National Cyber Security Programme at risk of missing targets

The Cabinet Office dropped the ball when it established the National Cyber Security Programme in the autumn of 2016, and the government now does not know whether it will be able to meet the programme’s goals, or adequately protect UK citizens, businesses and infrastructure from cyber attacks after 2021, according to a report by the National Audit Office (NAO).

Despite some notable successes – such as the establishment of the National Cyber Security Centre (NCSC) in 2017 – the NAO said it was unclear whether or not the programme, which was designed to establish a “focal point” for cyber security activity across government, would achieve any of its wider strategic outcomes by 2021.

This was partly due to the difficultly of dealing with the ever-changing and complex cyber security landscape, but also because the Cabinet Office had not properly assessed whether the £1.3bn of funding – out of £1.9bn of funding allocated to the National Cyber Security Strategy – set aside for the programme was sufficient.

The NAO said that despite agreeing a joined-up approach to security as far back as 2015, the Cabinet Office had not produced a proper business case for the programme, which meant that the HM Treasury had no way to assess its funding levels ahead of time.

Additionally, the programme’s work was delayed after a third of its planned funding was redirected to some of the UK’s wider national security needs, such as counter-terrorist work. This set back crucial work to understand cyber security issues.

“Improving cyber security is vital to ensuring that cyber attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security,” said NAO head Amyas Morse.

“However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences to meet this growing threat.”

MP Meg Hillier, chair of the Public Accounts Committee (PAC), said the programme was another example of an important government initiative being launched without getting the basics right.

“There were serious weaknesses in its initial set up, undermining its contribution to government’s overall cyber security strategy,” she said.

“The increasing cyber threat faced by the UK, and events such as the 2017 WannaCry attack, make it even more critical that the Cabinet Office take immediate action to improve its current programme and plan for safeguarding our cyber security beyond 2021.”

The NAO acknowledged the Cabinet Office had introduced a more robust framework to assess the programme’s performance, and asked departments to spend more on measuring their progress against defined objections. However, this was only done in 2018 and it will take time for any benefits to be seen.

Furthermore, the report added, it will be tough for the Cabinet Office to identify what it needs to do to achieve the strategy aims as it only has “high” confidence in the quality of the evidence used to assess progress against one of its 12 strategic outcomes.

The report also said that while the Cabinet Office has started work on defining its future approach to cyber security beyond 2021, it still risked repeating its previous mistakes because it was highly unlikely that the necessary work will be completed before the 2019 Spending Review, which will set government funding for the next few years.

In light of this, the NAO has made a series of recommendations to the Cabinet Office. It suggested the Cabinet Office establishes which areas of the programme are having the most positive impact and are most important to address, and to focus resources over the remaining two years of the scheme, as £648m of funding remains to be spent.

It also recommended that the Cabinet Office begins a wide-ranging consultation and strategic development process for the UK’s cyber security strategy after 2021, setting out what should be centrally funded, what should be down to the private sector, and what should be the core departmental activities; and that it considers more flexible approaches in future that involve shorter, more flexible programmes that enable it to better respond to the changing security landscape.