UK’s Cybersecurity Cannot Protect Critical Infrastructure, Says Audit Office
The Government does not know where it should concentrate efforts to “make the biggest impact or address the greatest need,” the NAO concluded.
There are “failings” in the way the UK Government plans to protect the nation’s critical infrastructure from cyber attacks, the National Audit Office (NAO) has warned.
NAO’s assessment was detailed in its latest report, which examined the UK’s national cyber-defence plan.
UK businesses and citizens increasingly operate online to deliver economic, social and other benefits, making the country more and more dependent on the internet.
However, the internet is inherently insecure, according to the NAO, and attempts to exploit its weaknesses continue to increase and evolve. While departments and public bodies are responsible for safeguarding their own information, since 2010 the UK Government has taken the view that it needs centrally driven strategies and programmes to ensure the UK effectively manages its exposure to these risks.
The Cabinet Office leads this work, through successive National Cyber Security Strategies published in 2011 and 2016; and separate National Cyber Security Programmes designed to help deliver each Strategy between 2011–2016 and 2016–2021 (the Programme).
The 2016 National Cyber Security Strategy focuses on the steps government will take to make the UK more secure online, covering the overarching themes of Deter, Defend and Develop across 12 strategic outcomes. It is designed to be a cross‑government approach, with specific departments responsible for each of the Strategy’s 12 strategic outcomes (plus a thirteenth – the overarching governance, managed by the Cabinet Office). The Strategy’s 12 strategic outcomes are regarded as equally important and are not prioritised.
The Strategy includes £1.3 billion for the Programme. The Cabinet Office uses a range of metrics to assess progress against the objectives and the strategic outcomes. The Programme has a broad scope, from developing cyber skills in the UK, to technical measures to defend against attacks, to considering how to incentivise organisations to make their digital systems more secure.
The NAO’s audit sought to answer the question: “Is the Cabinet Office effectively coordinating the 2016–2021 National Cyber Security Programme?”
An office spokesperson said: “By refreshing its National Cyber Security Strategy in 2016 the Government has shown an important commitment to improving cyber security. Such an approach is vital to ensure that the rapidly evolving risk from cyber-attacks does not undermine the UK’s ambition of building a digital economy and transforming public services.”
The National Cyber Security Programme has provided a focal point for cyber activity across government and has already led to some notable innovation, they noted, such as the establishment of the National Cyber Security Centre.
“However, despite recent improvements in the Programme’s management and delivery record, it was established with inadequate baselines for allocating resources, deciding on priorities or measuring progress effectively,” the spokesperson explained.
The report noted, for example, that less than 80% of cybersecurity projects intended to protect power plants and hospitals would be completed on time.
“With two years of the Programme still to run this makes it hard to say whether it will provide value for money,” the spokesperson said. “Ultimately, the Cabinet Office can best demonstrate value for money if the Programme’s objectives are delivered by 2021 and can then be shown to have maximised their contribution to the wider Strategy.
“Looking ahead to the UK’s longer-term position, the Cabinet Office needs to build on its current work to ensure there is adequate planning for what activity government might undertake after the existing Programme ends.