Public Accounts Committee says Cabinet Office has to provide clear plan for NCSC's future efforts
Attempts to strengthen cyber security around government are being hindered by departments’ failures in recording personal data breaches, Parliament’s Public Accounts Committee (PAC) has claimed.
Its new report on the issue, Protecting information across government, also says that moves to pull together the “alphabet soup” of relevant agencies have taken far too long.
“Government has a vital role to play in cyber security across society but it needs to raise its game,” said PAC chair Meg Hillier MP. “Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher threat attacks.
“The threat of cyber crime is ever growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure. In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs.”
The report says that processes for departmental personal data breaches are “inconsistent and dysfunctional”, and there is a record of poor reporting of low level breaches.
It acknowledges that the recent establishment of the National Cyber Security Centre (NCSC) as a focus for government’s efforts has been a step forward, but says there is a need for the Cabinet Office to provide a detailed plan for improving cyber security by the end of the year. This should explain “who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance”.
Lack of clarity
It says the department’s role in protecting information in central government is unclear, there is still no coordination across the wider public sector, and little oversight of the costs and performance of information assurance projects.
Subsequently, the MPs on the committee have found it difficult to feel confident in the Cabinet Office’s ability to protect the country from high threat cyber attacks, and fear that the public sector is struggling to keep up with fast-evolving cyber crime.
Other recommendations include:
- Within six months the Cabinet Office should write to the PAC setting out its findings from a pilot security cluster, an initiative intended to better enable the sharing of scarce skills across central government.
- Government should establish a clear approach for protecting information across the whole of the public sector.
- The Cabinet Office should ensure there is a robust challenge built into developments such as the Government Security Classifications and the Foxhound project for sharing classified information across government. It should also review them regularly and monitor spending.
- It should regularly assess the cost and performance of government information security initiatives, and identify a set of baseline indicators that departments could use in reporting.
- It should work with the Information Commissioner’s Office on a set of reporting guidelines.
“Leadership from the centre is inadequate and, while the NCSC has the potential to address this, practical aspects of its role must be clarified quickly,” Hillier added.
“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support.”
The report has prompted a call from a professional association for the Government to set up a department with the responsibility of coordinating the effort. Professor Will Stewart, vice president of the Institution of Engineering and Technology, said: “Having the plans is not enough – it’s far more important that people at all levels of an organisation, including its leadership, can implement them effectively.
“Setting up a government department with responsibility for cyber security and related issues would be the most effective way of driving forward legislation and governance that can improve awareness of this important subject among businesses and the general public.”