NAO details progress and challenges of UK cyber security strategy

The UK government’s strategy for cyber security is delivering benefits even in its early stages, according to the National Audit Office (NAO)

The UK government’s strategy for cyber security is beginning to deliver benefits despite still being in its early stages, according to a review by the independent National Audit Office (NAO).

The UK Cyber Security Strategy, published in November 2011, set out how the government planned to deliver the National Cyber Security Programme until 2015.

To support this programme, the government committed £650m in additional funding. But collaboration with business and citizens and addressing the shortage of cyber skills remain crucial to success, the NAO report warned.

The report highlighted several areas of initial progress, including:

  • The take-down of 36 website domains that were selling compromised credit card and financial data in 2012 by the by the Serious Organised Crime Agency (Soca), preventing more than £500m in fraud;
  • In the past year, the public reported to Action Fraud over 46,000 incidents of cyber crime, representing £292m in attempted fraud;
  • The Police Central e-crime Unit, with other international agencies, suspended over 15,000 websites engaged in fraud;
  • Intelligence agency GCHQ and CPNI launched the cyber incident response pilot scheme to provide links to organisations certified to deal with cyber security attacks;
  • GCHQ launched a scheme to certify information assurance and cyber security professionals in the UK and a programme to develop cyber security talent in schools and universities;
  • The first eight UK universities have been awarded “Academic Centre of Excellence in Cyber Security Research” status.

However, the NAO identified six key challenges to implanting the government’s cyber security strategy:

  • Forming effective partnerships with industry to reach a common understanding of risks and share the costs of protecting UK;
  • Addressing the UK’s current and future ICT and cyber security skills gap;
  • The need to increase awareness so that people are not the weakest link;
  • Tackling cyber crime and enforcing the law at home and abroad;
  • Getting government to be more agile and joined-up;
  • Demonstrating value for money.

The NAO report expresses particular concern about the lack of cyber talent, leaving the UK vulnerable to attack. The shortage of cyber ICT skills “hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future,” the report said.

UK cyber security strategy aims

  • Tackle cyber crime and make the UK one of the most secure places in the world to do business;
  • Make the UK resilient to cyber attack and be better able to protect its interests in cyberspace;
  • Help shape an open, stable and vibrant cyberspace which the UK public can use safely;
  • Build the UK’s knowledge, skills and capability to underpin all cyber security objectives.

Costs and benefits

The NAO recognised some challenges in establishing the value for money of the cyber security strategy.

The report noted that, if cyber attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy.

There was also the challenge of determining the relative contribution to overall success or otherwise of different components of the strategy.

And there was the challenge of assigning a value to the overall outcome to set against the cost of the strategy, the NAO report said.

However, the NAO notes that government has work underway to measure the benefits of the strategy.

Amyas Morse, head of the NAO, said the threat to cyber security is persistent and continually evolving.

“Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack,” Morse said.

Morse said although it is good that the government has articulated what success would look like at the end of the programme, it was crucial to have some way of measuring progress towards those goals and assessing value for money.

Public Accounts Committee concerns

The NAO said the report is designed to set the scene in an area likely to be of continuing interest to the Public Accounts Committee (PAC).

Although the PAC has not specifically examined the issue of cyber security, it has raised concerns about cyber security in relation to the government’s plans for smart meters, which will enable energy suppliers to collect meter readings over the internet.

The PAC has also expressed concern about a lack of detail on cyber security plans in the government’s 2011 ICT strategy.

The NAO report stresses that government must work hand-in-glove with people and businesses to build awareness, knowledge and skills, said Margaret Hodge MP, chair of the PAC.

“With this government committing £650m additional funding to cyber security, my committee will want to ask how the action of the fifteen government organisations involved in delivering the strategy is being properly co-ordinated and what progress has been made,” Hodge said.

Commercial benefits

Hodge noted that safe and secure use of the internet is increasingly essential for UK businesses to flourish and for society to function.

“The value of the UK’s internet-based economy stood at an estimated £121bn in 2010, some 8% of the UK’s GDP, which is a greater share than for any other G20 country,” she said.

The use of the internet for commerce and communication is a force for good, said Hodge, but it also poses new and growing threats that government, businesses and individuals cannot ignore.

“With around 80% of the internet in private hands, crossing international boundaries and spanning different jurisdictions, the government cannot approach internet security in isolation," said Hodge.

“Having a robust and well thought-through strategy is crucial if the government is to respond effectively to cyber threats.”

Nominet – the independent registrar for the .uk internet domain – released a statement to coincide with the publication of the NAO report.

UK partnership approach

“The government’s approach of partnership with industry is more proactive than other methods, for example the European Commission’s proposals for mandatory reporting and fines, and should therefore bring more effective results,” said Alex Blowers, director of legal and policy at Nominet.

“Simply setting standards and measuring compliance is a very limited method of assessing cyber security as the source and type of threat can change very quickly. So sharing information and rapid reactions in the way suggested in the report are key to cyber security and a step in the right direction,” Blowers said.

While government is doing a good job to highlight the issue, said Blowers, the responsibility should lie with all internet stakeholders to commit resources to continuously work together to develop security policies and strategy.

Read more on Hackers and cybercrime prevention