Government’s chief auditor has urged the Cabinet Office to rethink how it implements the National Cyber Security Programme (NCSP).
The National Audit Office (NAO) has published a report on the programme pointing to failings in the way it has been delivered and warning that the Government does not know whether it will meet its goals.
It recommends that the Cabinet Office should establish which areas of the programme are having the greatest impact or are most important to address, and that the work should feed into a strategy for after 2021.
The report advocates two elements for this. One is that a new strategy should clearly set out a future division of labour, pointing to which activities should be centrally funded, which are core activities of government departments and which are the responsibility of the private sector.
The other is that the Cabinet Office should consider a more flexible programmatic approach to cyber security. This would involve a mixture of shorter programmes to be more responsive to changing risks and longer term investment in areas such as skills.
The NCSP received £1.3 billion in funding as part of the National Cyber Security Strategy, which was launched in 2016, and has provided a focal point for cyber activity across government.
The NAO acknowledges that it has produced some positive achievements, notably in the creation of the National Cyber Security Centre (NCSC) and reducing the UK’s vulnerability to specific attacks. It points to the development of a tool that led to 54.5 million fake emails being blocked in 2017-18, and a reduction in the UK’s share of global phishing attacks from 5.3% to 2.2% over two years.
In addition, it says lead departments are largely on track to deliver against their objectives as part of the programme.
But it also highlights a number of shortcomings. Among them, the Cabinet Office did not produce a business case for the programme, meaning there was no way to assess how much funding was required. It also does not have sufficient evidence to prioritise the activities that make the biggest impact or address the greatest need.
As a result, it is unclear whether the Government will achieve the outcomes of the national strategy, and it may take until beyond 2021 to address all the complex cyber security challenges set out. Also, the Cabinet Office has “low confidence” in the evidence to support half of the strategic outcomes, and currently only expects to achieve one – in incident management – by 2021.
The report also warns that weaknesses in programme management are likely to hamper delivery of the strategy up to 2021, and that, while the Cabinet Office has begun preparations for approaching cyber security after that year, it risks repeating previous mistakes.
Question of value
The overall picture is that, with two years to run, it is hard to say whether the NCSP will deliver value for money. All this prompts the NAO to make the recommendations for a change in approach.
Amyas Morse, head of the NAO, said: “Improving cyber security is vital to ensuring that cyber attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services.
“The Government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”
An even more critical response came from Meg Hillier MP, chair of Parliament’s Public Accounts Committee. She said: “Government’s £1.3 billion flagship cyber security programme is yet another example of an important government programme launched without getting the basics right.
“There were serious weaknesses in its initial set up, undermining its contribution to government’s overall cyber security strategy.
“The increasing cyber threat faced by the UK, and events such as the 2017 WannaCry attack, make it even more critical that the Cabinet Office take immediate action to improve its current programme and plan for safeguarding our cyber security beyond 2021.”