Production Perig - stock.adobe.c

National Cyber Security Strategy mostly failing, says PAC report

The Cabinet Office is on track to deliver only one objective of the 12 outcomes initially established in the National Cyber Security Strategy, with value to taxpayers still unclear

The National Cyber Security Strategy (NCSS) is mostly failing, with the Cabinet Office set to achieve only one strategic outcome of the 12 objectives it aimed to deliver by 2021, a damning Public Accounts Committee (PAC) report has found.

According to the report released 5 June, the department has given evidence that it did not intend to achieve all the outcomes outlined in the 2016-2021 strategy, nor was it able to say how many it did intend to achieve.

The 12 outcomes of the NCSS, a five-year, cross-government strategy with a budget of £1.9bn, include cyber crime detection and prevention, managing risk in the critical national infrastructure, and development of cyber security skills.

The single outcome the Cabinet Office will be able to deliver by the end of the current term is incident management, the PAC report said, adding that the department demonstrated low confidence regarding its ability to achieve the other goals.

Incident management, according to the NCSS, is “the management and coordination of activities to investigate, and remediate, an actual or potential occurrence of an adverse cyber event that may compromise or cause harm to a system or network”.

The Cabinet Office has yet to set out its plans for cyber security once the current term ends, the report added, recommending that a long-term approach is put in place well in advance of the end of the current strategy in 2021.

In addition, the Cabinet Office cannot justify the value for taxpayers’ money from the current approach to national security, the PAC report pointed out.

It added that the absence of a business case for the NCSS and the National Cyber Security Programme (NCSP), coupled with the fact that the department did not assess if funding was sufficient for delivery of the initiatives, makes it even harder to assess value for money.

In light of this, the report recommends that a properly costed business case should be produced to support future cyber security work after 2021.

Despite recognising that cyber security is a difficult area for government to influence and regulate, the PAC report acknowledged that the government has made some progress around enhancing cyber security to protect consumers and businesses.

However, it did argue that it is still difficult for consumers to know whether connected devices or online services that hold personal information are safe to use, and highlighted the lack of a traffic light-type system to inform consumer choice.

It also added that government must do more around getting large organisations to take ownership of the issue and encourage smaller and more vulnerable companies within their supply chains to “get their cyber security right”.

Within its recommendations, the PAC report requested a response from the Cabinet Office around how it plans to influence business sectors such as retail to inform consumers about their cyber security readiness and how they plan on measuring success in that area.

Shadow cabinet minister Jo Platt said the report confirms the Conservative party’s “fundamental mishandling” of the UK’s cyber security.

“For the government to fail to achieve 11 of their own 12 strategic outcomes is an admission of their inability to get a grip on the cyber landscape, which we all ultimately pay the price for,” Platt said.

“Whether it’s the syphoning of funding away from the strategy, the failure to promote good cyber practice among consumers or the incompetent management of the strategy, this report serves as a declaration of no confidence in the Conservatives to keep us safe in the digital age,” she added.

Amid her criticisms of the government’s approach to the issue, Platt has argued that the current administration does not provide the leadership that the government and public need around cyber security and has called for the creation of a dedicated ministry.  

The PAC report follows another blistering report by the National Audit Office (NAO) published in March 2019, where concerns were raised about the government’s ability to meet the NCSS goals and protect UK citizens, business and the national infrastructure from cyber attacks.

Similarly, the NAO also touched on the issue of funding allocation and prioritisation around national cyber security work, and said the government “needs to learn from its mistakes and experiences to meet this growing threat”.  

The government view

Lack of updates on progress from the department since the current strategy began, despite pledges to do so annually, is another criticism made in the report, which anticipated that the Cabinet Office would publish its first report in May 2019.

The PAC report also requested a progress update by November 2019, with evidence-based decisions in prioritising cyber security work, including a “robust lessons-learnt exercise”.

Interestingly, the Cabinet Office did release an update outlining the NCSS achievements so far, days before the PAC report was published, on 31 May.

The strategy is based on three pillars: defend, deter and develop. Achievements set out in the department’s report under the defend pillar include partnerships with nearly 600 private and public sector organisations under the Cyber Aware campaign to provide protection guidance, as well as a cyber security guide aimed at small and medium-sized enterprises (SMEs) that has been distributed to “tens of thousands” of businesses.

Under the deter pillar, the Cabinet Office noted it built an international coalition around responding and deterring state-directed cyber attacks and deterring future incidents through the adoption of an EU sanctions regime to directly penalise hackers, freezing their assets and banning them from entering the UK.

Achievements made in the develop workstream cited by the department included the participation of more than 55,000 youngsters in the government’s Cyber Discovery and CyberFirst learning programmes, designed to build a pipeline of expertise in the field.

Updates on progress around the strategic outcomes were provided, and the Cabinet Office stated that it was confident that the government “has made good progress” in delivering on the plan’s objectives overall.  

The department’s report also stated that work is being carried out to look beyond 2021, but accepted that the “government does not have all the answers” when it comes to cyber security.

“Independent reviews of the strategy have rightly said that our approach could benefit from more external expertise, and so we are continuing to engage widely across industry, academia and civil society to help shape our vision for the future,” the report noted.

The Cabinet Office has said there is a “clear desire” for continued leadership from central government on cyber security, and stepping back from that would jeopardise progress made so far. It added that there is a “need for flexibility” to allow government to enhance its approach as work progresses.

The department also noted that the cyber security issue “cannot be addressed by government alone” and that, despite its long-term ambition to make cyber security business as usual, this will take time to achieve.

According to the Cabinet Office, the approach beyond 2021 will shift towards “embedding cyber security into policy making, regulatory frameworks, business practices, research agendas and institutional structures throughout government and society”.

The department argued that as well as a threat, cyber security represents a “significant opportunity” for the UK.

“Better security should go hand in hand with digital transformation, which has the potential to unlock growth and innovation for businesses and citizens across the country,” the report said.

“Our domestic strength and expertise in cyber security allows us to take a leading role setting standards globally and contesting visions of the internet and technology that threaten our values.”

Read more about cyber security in the UK

Read more on IT for government and public sector

Data Center
Data Management