NAO slams mismanaged national cyber security programme

The programme has been criticised for failing to meet objectives and running a budget that hasn't been properly calculated

The Cabinet Office has been mismanaging the country's National Cyber Security Programme since its introduction in 2016, and the programme is forecast to fail to meet its goals, according to a National Audit Office (NAO) report.

One year prior to the programme's 2016 implementation, the Cabinet Office agreed to an overall approach on how to tackle cyber security and the spending that should go towards it but failed to make a business case for the programme.

This meant that the £1.9 billion budget allocated to the programme was misguided, according to the NAO report, and the Cabinet Office had no real indication as to how much money it would actually need to fulfil the programme's objectives.

Other factors have contributed to the programme's poor performance. The report acknowledges that in the first two years of the programme, resources and funds were allocated away from it and directed towards anti-terrorism activities.

Although the wider landscape of national security was improved, this came at the cost of cyber security and delayed the government's understanding of the cyber security threat it faces.

"It is unclear whether the Cabinet Office will achieve the Strategy's wider strategic outcomes by 2021," read the report. "This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient.

"It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved."

"In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support," said Jake Moore, cyber security specialist at ESET. "If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel."

It's not all bad, though; the report praises the programme in a number of areas, most notably for establishing the hugely successful National Cyber Security Centre (NCSC).

The NCSC's role is to understand the global cyber security climate and offer practical advice to government, businesses and the public regarding how to effectively mitigate the threats faced online.

It has also established the popular Cyber Discovery programme in England, Scotland and Northern Ireland, which aims to recruit the best 14-18 year-olds and provide them with fun and accessible cyber security activities, promoting career paths in the field.

The NCSC also developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK's share of global phishing attacks falling from 5.3% to 2.2% in two years.

In response to the uncertainty of the programme, the Cabinet Office introduced a new, robust assessment framework to make sure it has a better vision of how the programme is performing. It has also asked departments to allocate more funds to ensure it meets its objectives and measures progress adequately.

Although these steps have been taken to improve the programme's effectiveness, they were only made in 2018, so it's too early to see their results.

Another blow to the programme is that it seems unlikely, according to the NAO report, that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years.

The report says that because of this, the Cabinet Office runs the risk of repeating the same mistakes it made in 2015 and that the budget for the programme could remain insufficient due to a lack of preparedness.

"Improving cyber security is vital to ensuring that cyber-attacks don't undermine the UK's ability to build a truly digital economy and transform public services," said Amyas Morse, head of the NAO.

"The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. The government needs to learn from its mistakes and experiences in order to meet this growing threat."

The NAO recommends that the Cabinet Office prioritise the programme's best performing aspects and focus most attention and resources there until 2021, as they will have the most positive impact on the country.
