According to the National Audit Office (NAO), the government is struggling with the information protection problem.
GCHQ dealt with twice as many national level cybersecurity incidents in 2015 as it did the year before - 200 compared to 100, while the 17 largest bodies in government recorded a total of just under 9,000 data breaches in 2014-15 alone.
The problem is that government doesn’t really have a clear idea as to what to do about this risk - with the NAO saying that the Cabinet Office has not yet established a “clear role” for itself in co-ordinating and leading the drive for cross-Whitehall security.
While part of its difficulties in doing so stem from the limited information which departments collect on their own information security costs, performance and risks, the twin desire to protect some information but also make it open to the public via new digital services is creating confusion about security at the heart of central government.
And so fuzzy is the real picture about what’s going on that a recent Cabinet Office probe into security costs revealed a cost of £300 million - though it told the NAO the actual costs are ‘several times’ that figure.
Little visibility of risks
The NAO's report, Protecting information across government, takes a hard look at how much progress really is being made in terms of protecting UK HMG information.
“Protecting information while redesigning public services and introducing the technology necessary to support them is an increasingly complex challenge,” warned Amyas Morse, head of the NAO.
“To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”
On the plus side, NAO notes how UK government has a “strong international reputation” in “some” areas of information security and digital government, and that the Cabinet Office is taking action to improve its support for departments.
But the team there needs to set out how this will be delivered in practice and - what’s much trickier, it notes - deal with what it sees as the blurring of traditional security boundaries.
As accountability for information security is devolved to departments, the study says, government does not currently collect or analyse its overall performance in protecting information on a routine basis. This means it has little visibility of information risks in each department and has limited oversight of the progress ministries are making to better protect their information, it claims.
That’s not helped by - in the public spending watchdog’s eyes, at least - the proliferation of “too many bodies with overlapping responsibilities” in Whitehall about information security. “As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance,” it points out.
While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view “wider reforms will be necessary to further enhance the protection of information” at the heart of the UK state.
Meanwhile, reporting personal data breaches is allegedly “chaotic”, with different mechanisms making cross-governmental comparisons “meaningless”, in its view.
In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments - in part because they do not always collect or share such data.
Some parts of Whitehall have made significant improvements in information governance, but most have not given it the same attention as other forms of governance, says the report, which also worries that the Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.
There’s also a capability gap when it comes to security (“In the context of a challenging national picture it has been difficult for government to attract people with the right skills”). There are 73 separate teams covering security in central government departments, with a total of 1,600 protective security staff (information, physical and personnel) in central government departments, says the study, but this does not seem to be a big enough resource.
While welcoming moves to beef up security competence dating back to 2013, the NAO fears that demand for skills and learning across government is growing and is likely to continue to grow. Government plans to work round this, by trying to share scarce skills through building more teams, may help initially, but will not solve the long-term challenge, it notes.
The NAO recommends that to reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.
Full NAO report: Protecting information across government