NAO brands Whitehall’s cybersecurity approach ‘confusing and chaotic’

Cabinet Office lacks overall responsibility for IT security, says watchdog

The government's cybersecurity strategy is hamstrung by too many departments issuing conflicting policies and a lack of overall accountability, according to the National Audit Office (NAO).

The spending watchdog accused the Cabinet Office of failing to co-ordinate and lead departments' IT security efforts, and said it is undermined by a lack of data on departmental cybersecurity spending and performance.

At least 12 different Whitehall teams help protect data, and issue guidance to help others do so, the NAO said in its "Protecting information across government" report.

However, their varying policies make reporting data breaches "chaotic", and leave departments confused about whose advice to follow, according to the watchdog.

There were also 73 separate teams covering security in Whitehall departments, the NAO found, comprising 1,600 staff.

The report said that there was little cohesion in the management layer above these teams: "The governance arrangements above them are unclear and fragmented, with no formal links between the three most important information security decision-making bodies in the Cabinet Office."

With departments in charge of their own security policies, government "has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information", the NAO said.

By the Cabinet Office's count, the collective IT security spend of 34 departments is 300 million a year, but it acknowledged that actual costs could be "several times" higher, with departments failing to record this data.

Some departments, like the Ministry of Justice, also struggle to attract people with cybersecurity skills.

A total of 8,995 data breaches were recorded by 17 government departments between 2014 and 2015, and while the NAO expects the forthcoming National Cyber Security Centre to provide a central point for some of the government's cyber skills, it called for wider reforms to streamline cybersecurity management.

"However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report," the report read.

The NAO also criticised the government's Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, saying their expected benefits have been slow to materialise.

The PSN in particular promised between 200 million and 400 million savings by 2014, but has delivered just 103.4 million of those, with no further savings expected. 

The watchdog called on the Cabinet Office to set out how it will improve cybersecurity support for departments, adding that it should streamline the roles and responsibilities of those involved in forming cybersecurity policies and guidance.

A Cabinet Office spokesman said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.

"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.

"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course."
