NAO slams mismanaged national cyber security programme

The programme has been criticised for failing to meet objectives and running a budget that hasn't been properly calculated

National Audit Office building in London

The Cabinet Office has been mismanaging the country's National Cyber Security Programme since its introduction in 2016 which has forecast the failure to meet its goals, according to a National Audit Office (NAO) report

One year prior to the programme's 2016 implementation, the Cabinet Office agreed to an overall approach on how to tackle cyber security and the spending that should go towards it but failed to make a business case for the programme.

This meant that the 1.9 billion budget allocated to the programme was misguided, according to the NAO report, and the Cabinet Office had no real indication as to how much money it would actually need to fulfil the program's objectives.

Other factors have contributed to the programme's poor performance, the report acknowledges that in the first two years of the programme, resources and funds were allocated away from the programme and directed towards anti-terrorism activities.

Although the wider landscape of national security was improved, it came at the cost of cyber security safety and it delayed the government's understanding of the cyber security threat it faces.

"It is unclear whether the Cabinet Office will achieve the Strategy's wider strategic outcomes by 2021," read the report. "This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the 1.9 billion of funding was ever sufficient.

"It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved."

"In 2016, 1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support," said Jake Moore, cyber security specialist at ESET. "If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel."

It's not all bad, though; the report praises the program in a number of areas, most pertinently its achievement of establishing the hugely successful National Cyber Security Centre (NCSC).

The NCSC's role is to understand the global cyber security climate and offer practical advice to government, businesses and the public regarding how to effectively mitigate the threats faced online.

It has also established the popular Cyber Discovery program in England, Scotland and Northern Ireland which aims to recruit the best 14-18 year-olds and provide them with fun and accessible cyber security activities, promoting career paths in the field.

The NCSC also developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK's share of global phishing attacks falling from 5.3% to 2.2% in two years.

In response to the uncertainty of the program, the Cabinet Office introduced a new, robust assessment framework to make sure it has a better vision of how the programme is performing. It has also asked departments to allocate more funds to ensure it meets its objectives and measures progress adequately.

Although these steps have been taken to improve the programme's effectiveness, these were only made in 2018, so it's too early to see the results of them.

Another blow to the programme is that it seems unlikely, according to the NAO report, that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years.

The report says that because of this, the Cabinet Office runs the risk of repeating the same mistakes it made in 2015 and that the budget for the programme could remain insufficient due to a lack of preparedness.

"Improving cyber security is vital to ensuring that cyber-attacks don't undermine the UK's ability to build a truly digital economy and transform public services," said Amyas Morse, head of the NAO.

"The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. The government needs to learn from its mistakes and experiences in order to meet this growing threat."

The NAO recommends that the Cabinet Office prioritise the programme's best performing aspects and focus most attention and resources there until 2021, as they will have the most positive impact on the country.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020