Government £1.3bn National Cyber Security Programme undermined by ‘serious weaknesses’ – NAO
Initial set-up meant investment required was unknown and objectives may not be achieved
The National Audit Office has claimed that the government’s £1.3bn National Cyber Security Programme has been undermined by serious weaknesses in its set-up and has failed to get even the basics right.
The programme forms part of a wider National Cyber Security Strategy which was established in 2016 with a planned government investment of £1.9bn, including of which £1.3bn was reserved for the programme between 2016 and 2021.
NAO’s report, published today, assessed progress just beyond the mid-point of the five year programme, and found that failings in the way the Cabinet Office established the programme mean the government does not know whether it will be able to meet its goals.
- Cyber security centre reveals active defence of government tech
- Why cybersecurity would lead a Labour government’s digital transformation agenda
- How can the public sector manage cyberthreats?
It said that despite agreeing to an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the Cabinet Office did not produce a business case for the programme before it was launched. This meant that when HM Treasury set its funding in 2015, it would not have been able to reasonably assess how much money it would require – and therefore the amount it has ploughed into the programme may just have been based on guesswork. According to the NAO, this means it is unclear whether the funding was ever sufficient enough for the Cabinet Office to achieve the wider strategic outcomes by 2021.
The Cabinet Office has acknowledged that it could take longer than 2021 to address all the cyber security challenges presented in the strategy but has not confirmed a date when these will be achieved.
The report found that the programme was also delayed over its first two years as a third of its planned funding had been relocated to counter-terrorist and other national security activities.
While the NAO acknowledged that the Cabinet Office had introduced a more robust framework to assess the strategy and programme’s performance, and had also asked departments to invest more in measuring their progress in meeting objectives, it said that these were only established in 2018 and would therefore take some time before any benefits were to materialise.
Auditors also warned that the Cabinet Office could risk repeating previous mistakes as it is unlikely that an approach to cyber security has been considered before the 2019 Spending Review. They recommended that the Cabinet Office establish which areas of the programme are having the most impact and are most important to address, and focus its resources on these until 2021.
Thereafter, it should consult widely and develop a strategy for beyond 2021, which makes clear which work should be government-funded, private sector responsibilities and departmental activities. It suggests that shorter programmes could also help the government to be more responsive to changing risks.
Responding to the report, Public Accounts Committee chair Meg Hillier said: “Government’s £1.3bn flagship cyber security programme is yet another example of an important government programme launched without getting the basics right.
“There were serious weaknesses in its initial set up, undermining its contribution to government’s overall cyber security strategy.
“The increasing cyber threat faced by the UK, and events such as the 2017 WannaCry attack, make it even more critical that the Cabinet Office take immediate action to improve its current programme and plan for safeguarding our cyber security beyond 2021.”
Responding to the report, a Cabinet Office spokesperson said: "The UK is safer since the launch of our cyber strategy in 2015. We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure.
"We recognise that there is always more to do, and are pleased that the NAO has endorsed our plans for the future through their recommendations."
European certification scheme recently came into effect
Department seeks leaders in the areas of digital enablement and cyber risk
Department looks to cultivate ‘modern security stack’
Service aims to work with other public bodies to identify citizens in most need of risk assessment