Cabinet Office blasted for lack of long-term thinking on cyber security

The UK is at risk with officials on course to achieve just one of 12 strategic outcomes by 2021


The government must urgently establish a long-term strategy to combat burgeoning cyber threats as there is currently none in place for the next decade once current arrangements expire in 2021.

According to a report by the Public Accounts Committee (PAC), not only has the Cabinet Office neglected to justify how its approach to cyber security is delivering value for money, but the department also lacks the evidence base to make informed decisions and measure its successes.

Alarmingly, the Cabinet Office has also not been clear what its current National Cyber Security Strategy (NCSS), which lasts between 2016 and 2021, will actually deliver, noted the PAC. 

Moreover, the Cabinet Office is expected to achieve only one of the 12 strategic outcomes in the current five-year plan, and has not published any updates on progress since the strategy began.


"With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks," said PAC chair Meg Hillier MP. "As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.

"We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient.

"As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy nor the Programme were grounded in business cases - despite being allocated £1.9bn funding."

Decisions over how to use this funding, allocated in 2015, were not based on any business case, including the £1.3 billion reserved for the National Cyber Security Programme, which was devised to deliver the five-year strategy. This means the department didn't know whether this was even the right amount needed at the time.

The Cabinet Office hasn't done enough to raise awareness around good cyber security practices among different sectors in the economy and their customers. This includes getting people to question whether Internet of Things (IoT) devices are holding their data securely, for example.

Examples of successes in this area include the National Cyber Security Centre (NCSC) promoting two-factor authentication (2FA), and the organisation also working with the Bank of England to build better security standards in general.


However, the government should outline how it aims to persuade different kinds of businesses, such as those in the retail sector, to educate their customers about cyber security.

Among the most serious issues highlighted by the report is the lack of any long-term approach to fighting the cyber threats the UK faces beyond 2021, when the current strategy expires. The current strategy is the second five-year plan, following the first NCSS between 2011 and 2016, and is expected to be followed by another five-year plan lasting to 2026.

"Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021," Hillier continued. "This does not represent a resilient security strategy.

"In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined."


The PAC has recommended the department ensure the Cabinet Office starts planning immediately and develops a revised approach to cyber security before the next spending review, which is set to be announced in autumn 2019.

By this stage, the Cabinet Office should also set out what progress it is making in using evidence to make its decisions, including plans to undergo a 'lessons learnt' exercise to capture evidence from the current strategy.


David Mount, director for Europe at Cofense, said the PAC's findings underline the very real target on UK organisations' heads from cyber attackers across the world.

"Email phishing attacks are still one of the most prevalent attack forms -- and despite significant investments in next-gen technologies, these threats continue to become more sophisticated and effective.

"If we are to successfully defend ourselves against this global threat, we need to put people in the driving seat, educating them on the dangers out there and trusting in their ability to help defend against these actors."

The National Audit Office (NAO) also critiqued the Cabinet Office's handling of the UK's cyber security programme in March, claiming the five-year strategy has been mismanaged since its start in 2016.

"The UK is safer since the launch of our cyber strategy in 2015," a Cabinet Office spokesperson said.

"We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure."
