NAO brands Whitehall’s cybersecurity approach ‘confusing and chaotic’

Cabinet Office lacks overall responsibility for IT security, says watchdog

The government's cybersecurity strategy is hamstrung by too many departments issuing conflicting policies and a lack of overall accountability, according to the National Audit Office (NAO).

The spending watchdog accused the Cabinet Office of failing to co-ordinate and lead departments' IT security efforts, and said it is undermined by a lack of data on departmental cybersecurity spending and performance.

At least 12 different Whitehall teams help protect data, and issue guidance to help others do so, the NAO said in its Protecting information across government report.

However, their varying policies make reporting data breaches "chaotic", and leave departments confused about whose advice to follow, according to the watchdog.

There were also 73 separate teams covering security in Whitehall departments, the NAO found, comprising 1,600 staff.

The report said that there was little cohesion between the management layer on top of these teams: "The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office."

With departments in charge of their own security policies, government "has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information", the NAO said.

By the Cabinet Office's count, the collective IT security spend of 34 departments is £300 million a year, but it acknowledged that actual costs could be "several times" higher, with departments failing to record this data.

Some departments, like the Ministry of Justice, also struggle to attract people with cybersecurity skills.

A total of 8,995 data breaches were recorded by 17 government departments between 2014 and 2015, and while the NAO expects the forthcoming National Cyber Security Centre to provide a central point for some of the government's cyber skills, it called for wider reforms to streamline cybersecurity management.

"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report," the report read.

The NAO also criticised the Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, saying their expected benefits have been slow to materialise.

The PSN in particular promised between £200 million and £400 million savings by 2014, but has delivered just £103.4 million of those, with no further savings expected.

The watchdog called on the Cabinet Office to set out how it will improve cybersecurity support for departments, adding that it should streamline the roles and responsibilities of those involved in forming cybersecurity policies and guidance.

A Cabinet Office spokesman said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.

"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.

"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course."
