The National Audit Office has pulled up the Cabinet Office for failing to produce a business case for its ambitious National Cyber Security Programme before implementation began, and for inordinately delaying the creation of a framework to assess the programme's performance at regular intervals.
The National Cyber Security Strategy was launched in 2016 with £1.9 billion of funding, £1.3 billion of which was to pay for the National Cyber Security Programme 2016-21, whose objective was to improve cyber-resilience across government and private organisations over the following five years.
As part of its National Cyber Security Strategy, the Cabinet Office also set up the National Cyber Security Centre, whose objective was to educate organisations and citizens about cyber-security tools and techniques and to monitor the implementation and progress of the National Cyber Security Programme.
Even though the National Cyber Security Centre has had some notable accomplishments to its name, such as blocking 54.5 million fake emails in 2017/18 and reducing the UK's share of global phishing attacks from 5.3 percent to 2.2 percent in two years, a recent report from the National Audit Office found glaring errors committed by the Cabinet Office not only during the planning stage but also after the implementation of the National Cyber Security Strategy.
According to the report, even though the Cabinet Office, led by Prime Minister Theresa May, agreed during the 2015 Strategic Defence and Security Review and Spending Review to create an overall approach to strengthening the UK's cyber-security, it failed to produce a business case for the National Cyber Security Programme and did not assess whether the £1.9 billion of funding was enough to support the programme's goals.
Without a business case, HM Treasury had no way to assess how much money the Programme would need. That uncertainty over how much funding should be dedicated to the Programme contributed to delays in its work over the first two years, during which a third of the funding was diverted to counter-terrorism and other national security activities.
Because of such delays, the National Audit Office noted that it is unclear whether the goals of the National Cyber Security Programme will be met by 2021, and the Cabinet Office itself has acknowledged that addressing all the cyber-security challenges set out in the Strategy may take longer than 2021.
The NAO also noted in its report that the Cabinet Office waited until 2018 to launch a framework for assessing the performance of both the Programme and the Strategy, and to ask departments to spend more on measuring their progress against objectives. Even though the introduction of the framework is a welcome move, the two-year delay could affect programme deadlines, as it will take time for any benefits to materialise.
Considering that the National Cyber Security Programme is already facing delays as well as inadequate funding, the NAO recommended that the Cabinet Office establish which areas of the Programme are having the greatest impact and are most important to address, and then focus its resources on those areas until 2021.
It added that after 2021 the Cabinet Office should develop a fresh cyber-security strategy that sets out which work should be centrally funded, which areas are private-sector responsibilities and which are core departmental activities, and should also consider initiating a mixture of shorter programmes that will be easier to measure and to achieve.
"Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat," said Amyas Morse, the head of the NAO.
Commenting on the NAO's findings on how the National Cyber Security Strategy was inadequately planned, funded and implemented, Andrew Bushby, UK director at Fidelis Cybersecurity, told SC Magazine UK that the UK government cannot afford to sit back and passively wait for adversaries to flex their muscles.
"While there have been improvements made in recent years, it is critical that the state and local government employ stronger detection methods across the kill chain, as well as proactively hunt for threats that bypass legacy prevention and detection tools.
"Moving forward, all branches of government need to adopt a ‘lean-forward’ approach to map their cyber-terrain and understand risks for the most critical services – only then might the UK Government be able to fully deliver on its promise to protect the country’s infrastructure and, ultimately, the safety of the people," he added.
"The fact that £1.3 billion has been allocated to this programme without the basic questions being asked is a damning indictment of the way in which the Cabinet Office is using public funds to improve the state of cybersecurity in the UK," said Paul McKay, senior analyst at Forrester.
"It’s interesting that the programme was funded before a strategy was put in place as understanding the business case for investment in security and measuring these outcomes is a vital activity. In particular, the slow progress of improvements in securing critical national infrastructure against cyber-threats is concerning.
"On a more positive note, the role of the National Cyber Security Centre in implementing much of the new strategy is to be welcomed. Proactive technical steps such as implementing email filtering technologies ... have put it on the right footing to help businesses going forward in the future, though it too suffers from a lack of capacity to meet demand for its expertise.
"We urge the government to act quickly on the recommendations in the NAO report and accelerate plans to close the talent chasm in the industry (which is expected to reach 1.3 million vacancies unfilled by 2021). Without the right level of capacity, the UK government is unlikely to meet the programme's objectives or to be able to proactively plan the next stage of the National Cyber Security Programme starting in 2021," he added.