Whitehall slammed for poor cyber security coordination and 'dysfunctional' breach reporting

Written by Rebecca Hill on 3 February 2017 in News
News

The government has taken too long to consolidate and coordinate the “alphabet soup” of cyber security agencies and faces “a real struggle” to find staff with the right skills to tackle threats, MPs have said.

As global cyber threats increase, PAC says UK needs to up its game - Photo credit: Pixabay

The criticisms come in the Public Accounts Committee’s report Protecting Information Across Government, which was published today.

In it, the MPs note the ever-increasing number of cyber attacks faced by governments across the world, and say the UK government’s poor past performance on cyber security “reduces our confidence” for the future.

“Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks,” said committee chairwoman Meg Hillier.


Related content

“Active cyber defence”: UK’s first National Cyber Security Centre chief sets out strategy
UK cyber security centre promises to boost local government focus
Are we entering a 'cognitive era'?


Echoing the analysis of central government coordination and leadership made in September 2016 by the National Audit Office, the MPs’ report said that the Cabinet Office’s role in protecting information “remains unclear within central government”.

The committee said that, despite being aware of the problem posed by multiple agencies dealing with cyber security, the government still had too many lines of accountability “with little coherence between them”.

It acknowledged that the creation of the National Cyber Security Centre, which was officially opened in summer last year, aimed to bring the disparate groups working on cyber intelligence and security across the country together but that more details of its work were needed quickly.

“The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance,” the report said.

It called on the government to publish a detailed work plan for the centre by the end of this financial year, covering who the centre will support, what assistance it will provide and how it will communicate with organisations.

“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” said Hillier.

The report also said that there was too little emphasis on informing and supporting the wider public sector, and a lack of coordination with other public bodies – something that has been raised repeatedly by local authorities, which have said they are concerned about being the “weak link” in UK cyber security efforts.

This lack of coordination “is of particular concern, given the government’s extensive reliance on arm’s length bodies to deliver core public services and functions, with more than 450 arm’s length bodies through which the government spends around £250 billion annually”, the MPs said.

Instead of relying on those organisations to resolve security issues themselves, and to know when the risk is significant enough to contact the NCSC, the committee said government should work to ensure that there is more information and support available to those bodies.

Central government reporting processes also came under fire in the report, which branded those for recording departmental personal data breaches “chaotic”, “inconsistent and dysfunctional”.

The report pointed to “major and unexplained variations” in the extent to which departments report them: of the 8,981 non-reportable incidents that were recorded by the 17 largest departments, 67% were recorded by HMRC and 31% by the Ministry of Justice.

"The Cabinet Office’s ability to make informed information security decisions is undermined by inconsistent and chaotic processes for recording personal data breaches"

The remaining 15 departments – including the large and digitally-active Department for Work and Pensions – recorded just 145 between them.

The MPs argued that encouraging a culture of recording of incidents would help departments identify threats early on, and said the Cabinet Office should work with the Information Commissioner’s Office to establish best practice reporting guidelines for departments.

Meanwhile, the committee raised concerns that the government was “struggling to ensure its security profession has the skills it needs” to match the rapid and changing landscape of cyber security.

It said that, although a security profession was established in 2013, it was unclear what skills gaps still exist and how they could be filled when there was a UK-wide skills shortage in the field, and urged the government to focus on identifying and filling those gaps.

The MPs also called for the Cabinet Office to report the results of a pilot scheme that will see 40 separate departmental security teams being brought into four large clusters to the committee within six months.

A further criticism levelled at the government was that it had failed to properly manage central government information projects, saying that they were not delivering as planned and needed to be challenged and reviewed on a more regular basis.

For instance, it said, there has never been a detailed financial business case produced for the Government Security Classifications system – a three-point system to classify information consistently across government – meaning there is no baseline against which to judge its progress or potential savings.

Finally, the Cabinet Office was told to do more to assess the cost and performance of government information security activities. The committee said that its failure to mandate how departments should report on the costs and benefits of their information protection efforts has made it hard to tell which projects are providing value for money. 

The government last year published its national cyber security strategy, which focused on defence, deterrence and innovation, along with commitments to greater international cooperation to deal with global threats, and is to be funded with the £1.9bn cyber investment first announced in the 2015 spending review.

Share this page

Tags

Categories

Comments

Geoff Duke (not verified)

Submitted on 3 February, 2017 - 11:37
Reporting lacking due to unwillingness to be a focal point for something bad - so as not to be blamed or associated - political choice to say nothing and not report seems to be order of the day. Overall cost, performance, business case scenario absolutely reeks of a lack of fundamental risk management. Cybersecurity should be deemed as part of risk management but if risk managment is lacking to start with then there is little basis for critical thinking.

Add new comment

Related Articles

UPDATED: General election 2017: Manifesto round-up
17 May 2017

After the Tories released their manifesto,PublicTechnology takes a look at the three main parties' plans for digital and technology ahead of next month's general election.

Election 2017: Party manifestos urged to focus on IT systems for Brexit and championing digital leadership
2 May 2017

As parliament dissolves and the date of the poll marches closer, parties of all colours are working up their manifestos...

Public safety ‘imperilled’ by lack of interoperable police ICT network
24 April 2017

2016 State of Policing report calls for a single decision-making mechanism for ICT to bring forces into the...

Theresa May announces plan to hold early general election
18 April 2017

The prime minister’s announcement of a general election on 8 June comes as influential House of Commons committee urges...

Related Sponsored Articles