and our research and engagement with stakeholders.
Earlier this month the Government published a refresh to the 2021 Integrated Review of Security, Defence, Development and Foreign Policy. The refresh was prompted largely by Russia’s invasion of Ukraine, and rightly set out to re-assess the UK’s position in the context of what it describes as a more volatile and contested world. Working from an overarching conclusion that democracies like the UK need to build our resilience, out-cooperate and out-compete those driving instability; the refreshed Review (known as IR2023) outlines a four-pillared strategy to:
1. Shape the international environment.
2. Deter, defend and compete across all domains.
3. Address vulnerabilities through resilience.
4. Generate strategic advantage.
As might be expected, it is the third of these pillars that most interests the National Preparedness Commission (NPC), and we welcome the commitment to resilience as a core pillar to the strategy. Of course, the four pillars do not work in isolation of each other – they are intricately connected and infinitely interdependent. Before commenting in detail on Pillar 3, it is therefore worth touching on the other three pillars from a preparedness perspective.
Pillar 1 – Shaping the international environment
A common thread across NPC publications and events is recognition that the world has changed, and that change is both accelerating and becoming more complex. Clearly, the UK needs to participate actively in shaping the international environment. However, we must be prepared to plan on the basis that the future which actually emerges may be significantly different from what we might have wished.
We should be cognisant that, as the UK seeks to ‘shape, balance, cooperate and compete’ wherever we are active, so too do all other actors on the international stage. IR2021 emphasised that traditional multilateral approaches and defending ‘rules-based international system’ were no longer sufficient. Seeking to rebalance the geopolitical landscape is undoubtedly an important priority, and we do have to take account of, or engage with, those who do not naturally align to our values and ambitions. However, an objective and continuing assessment of the performance of such international activity must be reflected in the UK’s risk assessment activity, including the monitoring of ‘weak signals’ that may indicate subtle shifting of the sands on which such activities are grounded. It would make good sense to broaden the ambition, ensuring that – wherever possible – investment in reshaping the international environment can be leveraged into building a capacity for flexibility, adaptability and resourcefulness in a fragmented and turbulent environment.
The commitment to development is welcome, and the thematic priorities of tackling climate change, environmental damage and biodiversity loss, as well as the commitment to supporting sustainable development, are important. However, it is not clear from IR2023 how the implications of efforts to address these global challenges are incorporated into our shared understanding of the risks facing the UK.
Pillar 2 – Deter, defend and compete across all domains
The aspiration to invest 2.5% of GDP on defence ‘as fiscal and economic circumstances allow’ reflects the defence needs of a more volatile context than that to which we have become accustomed in recent decades. However, we must continue to carefully judge the trade-offs in budget allocations if the expenditure is to realise the expected outcomes. For example, headline expenditure on assets and resources must extend to the cost of implementation or bringing modern capabilities into service. Lessons learnt (including those from the Ukraine conflict) are only valuable insofar as they can be adapted and integrated into the UK context.
Changes to the defence architecture and expenditure will undoubtedly have resilience implications. Again, we expect that such changes will be routinely fed through into the National Security Risk Assessment (NRSA) and the public-facing National Risk Register (NRR), but it is not clear how this will happen. That said, we are supportive of the continued work to break down siloes within departments and to collaborate on building threat-agnostic capabilities.
Pillar 4 – Generate strategic advantage
IR2023 sets out some of the strengths and assets that deliver strategic advantage in today’s world. It is helpful to see these recognised, however, they should neither be taken for granted (cutting BBC budgets is unlikely to enhance its global reputation) nor be elevated to the detriment of strengths or assets that may be needed in the future.
Science and technology are noted as being central to national power in the decades ahead, however, the prioritisation of five key areas may be too rigid a limitation. Science and technology capabilities need, simultaneously, to generate strategic advantage internationally and to build core resilience domestically – notably in public health, environmental health and ‘future-fit’ Critical National Infrastructures. Creating strategic advantage in science and technology relies on participation and collaboration in international research programmes, and our status in this regard is currently unclear, and actively increases risk to this strategy.
Of course, resilience comes not just through strategic advantage but also through being prepared to take advantage tactically or opportunistically. In times of upheaval or instability, the ability to pivot resource to capitalise on opportunities (which may be transformative, as the mission-focussed response to Covid-19 treatment, testing and vaccination capability has shown) as well as communication, alignment, and even collaboration between departments responsible for setting and delivering against national strategies is critical; as well as the capability to work in real time with those at the delivery end of the strategy. In this context, we welcome the announcement of a focus – through the new National Protective Security Authority (NPSA) – to provide an interface between government and UK businesses, building on the commitments outlined in the UK Government Resilience Framework (UKGRF) to work more closely with partners, and move towards a ‘whole of society’ resilience model.
Pillar 3 – Address vulnerabilities through resilience
The clear focus on resilience is extremely helpful, particularly in recognising that the UK, like most countries, has vulnerabilities to both known and unknown risks. Adding the concept of vulnerability to the traditional risk management dimensions of impact and likelihood has been a recurring recommendation in the NPC’s work, including in the evidence we gave to the December 2021 report from the Special Select Committee of the House of Lords on Risk Assessment and Risk Planning. (“Preparing for Extreme Risks: Building a Resilient Society”).
The assessment of national vulnerabilities announced in the Refresh is welcomed – such an assessment being an essential prerequisite for a holistic and comprehensive resilience strategy. It is to be hoped that this process is integrated with the refreshed approach to the NSRA/NRR, and that it is an iterative process, not a one-off exercise. Vulnerability/resilience indicators across all core capabilities and infrastructures should be inferred from the assessment, and used as a basis for reporting under the annual resilience statement to Parliament, committed to in the UKGRF.
The methodological change – separating acute and chronic risks – is logical and ensures that due attention is paid to each category. However, attention should also be paid to the interaction of chronic and acute risks, threats or stressors which can lead to new or deepening vulnerabilities. A sound methodology is required for understanding the critical resilience factors needed to withstand acute risks, and for monitoring any negative impact on those factors that chronic risks may bring about. Resilience needs to be understood as being multi-dimensional: built, maintained and assured over multiple timeframes; emergent from the interactions of multiple systems; and able to deal with more than one threat at a time.
The Refresh introduces five priority areas of vulnerability, to be addressed in the immediate term, and the first of these – energy security – exemplifies this multidimensional approach. The measures outlined to improve resilience against manipulation by hostile actors and market volatility make sense, however the UK must also be prepared for these measures to underperform. Testing the nation’s capability for dealing with a future energy crisis would de-risk the vulnerability even further.
We welcome the measures related to climate adaptation and sustainable food production, as outlined in the 2022 Food Strategy. This is an important area of focus, since without reliable access to affordable and nutritious food, the underlying physical resilience of the British people is threatened, leading to further pressures on our health and welfare systems. The NPC has commissioned research into this theme, and will be publishing findings this winter.
The second priority is to protect the UK’s economic security, combining an enhanced capability for more precise and targeted economic sanctions with strategies to protect economic activity, including supply chains and technologies. Such measures are both helpful and necessary – malicious activity must be prevented or, at least, swiftly curtailed. Supply chains and secured access to critical raw materials can be expected to be a more contested activity, however, as all nations seek to shorten supply chains and bid for their share of finite resources. Alongside these measures the UK needs to be planning for how to thrive during supply interruptions or even a cessation of supply.
The third priority – democratic and social resilience – is, we feel, underplayed in IR2023 and it is clear that more work remains to be done to ensure that democracy is understood in a far broader context than the electoral systems and infrastructure. The DSIT Counter Disinformation Unit, for example, should be working to rebalance the asymmetry of voice within the wider system, in which social and digital media – a haven for AI-powered bots, and conspiracy and extremist groups – has the effect of de-legitimising the core electoral system and democratic institutions in the eyes of certain groups in society.
The fourth priority of cyber security and resilience is welcome, however, work by the NPC and BCS (Elephant in the Room) highlights a wider vulnerability to software risks, not limited to cyber attacks. The skills needed to counter cyber vulnerabilities are also deployable against other software risks (e.g., the system ‘getting it wrong’, software failures compromising critical services or infrastructure, legacy or ‘black box’ systems being poorly understood and managed, leading to vulnerabilities). We see a clear need and compelling argument for drastically increasing cyber and software literacy at all levels of society – harnessing the eyes and ears of all users into the security effort.
The fifth priority is to strengthen UK borders, to ‘reduce the UK’s vulnerability to threats from terrorists, criminals and state actors, prevent illicit goods from reaching the UK, stop illegal migration, and protect the UK’s biosecurity’. The announcement of strategies and enhanced penalties send a strong message, however borders are, by their nature, porous and those who want to broach them are unfailingly innovative. The reality is that we are far from having the physical capability to enforce these in light of the vast volumes of traffic through our land, sea and air ports. The UK will need to take a considered view of how much risk it is prepared to tolerate, weighed against the implications (delays, complexity, barriers to trade) that could be entailed. Agreed risk tolerances will be a critical tool in the day-to-day implementation of the UK’s strategic intent.
IR2023 introduces a number of new units, departments or Centres of Excellence within government, and references a plethora of related strategies – each focussed on a particular strand of resilience-building. A proliferation of new entities, in and of itself, has the potential to introduce new vulnerabilities, and we would be keen to see more information on how necessary links, inter-dependencies and intelligence-sharing are to be managed. In particular, care needs to be taken to transfer institutional knowledge and expertise from units to be retired or replaced so that it is not lost. It is not clear whether some of the entities referenced in IR2023 are simply new names for existing or evolving units. The Centre for National Security (CfNS), for example, reported to be ‘launching and delivering the first UK National Security Curriculum’ may or not be part of the Emergency Planning College (EPC) (and its successor, the UK Resilience Academy (UKRA)) announced in the UKGRF.