
UK government must improve cyber defence efforts, say MPs

Public Accounts Committee sets out six recommendations for the Cabinet Office to address shortcomings in protecting government data as UK defence secretary expresses concern over Russian cyber activity

MPs have called on the Cabinet Office to clarify its role in protecting data within central government and to improve co-ordination of cyber defence efforts across the public sector.

“There is little oversight of the costs and performance of government information assurance projects, and processes for recording departmental personal data breaches are inconsistent and dysfunctional,” the Public Accounts Committee (PAC) said in a report on protecting government information.

“Poor reporting of low-level breaches, such as letters containing personal details being addressed to the wrong person, reduces our confidence in the Cabinet Office’s ability to protect the nation from higher threat cyber attacks,” the report said.

The PAC said increasing dependencies between central government and the wider public sector have blurred traditional security boundaries, and that in recent years the threat of electronic data loss from cyber crime, espionage and accidental disclosure has risen considerably.

GCHQ dealt with 200 national cyber security incidents that threatened UK national security every month in 2015, up from 100 a month in 2014, the report revealed.

“Concurrently, personal data breach reporting remains highly variable, with some departments recording thousands of incidents in the 2014-15 financial year and five departments recording none at all,” the report said.

Despite the launch on 1 October 2016 of the National Cyber Security Centre (NCSC), which brings together all the key organisations under a single umbrella, the committee said that, given that the threat from cyber attacks has been one of the UK’s top four risks to national security since 2010, it has taken the government too long to consolidate and co-ordinate its “alphabet soup” of agencies involved in protecting the UK in cyber space.

“The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance,” the report said. It recommended that the Cabinet Office should develop a detailed plan for the NCSC by the end of the current financial year, setting out who it will support, what assistance it will provide and how it will communicate with organisations that need its assistance.

Clear approach

The PAC said the Cabinet Office’s approach to protecting information places too little emphasis on informing and supporting citizens, service users and the wider public sector. It recommended that the government establish a clear approach for protecting information across the whole of the public sector and its delivery partners – not just central government – and clearly communicate to all these bodies how its various policy and guidance documents can be of most use, including during a data breach incident.

The report highlighted the fact that the government is struggling to ensure its security profession is suitably skilled. The PAC said that although the Cabinet Office established a security profession in 2013 to develop professional learning and career development activities for civil servants working in this field, it remains unclear as to what skills gaps exist and how to fill these in the face of UK-wide skills shortages in this area.

“The Cabinet Office is also unwilling to mandate a minimum skills standard for departments in the security profession,” the report said. “It is planning to amalgamate 40 separate departmental security teams into four larger clusters, and has established the first pilot cluster, to better enable the sharing of scarce skills across central government.”

It recommended that, within the next six months, the Cabinet Office should report to the PAC on its findings from the pilot security cluster and on what steps it is taking to improve the government’s capability in this area.

The PAC report also recommended that:

  • The Cabinet Office should regularly assess the cost and performance of government information security activities, and identify a set of baseline indicators that departments should report against to support this objective.
  • The Cabinet Office should ensure there is robust challenge built into the design of government information projects and review them regularly. It should monitor spend against budget and be clear that the expected benefits for cyber security are still achievable.
  • The Cabinet Office should consult with the Information Commissioner’s Office to establish best practice in reporting guidelines and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017-18 financial year.

A spokesman for the Cabinet Office, reported by the BBC, said: “The government has acted with a pace and ambition that has been welcomed by industry and our international partners right across the globe.

“Our comprehensive and ambitious national cyber security strategy, underpinned by £1.9bn of investment, sets out a range of measures to defend our people, businesses and assets; to deter and disrupt our adversaries; and to develop capability and skills.”

A spokesman for the NCSC said that in the four months the organisation has been operational, it has “transformed how the UK deals with cyber security”.

He said it has provided “real-time cyber threat information to 3,000 organisations from over 20 different industries, offering incident management handling and fostering technical innovation”.

The report warned that use of the internet for cyber crime is evolving fast and the government faces a “real struggle” to find enough public sector employees with the skills to match the pace of change.


The report comes amid growing concern about Russian cyber attacks and the use of cyber weaponry to disrupt critical infrastructure and disable democratic processes. US intelligence agencies attributed to Russia a cyber attack campaign believed to have been aimed at influencing the 2016 US presidential elections.

Citing cyber attacks on Bulgaria in October 2016, on the US presidential election, and on parliamentary elections in Montenegro in October 2016, UK defence secretary Michael Fallon said there had been a “concerning step-change in Russian behaviour” in the past year.

“Meanwhile, the head of the German BfV intelligence agency warned that the Kremlin is ‘seeking to influence public opinion and decision-making processes’ ahead of this year’s German elections,” Fallon said in a speech at St Andrews University.

He said Russia is clearly testing Nato and the West. “Therefore it is in our interest and Europe’s to keep Nato strong and to deter and dissuade Russia from this course,” he said.

“All [Nato] members need to step up to ensure Nato fulfils its role as the cornerstone of the West’s defence as effectively as possible.

“This means supporting reform to make Nato more agile, resilient and better configured to operate in the contemporary environment, including against hybrid and cyber attacks.

“Cyber defence is now part of Nato’s core task. Nato must defend itself as effectively in the cyber sphere as it does in the air, on land and at sea, so adversaries know there is a price to pay if they use cyber weapons.”
