The National Audit Office (NAO) has revealed failings in the way the Cabinet Office established its current cyber security programme, leaving the government unclear whether it will meet programme objectives and facing unresolved questions about its cyber security strategy after 2021.
The UK has one of the world’s leading digital economies, the report asserts, which makes it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals; these attacks continue to increase and evolve as launching them becomes easier and cheaper.
The National Cyber Security Strategy 2016 (the Strategy) outlines how the government aims to make the UK more secure online. The £1.9 billion Strategy includes £1.3 billion of funding for the National Cyber Security Programme 2016-21 (the Programme) and the NAO report assesses progress just beyond the mid-point of the five-year Programme.
The Programme provides a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre (NCSC).
The Programme has also reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years.
However, despite agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the NAO says the Cabinet Office did not produce a business case for the Programme before it was launched.
The NAO says it is unclear whether the Cabinet Office will achieve the Strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat, but also because the Cabinet Office has not assessed whether the £1.9 billion of funding was ever sufficient. The Cabinet Office has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy, but does not yet know when these might be achieved.
The NAO recommends that, going forward, the Cabinet Office establishes which areas of the Programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally-funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.
“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services,” said Amyas Morse, Head of the NAO.
“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”