Last week, the Cabinet Office was publicly slammed by the House of Commons Public Accounts Committee for taking too long to consolidate Britain's cyber-security strategy.
In its 69-page report, Protecting Information Across Government, the PAC said the threat from cyber-attacks has been classified as one of the top four risks to UK security since 2010 and yet the Cabinet Office still hasn't consolidated and coordinated the “alphabet soup” of agencies involved in national cyber-security.
This is particularly true within Whitehall, where a plethora of cyber-security teams work across many departments with little coordination or consistency between them.
The PAC provided the Cabinet Office with six substantive recommendations for upping its game.
As recently as April 2016, there were no fewer than 12 teams and organisations working at the heart of government with a role in protecting information, with little coherence between them, exacerbated by tangled lines of communication.
The National Cyber Security Centre (NCSC) became operational in October 2016 with the remit of providing a unified response to information security for central and local government, the commercial sector and the general public.
However, the PAC notes: “The breadth of the NCSC's role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance.”
It recommends that the Cabinet Office develop “a detailed plan for the NCSC by the end of the financial year, setting out who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance”.
The PAC also criticised the Cabinet Office for providing too little information to wider society beyond Whitehall, a failing that ultimately damages central government itself, given its increasing dependence on information flowing between government and the rest of society. The committee cited the fact that government relies on 450 arm's-length bodies, through which it spends £250 billion annually, as a reason why it should establish a clear approach to protecting information across the entire public service as well as its delivery partners.
Three projects designed to help government departments secure their information better came under scrutiny from the committee: the Government Security Classifications system (a three-tier scheme for classifying information consistently across government), the Public Services Network (a high-performance network allowing public sector bodies to share resources securely) and the Foxhound project (a confidential network for sharing classified information across government).
All three projects have been slow to deliver promised benefits or significant financial savings “due to poor planning”. Overly optimistic assumptions and lack of challenge were cited as fundamental failures early in the projects' life cycles, and in one case the government had no baseline against which to measure the success of the project.
The PAC also slammed the Cabinet Office for its poor handling of departmental reporting, which leaves it unable to judge how well departments are protecting information and at what cost.
The committee noted wide disparities between departments in their recording of data breaches: HMRC recorded 6,038 incidents while the Department for Work and Pensions (DWP), an organisation with a similar level of online activity, recorded none.
It recommended that the Cabinet Office work with the Information Commissioner's Office (ICO) to “establish best practice reporting guidelines and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017-18 financial year”.
The skills gap, a familiar theme throughout the cyber-security industry, is also an issue within Whitehall, the committee said, but it lambasted the Cabinet Office for failing to identify the nature and scope of the skills gap.
And it noted: “The Cabinet Office is also unwilling to mandate a minimum skills standard for departments in the security profession.”
In addition to establishing the NCSC, the Cabinet Office is also working to amalgamate 40 separate security teams across Whitehall into four clusters. It has established a pilot cluster and has been asked by the PAC to report back on its progress in six months.
SC Media UK asked the Cabinet Office for a detailed response to the criticisms levelled at it by the Public Accounts Committee and received this response:
“The Government has acted with a pace and ambition that has been welcomed by industry and our international partners right across the globe.
“Our comprehensive and ambitious National Cyber Security Strategy, underpinned by £1.9 billion of investment, sets out a range of measures to defend our people, businesses, and assets, deter and disrupt our adversaries and develop capability and skills.
“The National Cyber Security Centre is already working with private and public sector organisations of all sizes to help them protect themselves from cyber-attacks, and will continue to do so.”
The Cabinet Office also passed on a statement from a National Cyber Security Centre spokesperson: “The government has been clear that the newly formed NCSC is the UK's definitive authority on cyber-security.
“In the four months since becoming operational, the NCSC has transformed how the UK deals with cyber-security by providing real-time cyber-threat information to 3000 organisations from over 20 different industries, offering incident management handling and fostering technical innovation.
“The UK faces a growing threat of cyber-attacks and we share the [Public Accounts] Committee's determination to make the UK as safe a place as possible to live and do business online.”
Labour MP Meg Hillier, chair of the Public Accounts Committee, said: “[The government's] approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks.”
And she added: “It should concern us all that the government is struggling to ensure its security profession has the skills it needs.”