Cabinet Office blasted for lack of long-term thinking on cyber security
The UK is at risk with officials on course to achieve just one of 12 strategic outcomes by 2021
The government must urgently establish a long-term strategy to combat burgeoning cyber threats as there is currently none in place for the next decade once current arrangements expire in 2021.
According to according to a report by the Public Accounts Committee (PAC), not only has the Cabinet Office neglected to justify how its approach to cyber security is delivering value for money, but the department lacks the evidence-base to make informed decisions and measure its successes.
Alarmingly, the Cabinet Office has also not been clear what its current National Cyber Security Strategy (NCSS), which lasts between 2016 and 2021, will actually deliver, noted the PAC.
Moreover, the Cabinet Office is only expected to complete a single strategic outcome of the current five-year plan, of the 12 aims in total, and has not published any updates on progress since the strategy began.
"With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks," said PAC chair Meg Hillier MP. "As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.
"We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient.
"As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases - despite being allocated 1.9bn funding."
Decisions over how to use this funding, allocated in 2015, were not based on any business case, including the 1.3 billion reserved for the National Cyber Security Programme which was devised to deliver the five-year-strategy. This means the department didn't know whether this was even the right amount needed at the time.
The Cabinet Office hasn't done enough to raise awareness around good cyber security practices among different sectors in the economy and their customers. This includes getting people to question whether Internet of Things (IoT) devices are holding their data securely, for example.
Examples of successes in this area include the National Cyber Security Centre (NCSC) promoting two-factor authentication (2FA), and the organisation also working with the Bank of England to build better security standards in general.
However, the government should outline how it aims to persuade different kinds of businesses, such as those in the retail sector, to educate their customers about cyber security.
Among the most serious issues highlighted by the report is the lack of any long-term approach to fighting the cyber threats the UK faces beyond 2021 when the current strategy expires. The current strategy is the second five-year plan, following the first NCSS between 2011 and 2016, and is expected to be followed with another five-year plan lasting to 2026.
"Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021," Hillier continued. "This does not represent a resilient security strategy.
"In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined."
The PAC has recommended the department ensure the Cabinet Office starts planning immediately and develops a revised approach to cyber security before the next spending review. This is set to be announced in autumn 2019.
By this stage, the Cabinet Office should also set out what progress it's making in using evidence to make their decisions, including plans to undergo a 'lessons learnt' exercise to capture evidence from the current strategy.
David Mount, director for Europe at Cofense said the PAC's findings underline the very real target on UK organisations' heads from cyber attackers across the world.
"Email phishing attacks are still one of the most prevalent attack forms -- and despite significant investments in next-gen technologies, these threats continue to become more sophisticated and effective.
"If we are to successfully defend ourselves against this global threat, we need to put people in the driving seat, educating them on the dangers out there and trusting in their ability to help defend against these actors."
The National Audit Office (NAO) also critiqued the Cabinet Office's handling of the UK's cyber security programme in March, claiming the five-year strategy has been mismanaged since its start in 2016.
"The UK is safer since the launch of our cyber strategy in 2015," a Cabinet Office spokesperson said.
"We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure."