The influential Public Accounts Committee (PAC) has released a report this week criticising the Cabinet Office’s approach to delivering the government’s National Cyber Security Strategy - arguing that a lack of evidence and no business case for the £1.9 billion funding make it hard to measure its success.
The PAC’s report follows recent criticism from the National Audit Office, which stated that it was unclear whether the strategy would achieve its goals because of Cabinet Office failings.
The National Cyber Security Strategy has a three-pronged approach - defend, deter and develop - and has also seen the launch of the National Cyber Security Centre. It was created with the knowledge that the UK has one of the world’s leading digital economies, making it vulnerable to attack from hostile countries, criminal gangs and individuals.
The Cabinet Office has been responsible for managing two five-year National Cyber Security Strategies. It is in the midst of the second, which began in 2016 and will run through to 2021.
However, the PAC states that a weak evidence base and the lack of a business case for the programme that helps to deliver the Strategy make it difficult for the Department to assess whether it will meet all its objectives by 2021. A lack of business case, the PAC adds, also means it is unclear whether the money allocated at the start of the Programme was the right amount, making it more difficult to judge its value.
Chair of the Committee, Meg Hillier, said:
With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks. As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.
We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient. As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy nor the Programme were grounded in business cases – despite being allocated £1.9bn funding.
Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021. This does not represent a resilient security strategy.
The Public Accounts Committee has made a number of recommendations off the back of its findings, some of which include:
The government is yet to set out its plans for its approach to cyber security after 2021. The Committee advises that it needs to start planning now and develop a revised approach before the next Spending Review. Beyond 2021, the department is expecting to put together a portfolio business case, rather than replicating its current approach of individual business cases for each of the 12 objectives of the programme.
The Cabinet Office acknowledges that it cannot be confident that the funding was at the right level and that the estimated funding relied on judgement about the resources required. The department should ensure that, to support any follow-on, it produces a properly costed business case.
The PAC notes that the evidence base used to measure progress of the Strategy is weak. The Cabinet Office has admitted that it has ‘low confidence’ in the evidence used to assess progress against half of the Strategy’s 12 strategic outcomes. The Committee has said that the department should write to it by November 2019, setting out what progress it is making in using evidence-based decisions in prioritising cyber security work. This should include plans for undertaking a ‘lessons learnt’ exercise to capture all relevant evidence from the current Strategy to support any future approach.
When the Cabinet Office publishes its costed plan in autumn 2019 for its future approach to cyber security, it should also set out what the existing Strategy and Programme should deliver by March 2021, and the risks around those areas where it will not meet its strategic outcomes and objectives.
Finally, the department should also write to the PAC by November 2019 outlining how it intends to influence the different sectors in the economy - for example, retail - to provide consumers with information on their cyber resilience. As part of this it should outline how it intends to measure success in protecting consumers.
PAC chair Meg Hillier added:
“In the interest of national security, the Cabinet Office needs to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”