[Updated] NAO slams Cabinet Office for lack of leadership in information security

A fresh report from the National Audit Office says the Cabinet Office has failed to get to grips with information security across government departments.

NAO: Overlapping IT allowing security to fall into the gap
NAO: Overlapping IT allowing security to fall into the gap

The NAO has issued a report this morning criticising UK government and the Cabinet Office in particular for failing to coordinate and lead departmental cyber-security efforts.

The National Audit Office report, running to 41 pages, stated that despite an ambition to set the agenda for cyber-security across government, the Cabinet Office had failed to establish a clear role for itself amidst the often confusing government information landscape.

Compounding the problem, the NAO found that the Cabinet Office's role in coordinating security is weakened by the limited information which departments collect on security costs, performance and risks.

Accountability for information security is decentralised so there is no reliable overview of the problem. The reporting of personal data breaches is “chaotic” with different metrics making interdepartmental comparisons meaningless.


Facts and figures from NAO report

  • GCHQ dealt with 200 national cyber security incidents per month in 2015, up from 100 per month in 2014.
  • The number of data breaches recorded by the 17 largest department in 2014-15 was 8995.
  • The Cabinet Office estimates government spends £300 million across 34 departments on cyber-security but this is considered to be a gross underestimate of the actual figure.
  • There are 12 separate organisations at the heart of government with responsibility for protecting some aspect of information.
  • The estimated annual government spend on external IT security is £28 million.
  • There are 73 teams covering security in central government departments, employing 1600 people.

Even collecting data on expenditure is fraught with difficulties as not all departments collect or in some cases share this information, so a recent estimate of £300 million is thought to be a significant underestimate of the true costs.

Also compounding the problem is a shortage of cyber-security talent within government. The report says the government has found it difficult to attract people with the rights skills. Plans to cluster security teams, it said, may address the problem in the short run but will not solve the long-term challenge.

However, the NAO doesn't underestimate the complexity of the task facing departments which must balance data security against the need to make this information available to the public, other public bodies, delivery partners and service users.

“And increasing dependencies between central government and the wider public sector mean that the traditional security boundaries have become blurred,” the NAO said.

Amyas Morse, head of the National Audit Office, said, “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.” 

Speaking in May, James Snook, deputy director for business, crime and skills in the Office of Cyber Security and Information Assurance in the Cabinet Office, addressed the issue of cyber-security among UK business.

“The UK economy is significantly advanced. We have some of the best companies in the world who are adept at managing commercial risk and exploiting commercial opportunities,” he said. “With the exception of a few who absolutely do demonstrate best practice and thought leadership in this area, many boards and organisations are not properly managing cyber-risk.”

Regarding government security, he said there were too many organisations within government dealing with cyber-security but said the creation of the National Cyber Security Centre (NCSC) would help fix this problem. 

 

In response to the report, a Cabinet Office spokesperson said: "The Cabinet Office conducted its own review of Government security in early 2016 and many of our findings are consistent with the NAO report.

"So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two. We have also appointed the Government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership.

"The majority of the data breaches cited in this report will be very minor, but right across Government we need and must do more. We will respond fully to this report in due course."

Chief security officer 

Paul Farrington, manager of EMEA solution architects at Veracode said that, for it to work, the government needs to clarify the role of the chief security officer: “Coordination is key to improving the government's ‘dysfunctional' approach to data security. One way of doing this in in clarifying the remit of the chief security officer. Government departments are unlikely to want to have their delivery agendas interfered with by a Cyber Czar, who may not be perceived as holding political influence. As such, there probably needs to be a financial incentive in terms of budget release for departments to play ball with any security officer. That ultimately means that key performance indicators will need to be established to help drive incremental improvement and coherence across Whitehall.”

Fred Svedman, public sector lead at Unisys, said: “The Cabinet Office needs to mandate that all employees involved in public sector data security have a unified breach reporting process to ensure organisations are responding and communicating security incidents in a holistic way. This will speed up reaction ability to combat times, improve confidence in the government and improve transparency for stakeholders. This is really the starting point for the government's journey, and medium to long-term planning must be focused around implementing effective training methods for employees and the development of a unified industry standard across governmental departments, in relation to security protocols and procedures.”

Stuart Facey, International Vice President at Bomgar said, “Education and training of the Government's employees that have data security responsibilities will need to be considered as a longer lead initiative. When educating 73 teams and 1,600 staff a cultural shift must be driven to enable the employees to inherently think about security.”

Kevin Dowd, chairman of the CNS Group, told SCMagazineUK.com: “The comment on the number of organisations and teams involved in information security in central government is surprising and revealing. It is perhaps the nature of a bureaucracy to respond to evolving threats with the creation of a working group or a new organisation (or even an accreditation or standard) but it is not always helpful.

“The call for a more streamlined and effective response is on that should be heeded... Crucially, these organisations should have a broad mandate across the security remit, with no confusion over areas of responsibility, in order that evolving threats and new areas of risk can be met without the creation of new bodies and areas of responsibility.

“It is time to explode the myth that information security risk and controls experts exist at all levels of government (or even in the private sector). The truth is that these individuals are few and far between and that assessing common risks and aligning effective controls to them should be a central function. This doesn't mean being prescriptive in all areas, but rather offering clear and effective solutions to common issues rather than seeking reinvention of these solutions at a departmental level. All the current structure does is ensure variability of effectiveness in response to information security threats.”

Jacob Ginsberg, senior director at Echoworx said, “The NOA report further highlights the hypocrisy surrounding data security in the UK. The government claims that individuals' privacy is of paramount importance – despite its efforts to weaken encryption – yet clearly there are serious failures with its current security setup."