Site navigation

National Cyber Security Strategy Falling Short, Says PAC Report

Dominique Adams


cyber security pad lock

The report criticises the UK Government’s National Cyber Security Strategy for not doing enough to protect consumers, businesses and critical infrastructures from cyber attacks. 

A Public Accounts Committee (PAC) report states that the National Cyber Security Strategy (NCSS) has shown that it did not intend to meet all its outcomes set out in the 2016-2021 strategy, and was unable to say how many it would achieve.

With a budget of £1.9 billion, the value it is delivering to the taxpayer is unclear. Cyber crime detection and prevention, managing risk in the critical national infrastructure, and development of cyber security skills, are among the 12 objectives outlined in the strategy. However, the only outcome it will be able to deliver by the end of the current term is incident management.

The NCSS defines incident management as “the management and coordination of activities to investigate and remediate an actual or potential occurrence of an adverse cyber event that may compromise or cause harm to a system or network”.


According to the report, the department had very low confidence in its ability to achieve its other targets, and was not able to demonstrate the value for taxpayers’ money with its current approach.

The PAC report said it was very difficult to asses value for money in regards to the strategy as there was no business case for the NCSS and the National Cyber Security Programme (NCSP).

In addition, the department had not assessed whether the funding was sufficient to deliver on its objectives. To support future cyber security work, the report has recommended that a properly costed business case be produced.

While the report is critical, it does acknowledge that cyber security is a hard area for the Government to influence and regulate and notes that the government has made progress in improve cyber security to protect consumers and businesses.

An area that requires greater effort, the report said, is Internet of Things (IoT) safety, highlighting the lack of a traffic light-type system to inform consumer choice.

The report added that the Government needs to do more to get large organisations to comprehend the risks of poor cyber security, and to encourage SMEs to “get their cyber security right” within their supply chains.

Shadow Cabinet Minister Jo Platt said: “For the Government to fail to achieve 11 of their own 12 strategic outcomes is an admission of their inability to get a grip on the cyber landscape, which we all ultimately pay the price for.

“Whether it’s the syphoning of funding away from the strategy, the failure to promote good cyber practice among consumers or the incompetent management of the strategy, this report serves as a declaration of no confidence in the Conservatives to keep us safe in the digital age.”

Asserting that the current Government is failing to provide the necessary leadership and protection needed around cyber security, she has called for the setting up of a dedicated ministry.

Committee Chair Meg Hillier MP commented on the findings of the report, saying: “In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”

This is not the first instance when the strategy has come under fire. In March 2019, the National Audit Office (NAO) published a report voicing concerns about the governments ability to meet the NCSS goals.

Echoing the PAC report, NAO also highlighted issues with the allocation of funding and prioritisation around national cyber security work, saying the Government “needs to learn from its mistakes and experiences to meet this growing threat”.

Dominique Profile Picture

Dominique Adams

Staff Writer, DIGIT

Latest News

%d bloggers like this: