When the Chancellor of the Exchequer, Philip Hammond, unveiled the government’s new £1.9 billion National Cyber Security Strategy back in 2016, he hailed it as a “major step forward in the fight against cyber attacks”. However, today the National Audit Office (NAO) has said that the government does not know whether the programme will meet its goals, because of Cabinet Office failings.
The strategy had a three-pronged approach - defend, deter and develop - and also saw the launch of the National Cyber Security Centre, which the NAO did describe as a “notable innovation”.
However, it adds that despite the Cabinet Office agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the department “did not produce a business case for the Programme before it was launched”.
This meant that when HM Treasury set its funding in 2015, it had no way to assess how much money it would need.
The work of the programme was also delayed over its first two years, as a third of planned funding was reallocated to counter-terrorist and other national security activities. And whilst this did contribute to enhanced wider national security, it delayed specific projects such as “elements of work to understand the cyber threat”.
Amyas Morse, the head of the NAO, said today:
“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”
What went wrong
The National Audit Office has said that it is unclear whether the Cabinet Office will achieve the Cyber Security Strategy’s wider strategic outcomes by 2021. It notes that whilst this is partly due to the difficulty of dealing with a complex and evolving cyber threat, it is also because the Cabinet Office has not assessed whether the £1.9 billion of funding was ever sufficient.
The Cabinet Office has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy, but it does not yet know how these might be achieved.
The department has since introduced a more robust framework and has asked other departments to spend more money on measuring their progress in meeting objectives. However, this was only done in 2018, and the NAO notes that it will “take time for any benefits to materialise”.
The report out today also highlights that it will be difficult for the Cabinet Office to identify what needs to be done to achieve the aims of the Strategy, as it only has “high confidence” in the quality of the evidence used to assess progress against one of its 12 strategic outcomes.
Also, funding for the programme’s final three years up to 2021 is less than that recommended by the departments responsible for delivering each of the Strategy’s outcomes.
The National Audit Office adds that whilst the Cabinet Office has started preparations for its future approach to cyber security, it “risks repeating previous mistakes”.
The 2019 Spending Review is due soon and will determine government funding for the next few years. The report notes that it seems unlikely that the Cabinet Office will have decided its overall approach to cyber security before then.
The NAO states that this “increases the risk of the Cabinet Office making the same mistake that it did in 2015, when funding was agreed before it published its Strategy outlining the government’s approach to cyber security”.
In terms of recommendations, the NAO said:
“Building on existing work, [the Cabinet Office] should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally-funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.”