NAO brands Whitehall’s cybersecurity approach ‘confusing and chaotic’
Cabinet Office lacks overall responsibility for IT security, says watchdog
The government's cybersecurity strategy is hamstrung by too many departments issuing conflicting policies and a lack of overall accountability, according to the National Audit Office (NAO).
The spending watchdog accused the Cabinet Office of failing to co-ordinate and lead departments' IT security efforts, and said it is undermined by a lack of data on departmental cybersecurity spending and performance.
At least 12 different Whitehall teams help protect data, and issue guidance to help others do so, the NAO said in its Protecting information across government report.
However, their varying policies make reporting data breaches "chaotic", and leave departments confused about whose advice to follow, according to the watchdog.
There were also 73 separate teams covering security in Whitehall departments, the NAO found, comprising 1,600 staff.
The report said there was little cohesion in the management layer above these teams: "The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office."
With departments in charge of their own security policies, government "has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information", the NAO said.
By the Cabinet Office's count, the collective IT security spend of 34 departments is £300 million a year, but it acknowledged that actual costs could be "several times" higher, because departments fail to record this data.
Some departments, such as the Ministry of Justice, also struggle to attract people with cybersecurity skills.
A total of 8,995 data breaches were recorded by 17 government departments between 2014 and 2015, and while the NAO expects the forthcoming National Cyber Security Centre to provide a central point for some of the government's cyber skills, it called for wider reforms to streamline cybersecurity management.
"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report," the report read.
The NAO also criticised the government's Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, saying their expected benefits have been slow to materialise.
The PSN in particular promised between £200 million and £400 million in savings by 2014, but has delivered just £103.4 million of those, with no further savings expected.
The watchdog called on the Cabinet Office to set out how it will improve cybersecurity support for departments, adding that it should streamline the roles and responsibilities of those involved in forming cybersecurity policies and guidance.
A Cabinet Office spokesman said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.
"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.
"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course."