Cabinet Office blasted for lack of long-term thinking on cyber security

The UK is at risk with officials on course to achieve just one of 12 strategic outcomes by 2021

The government must urgently establish a long-term strategy to combat burgeoning cyber threats as there is currently none in place for the next decade once current arrangements expire in 2021.

According to a report by the Public Accounts Committee (PAC), not only has the Cabinet Office neglected to justify how its approach to cyber security is delivering value for money, but the department lacks the evidence base to make informed decisions and measure its successes.

Alarmingly, the Cabinet Office has also not been clear what its current National Cyber Security Strategy (NCSS), which lasts between 2016 and 2021, will actually deliver, noted the PAC. 

Moreover, the Cabinet Office is only expected to complete a single strategic outcome of the current five-year plan, of the 12 aims in total, and has not published any updates on progress since the strategy began.

"With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks," said PAC chair Meg Hillier MP. "As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.

"We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient.

"As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases - despite being allocated £1.9bn funding."

Decisions over how to use this funding, allocated in 2015, were not based on any business case, including the £1.3 billion reserved for the National Cyber Security Programme, which was devised to deliver the five-year strategy. This means the department didn't know whether this was even the right amount needed at the time.

The Cabinet Office hasn't done enough to raise awareness around good cyber security practices among different sectors in the economy and their customers. This includes getting people to question whether Internet of Things (IoT) devices are holding their data securely, for example.

Examples of successes in this area include the National Cyber Security Centre (NCSC) promoting two-factor authentication (2FA), and the organisation also working with the Bank of England to build better security standards in general.

However, the government should outline how it aims to persuade different kinds of businesses, such as those in the retail sector, to educate their customers about cyber security.

Among the most serious issues highlighted by the report is the lack of any long-term approach to fighting the cyber threats the UK faces beyond 2021 when the current strategy expires. The current strategy is the second five-year plan, following the first NCSS between 2011 and 2016, and is expected to be followed with another five-year plan lasting to 2026.

"Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021," Hillier continued. "This does not represent a resilient security strategy.

"In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined."

The PAC has recommended the department ensure the Cabinet Office starts planning immediately and develops a revised approach to cyber security before the next spending review. This is set to be announced in autumn 2019.

By this stage, the Cabinet Office should also set out what progress it's making in using evidence to make its decisions, including plans to undergo a 'lessons learnt' exercise to capture evidence from the current strategy.

David Mount, director for Europe at Cofense, said the PAC's findings underline the very real target on UK organisations' heads from cyber attackers across the world.

"Email phishing attacks are still one of the most prevalent attack forms -- and despite significant investments in next-gen technologies, these threats continue to become more sophisticated and effective.

"If we are to successfully defend ourselves against this global threat, we need to put people in the driving seat, educating them on the dangers out there and trusting in their ability to help defend against these actors."

The National Audit Office (NAO) also critiqued the Cabinet Office's handling of the UK's cyber security programme in March, claiming the five-year strategy has been mismanaged since its start in 2016.

"The UK is safer since the launch of our cyber strategy in 2015," a Cabinet Office spokesperson said.

"We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure."
