When Defence Spending Becomes a Cyber Security Problem
The UK government wants to hit 3% of GDP on defence by 2029, several years earlier than originally planned. That's an additional £17.3 billion a year by 2029/30 on the OBR-based estimate that’s been widely cited.
No formal decision has been taken yet and the Treasury is reportedly cautious, but the direction is clear. At the Munich Security Conference Starmer said “we are going to have to spend more, faster”.
I've spent 30 years in cyber and information security, including time in the Royal Navy. And I've watched what happens when organisations spend big on capability without funding the boring stuff underneath it. The people, the hygiene, the practised recovery.
You end up scaling complexity faster than you scale resilience. And that gap is where attackers live.
Where the money doesn't go
Defence spending conversations are about platforms, munitions, headcount. The big visible stuff. That's what gets funded because that's what fits on a slide.
But the thing that actually makes all of it work is the plumbing. The networks, the patching, the access controls, the identity management. Nobody wants to fund that because it's not exciting and it doesn't photograph well.
Then someone walks through an unpatched test environment or a third-party connection nobody's monitoring. And suddenly the expensive kit doesn't work the way it's supposed to.
That's not a hypothetical. It's the reason the MOD brought in things like Defence Cyber Certification and Secure by Design style thinking. They've seen what happens when the supply chain isn't held to the same standard as the front-line systems.
The supply chain gap
Defence contractors handle cyber security for their core IT. That's the basics. But consistency slips across engineering teams, field support, contractors, test environments, legacy platforms and third-party connections. That's where attackers actually get in.
The numbers back this up. Only one in ten UK businesses review the risks from their immediate suppliers. For the wider supply chain it drops to 7%. Cyber Security Breaches Survey 2025 (UK Government)
Russian military intelligence actors have repeatedly used credential-harvesting and fake login pages as part of their playbook, including spearphishing that routes victims to fake login pages impersonating government entities and cloud providers. CISA / NSA / partners advisory (May 2025)
They don’t need to break “the front door”. They look for the joins. And engineering supply chains are full of joins: SaaS platforms, tooling, third parties, remote access, contractors, and updates that nobody wants to treat as a high-risk pathway until it’s too late.
The MOD’s own core networks are heavily defended and continuously targeted. But the supply chain around them is a different picture.
The SSCL breach
In May 2024 the MOD revealed that payroll provider SSCL had been breached. A malign actor gained access to part of the armed forces payment network, affecting data tied to around 270,000 personnel. Hansard statement (7 May 2024)
Bad enough. But the real failure was the timeline. Public reporting said SSCL became aware in February and didn’t inform government for months. The Guardian (10 May 2024)
Think about that. A supplier handling payroll for a quarter of a million military personnel sat on a known breach for months.
The MOD ordered a full review, and there was cross-government scrutiny because SSCL operated across government departments. The Guardian (10 May 2024)
This is the thing I keep coming back to with clients. Either the supplier didn't know they'd been breached, which means their detection is broken. Or they knew and didn't escalate, which means the relationship is broken. Both are bad. But the second one is worse because you can't fix it with technology.
And there's a legal dimension. Under UK GDPR you're required to report a personal data breach to the ICO within 72 hours of becoming aware of it (ICO guidance). When the MOD found out, they reported it within that window. They did what they were supposed to. The issue is what happened before government even knew the breach existed.
So now you've got a supplier who failed operationally, failed to escalate, and left the MOD exposed to a data protection situation that wasn't of their making. That's the supply chain risk in one example.
What actually saves you
Most of the defence supply chain treats security as a paperwork exercise. You document your controls, you pass your audit, you file it and move on. And if something goes wrong you can point at the folder and say "we had a policy."
That's not the same as being able to respond.
I helped build out an online healthcare service for a company contracted to deliver it for DWP. Sensitive personal data, a government department as the client, real delivery obligations. We didn't just write the incident response plan. We ran it. We tested who made what call, who talked to DWP, who shut what down and in what order.
That's what I mean by practising recovery. Not reading the plan. Running through a scenario where you don't know what's coming, the pressure is real, and you find out whether your escalation path works or falls apart.
It costs you a morning. Maybe a day. That's nothing compared to finding out your plan doesn't work when you're three hours into a real incident and the client is on the phone.
What a breach actually costs you
When suppliers look at DCC they see the cost of getting certified. The time, the paperwork, the effort. That's what they focus on.
They're looking at the wrong number.
The cost that matters is what happens to your contracts and your reputation if you get breached. Not the recovery cost. The trust cost.
Look at what happened with M&S. They said the incident would cost around £300 million in lost operating profit and their online operation was disrupted for weeks. Reuters (May 2025)
Then the UK Business and Trade Committee wrote to Tata Consultancy Services asking about incidents affecting Jaguar Land Rover, M&S, and Co-op, and to explain its role and findings. Committee letter (PDF, 26 Sept 2025)
TCS denied responsibility. But M&S later ended its helpdesk contract with them, and Parliamentary scrutiny intensified. Financial Times (Oct 2025)
Whether or not a supplier is technically at fault, the perception of being the common link across multiple public incidents causes real commercial damage.
That's the supply chain risk playing out in public. And that's a global outsourcing firm with the resources to absorb the hit.
Now imagine you're a £30M defence supplier and the same thing happens. You probably don't survive it.
For smaller suppliers in the defence chain, there's often no second chance. Defence primes and government departments are under pressure to lock down their supply chains. If you're the company that got breached, you're a risk. It doesn't matter that you met every technical requirement on the tender.
The NCSC handled 204 nationally significant cyber incidents in the year to September 2025, up from 89 the year before (NCSC, Oct 2025). This isn't theoretical. It's the environment you're operating in.
DCC isn't mandatory yet. That's the point.
Defence Cyber Certification isn't required for every MOD contract right now. But it's heading that way. And the MOD has been pretty clear about it. Their own guidance says suppliers should align to DefStan and take supply chain cyber seriously. Def Stan 05-138 (Issue 4) on GOV.UK
Some MOD tenders already specify DCC at a certain level. Where they do, you need it. Where they don't, being certified still helps because it gives the buyer one less thing to worry about.
What I see with a lot of the companies I work with is that they're already doing most of the right things. They just aren't documenting it in a way that counts as evidence. DCC expects evidence. Without it you end up repeating work you've already done, which is frustrating and expensive.
DCC builds on DefStan 05-138, which sets out the controls. What DCC adds is a consistent way of proving those controls are actually in place and working. IASME: DefStan is the cornerstone
The certificate lasts three years, with annual attestation and continued Cyber Essentials (or Plus, depending on level). IASME DCC FAQs
The bit that catches people out is subcontractors. If you're using subs who aren't used to MOD work, validating their security is now your responsibility. That's a conversation most suppliers haven't had yet.
The NATO spending problem
At the 2025 NATO summit, members agreed to spend at least 3.5% of GDP on core defence by 2035, plus up to 1.5% on security infrastructure including protecting critical infrastructure, defending networks, and civil preparedness. That's 5% of GDP total. NATO: The Hague Summit Declaration (25 June 2025)
On paper it looks like a coordinated plan. In practice, interoperability is where this falls apart.
Working together across NATO requires trust. Trust means agreeing on minimum security controls, agreeing on what counts as evidence, agreeing on who makes decisions when something goes wrong. And those are exactly the things that start slipping when everyone's under pressure to spend fast and show results.
From my time in the Navy I saw how difficult joint operations are even when everyone's on the same side and supposedly working to the same standards. I was on the SOSUS ranges doing sonar trials and we had all sorts of fun converting metric to imperial for our hosts. That's a trivial example but it stuck with me. If you can't seamlessly agree on units of measurement during peacetime trials, think about what happens when you're trying to align cyber incident reporting across 32 nations under pressure.
An attacker doesn't need to break the front-line capability. They need to get into the supply chain, the logistics, the identity management that makes everything else work. That's easier when the joins between allies aren't properly secured.
And it gets worse the deeper you go. Most organisations don't have visibility of their supply chain beyond the first tier. Third- and fourth-tier suppliers? Nobody's checking those.
What to do this quarter
If you're running a company turning over £10M to £100M and you want to work in defence, DCC and DefStan 05-138 are how you meet the bar. Get certified, get the evidence together, get it documented. That's the entry ticket.
But what actually wins trust is showing you can operate under pressure. That your people know who does what when something goes wrong. That you can contain an incident, communicate clearly, and recover without losing days arguing about who's responsible for what.
So here's one thing I'd tell you to do this quarter. Block out 90 minutes. Run an incident response scenario. Don't script it. Don't tell people what's coming. Make it feel real.
You'll find out very quickly whether your escalation path actually works. You'll find out who takes charge and who disappears. You'll find out whether the plan you wrote six months ago survives contact with a room full of people under pressure.
That 90 minutes will tell you more about your actual security posture than any audit report.
The bigger picture
Defence programmes now make up 41% of unfunded projects, up from 16% in 2024 (EY-Parthenon, Mind the (Investment) Gap 2025). EY newsroom summary (and report PDF)
The Strategic Defence Review is blunt about the threat, including “hybrid threats” like cyber attacks and sabotage, and the need for “total deterrence”. UK Government announcement (25 Feb 2025)
There's a lot of money coming and not much time.
Fast procurement means corners get cut. Corners in cyber mean gaps. And gaps in the defence supply chain aren't a commercial problem. They're a national security problem.
If you're a supplier in this space, the practical question is straightforward. Get DCC certified now while it's still voluntary and you have time to do it properly. Run your incident response exercises. Get your evidence together. Sort out your subcontractors.
The companies that do this before the spending wave hits will be the ones trusted with the work. The ones who wait will be trying to catch up under pressure, and that's when mistakes happen.
Sources
- UK defence spending context + the “£17.3bn a year” estimate (Commons Library): https://commonslibrary.parliament.uk/uk-to-spend-2-5-of-gross-domestic-product-on-defence-by-2027/
- Reporting on bringing forward the 3% target / Treasury caution and “spend more, faster” narrative: https://www.theguardian.com/politics/2026/feb/16/britain-needs-to-go-faster-on-defence-spending-keir-starmer
- Defence Cyber Certification (DCC) overview (IASME): https://iasme.co.uk/defence-cyber-certification/
- DefStan 05-138 (Issue 4) (UK Government): https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138-issue-4
- Cyber Security Breaches Survey 2025 (supply chain risk stats) (UK Government): https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
- SSCL breach statement (Hansard, MOD – 7 May 2024): https://hansard.parliament.uk/commons/2024-05-07/debates/56231312-9D57-4CB6-A649-EFA0621B7293/DefencePersonnelDataBreach
- SSCL breach timeline reporting (Guardian – 10 May 2024): https://www.theguardian.com/technology/article/2024/may/10/mod-contractor-hacked-china-failed-report-breach-months
- ICO guidance on personal data breach reporting / 72 hours: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
- NCSC nationally significant incident figure (Oct 2025): https://www.ncsc.gov.uk/news/uk-experiencing-four-nationally-significant-cyber-attacks-weekly
- M&S cyber impact reporting (Reuters – May 2025): https://www.reuters.com/business/media-telecom/britains-ms-says-cyberattack-cost-400-million-2025-05-21/
- UK Parliament Business & Trade Committee letter to TCS (PDF – 26 Sept 2025): https://committees.parliament.uk/publications/49627/documents/264574/default/
- NATO The Hague Summit Declaration (25 June 2025): https://www.nato.int/en/about-us/official-texts-and-resources/official-texts/2025/06/25/the-hague-summit-declaration
- EY “Mind the (Investment) Gap” (newsroom summary) + report PDF: https://www.ey.com/en_uk/newsroom/2026/01/defence-spending-uk-infrastructure-gap and https://www.ey.com/content/dam/ey-unified-site/ey-com/en-uk/services/strategy-transactions/documents/ey-mind-the-investment-gap-january-26.pdf
- UK Government national security / defence spending announcement (context for “hybrid threats” framing): https://www.gov.uk/government/news/prime-minister-sets-out-biggest-sustained-increase-in-defence-spending-since-the-cold-war-protecting-british-people-in-new-era-for-national-security