The Government has not made sufficient progress on developing long-term objectives for the National Security Strategy, which has been hampered by a weak evidence base and the lack of a business case. That’s the view of the Public Accounts Committee in Parliament, as espoused in the Committee’s latest detailed report.
The UK has one of the world’s leading digital economies, designed to exploit the benefits of the Internet, but this also makes it vulnerable to attack from hostile countries, criminal gangs and individuals. In order to counter this threat, and also to continue supporting the UK’s digital Government and economy as a whole, ever since 2011 the Cabinet Office has managed two five-year national cyber security strategies.
The Department is beginning to make progress in meeting the strategic outcomes of the current 2016-2021 National Cyber Security Strategy after a poor start. However, a weak evidence base and the lack of a business case for the National Cyber Security Programme that helps to deliver the Cyber Security Strategy make it difficult for the Department to assess whether it will meet all of its objectives by 2021.
The lack of a business case also means it’s unclear whether the money allocated at the start of the National Cyber Security Programme was the right amount, making it more difficult to judge value for money.
Digital technology and online services are fast-moving areas and constantly evolving. The Public Accounts Committee in Parliament is concerned that consumers don’t know how safe the websites or Internet-enabled products they use are in real terms. According to the Committee, there’s clearly more that the Government needs to do to make progress in this area.
Public Accounts Committee chair Meg Hillier stated: “With its world-leading digital economy, the UK is more vulnerable than ever before to cyber attacks. As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online. We welcome the National Cyber Security Strategy, but are concerned that the National Cyber Security Programme designed to deliver it is insufficient. As it currently stands, the National Cyber Security Strategy isn’t supported by the robust evidence the Cabinet Office needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy nor the Programme were grounded in business cases despite being allocated £1.9 billion of funding.”
Hillier continued: “Looking longer term, we’re disappointed that the Cabinet Office wasn’t able to give us a clear idea of what the National Cyber Security Strategy will deliver by 2021. This doesn’t represent a resilient security strategy. In the interest of national security, the Cabinet Office needs to take a long-term approach towards protecting against the risk of cyber attacks. Future plans should be based on strong evidence. Business cases should be rigorously costed to ensure value for money, while strategic outcomes and objectives should be clearly defined.”
Vulnerable to cyber attacks
As one of the world’s leading digital economies and a global leader when it comes to putting Government systems online, the UK is especially vulnerable to cyber attacks. The National Cyber Security Centre has dealt with over 1,100 cyber security incidents since it was established in October 2016. The cyber attack threat is evolving fast and becoming technically more complex, with the boundaries between state-orchestrated attacks and those of cyber criminals now increasingly blurred.
The Government has yet to set out its plans for its approach to cyber security after 2021. According to the Public Accounts Committee, it needs to start planning now and develop a revised approach before the next Spending Review, which should be announced as part of the 2019 Autumn Budget. The Cabinet Office should ensure that another long-term co-ordinated approach towards cyber security is put in place well in advance of the current Cyber Security Strategy finishing in March 2021.
The £1.9 billion funding for the Cyber Security Strategy, including £1.3 billion for the National Cyber Security Programme, was allocated via the 2015 Spending Review. The Cabinet Office didn’t develop a business case for either, although teams that manage each of the 12 objectives that make up the National Cyber Security Programme do produce their own annual business cases. This means that the Cabinet Office didn’t assess at the start whether £1.3 billion was the right amount needed to deliver the National Cyber Security Programme and makes it more challenging to assess value for money.
The Cabinet Office acknowledges that it wasn’t absolutely confident the funding was at the right level, and that the estimated funding relied on a judgement about the resources required, the level of risk involved and the impact intended. It asserts that, as its approach was cutting-edge, there was no existing approach or model for building a national strategy or programme on which the Cabinet Office could base its assessment. The Cabinet Office is nonetheless unable to explain what proportion of the overall Cyber Security Strategy the National Cyber Security Programme itself is expected to deliver.
In addition, a third (ie £169 million) of the National Cyber Security Programme’s planned funding for the first two years was either transferred or loaned to support other Government national security priorities, such as counter-terrorism activities. Some £69 million of this funding will not be returned to the Programme, which according to the Committee seems to be at odds with the Government’s claim that cyber security is a priority.
The Cabinet Office should ensure that, in order to support any follow-on long-term and co-ordinated approach to cyber security, it produces a properly-costed business case.