Mapping the Risk: A Criminogenic Framework for Understanding Cyber Threats to the UK

The UK is not targeted by cybercriminals because it is vulnerable. It is targeted because other states are permissive.

There remains a dangerous asymmetry between the way cyber threats are generated and the way they are understood in development and diplomatic programming. The UK’s risk is increasingly shaped by how other states, many of them recipients of development assistance, govern, regulate, or tolerate illicit digital activity. Yet policy responses too often remain confined to the domestic perimeter, or worse, equate cyber risk with technical deficiency.

This is not simply a gap in cybersecurity strategy. It is a blind spot in how we read geography. The UK needs a framework to assess where risk is being generated abroad, and why.

From Capacity to Conditions: A Criminogenic View of Cyber Risk

The concept of criminogenic environments comes from criminology. It describes the conditions that make crime more likely: not just poverty or opportunity, but institutional tolerance, regulatory incoherence, and tacit political bargains that allow criminal enterprise to embed and scale.

When applied to cyber risk, this lens exposes a critical point: cybercriminal economies do not arise from technical failure alone; they grow in places where the state either cannot or will not impose consequences. In other words, where the digital environment is criminogenic.

To make this operational, we propose the Seven-Dimensional Cyber-Criminogenic Assessment Framework, a structured way to evaluate how different geographies contribute to the UK’s external exposure.

The Seven-Dimensional Cyber-Criminogenic Assessment Framework

| Dimension | What It Captures | Example Indicator or Diagnostic Question |
| --- | --- | --- |
| 1. Shadow Economies & Corruption | Normalisation of illicit finance and protection rackets | Are cybercrime proceeds easily laundered through local systems? |
| 2. Digital-Regulatory Gaps | Unregulated expansion of digital access without cyber hygiene or enforcement | Are ISPs, platforms, and data handlers subject to enforceable standards? |
| 3. Legal Ambiguity | Fragmented or transitional legal frameworks | Are cyber offences clearly defined and prosecutable under current law? |
| 4. Institutional Discoordination | Gaps between cybersecurity, policing, intelligence, and financial oversight bodies | Are agencies equipped and incentivised to collaborate on cyber threat mitigation? |
| 5. Geopolitical Hedging | States balancing between rival power blocs, limiting cooperation with UK agencies | Does the state avoid intelligence-sharing due to geopolitical ambiguity? |
| 6. Demographic Risk Pool | Large youth populations with digital skills but few formal economic opportunities | Is there a high concentration of digitally skilled but economically idle young men? |
| 7. Cooperation Deficits | Absence of effective operational ties with UK or international cybercrime authorities | Does the state cooperate meaningfully with INTERPOL, Europol, or the UK’s NCA? |

Diagnosing Risk, Not Blaming States

The departure of the United States from its informal role as global guarantor of order has created a strategic vacuum. What emerges is not a symmetrical multipolar world, but a system marked by fragmented authority and functional non-polarity. No state or coalition can credibly enforce cross-border rules on conflict, climate, health, or finance at scale.

As a result, development actors are no longer implementing within a coordinated international architecture. They are operating amid a set of overlapping and often contradictory risk environments, where action is no longer justified on the basis of consensus, but increasingly on the basis of domestic political defensibility.

Generalised Use Case: A Fictional Profile of Cyber Risk Convergence

Consider a hypothetical state in which the following conditions co-exist:

· A vibrant ICT talent pool, largely self-taught and underemployed;

· ISPs operating without meaningful security oversight or data protection regimes;

· Criminal code last updated in the early 2000s, with no cybercrime-specific clauses;

· A national police force that does not coordinate with its computer emergency response team (CERT);

· Leadership engaged in geopolitical hedging between Western alliances and alternative power centres;

· No current cyber cooperation with UK law enforcement or intelligence agencies.

This state has not declared itself a threat. But it is one, indirectly, structurally, and predictably. It functions as a staging ground, logistics base, and laundering zone for cybercriminal activity targeting Western infrastructure, including that of the UK.

This is where cyber risk becomes political. Not because development actors wish to securitise the digital space, but because failing to recognise criminogenic conditions abroad is now a domestic liability.

Where Current UK Approaches Fall Short

Despite progress in cyber strategy and international cooperation, UK development and diplomatic tools still tend to approach cybercrime through two limited lenses:

1. Technical Capacity Building: Programmes often focus on expanding access, digital skills training, or e-governance, implicitly assuming that inclusion equals resilience. These efforts can be beneficial, but they do not address the institutional and geopolitical enablers of cybercriminality. In fact, expanding digital access without governance oversight may accelerate the growth of permissive cyber economies.

2. Judicial Reform and Rule of Law Support: While vital, these programmes often lack the specificity needed to confront cybercriminal structures, especially in jurisdictions where the law is ambiguous, enforcement is selectively applied, or state actors are complicit.

What’s missing is a strategic intelligence-led approach to programming, one that recognises that cyber risk is not abstract. It has geography. It has enablers. And it has consequences.

What Should Change: Strategic Implications for UK Actors

The UK must do more than “support digital development.” It must map and act upon the conditions that externalise risk into its own systems. This requires alignment between development, diplomacy, and cyber governance arms.

Here’s what that shift might look like:

1. Integrate Criminogenic Analysis into Risk Profiling

Country strategies should include structured assessments of cyber-criminogenic risk, not just cyber readiness or digital access metrics. This is particularly important in countries with fluid legal regimes or political hedging behaviour.

2. Target Strategic Governance Functions

Programming should strengthen the specific institutions that inhibit or enable permissive cyber environments: prosecutors, CERTs, financial intelligence units, telecoms regulators, and cross-border cyber task forces, not just justice ministries or IT trainers.

3. Link Development to UK Strategic Exposure

Funders should prioritise geographies where permissive cyber environments pose credible risk to UK infrastructure, institutions, or citizens. This includes risk to the financial sector, political integrity, online harms, and fraud targeting the UK population.

4. Break Silos Between FCDO, NCSC, and NCA

A whole-of-government approach is essential. Development actors must be brought into strategic conversations around cybercrime trends, offshore jurisdictional risk, and the indirect effects of permissive cyber environments.

5. Engage Diplomatically on Cyber Impunity

Where cooperation is lacking, or intentionally withheld, the UK must be willing to use diplomatic pressure, conditionality, and deterrence. Soft power has limits. Deterrence, backed by intelligence and legal pressure, will increasingly matter.

Criminogenic Programming: From Normative to Strategic

This is not about abandoning cyber development norms (rights, access, literacy), but about acknowledging that these do not insulate the UK from the political economy of permissive cyber geographies. A rights-based lens without a power-based analysis is insufficient.

The framework proposed here doesn’t call for moral judgement. It calls for strategic awareness. Where risk is generated, programmes must intervene. Where permissiveness is incentivised, through financial opacity, political ambiguity, or institutional drift, the UK must assess its exposure and act accordingly.

Conclusion: A Framework for Strategic Selectivity

The Seven-Dimensional Cyber-Criminogenic Framework is not just an analytical model; it is a tool for strategic selectivity. It helps UK policymakers ask the right questions: not only “how can we help build capacity?” but “what risks does this state’s permissiveness create for us?”

That’s not a shift in values. It’s a shift in perspective, from cyber as a domestic threat to cyber as a geopolitical ecosystem, in which development policy plays an active role.

If the UK is to protect its infrastructure, economy, and democratic resilience, it must think not just about who targets it, but about who enables the targeting.

© 2024 Developmentum. All Rights Reserved.