Inadequate funding, lack of clarity over the costs involved, and the lack of an adequate framework to assess the performance of the five-year National Cyber Security Programme almost derailed the programme in the first two years of its existence and could even keep it from being completed within mandated timelines.
This was revealed by a report from the National Audit Office, which stated that even though the National Cyber Security Centre, which was set up under the National Cyber Security Strategy to make the UK more secure online, has achieved several landmarks since 2016, improper planning and inadequate funding have so far delayed the progress of the National Cyber Security Programme.
The NAO observed that when drafting the National Cyber Security Programme prior to its implementation in 2015, the Cabinet Office failed to produce a business case for the Programme, which left HM Treasury with no way to assess how much money it would need.
Cabinet Office didn't know if £1.9 billion was enough
The Cabinet Office had also not assessed whether the £1.9 billion funding for the National Cyber Security Strategy (which included £1.3 billion of funding for the National Cyber Security Programme) was sufficient to achieve programme goals by 2021. As a result, the Cabinet Office recently acknowledged that it cannot say for sure if all the cyber security challenges set out in the Strategy will be addressed by 2021.
"The work of the Programme was delayed over its first two years as a third of planned funding was reallocated to counter-terrorist and other national security activities. Although this reallocation contributed to enhancing wider national security, it delayed specific projects such as elements of work to understand the cyber threat," NAO observed.
It added that even though the Cabinet Office has introduced a new framework to assess real-time performance of both the National Cyber Security Strategy and the Programme, the framework was introduced only in 2018 and it will take time for any benefits to materialise.
"It will also be difficult for the Cabinet Office to identify what needs to be done to achieve the aims of the Strategy as it only has ‘high’ confidence in the quality of the evidence used to assess progress against one of its 12 strategic outcomes. Funding for the Programme’s final three years up to 2021 is less than that recommended by those departments responsible for delivering each of the Strategy’s strategic outcomes.
"It seems unlikely that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years. This increases the risk of the Cabinet Office making the same mistake that it did in 2015, when funding was agreed before it published its Strategy outlining the government’s approach to cyber security," it added.
National Cyber Security Programme needs a new approach
Commenting on the National Audit Office's findings, Amyas Morse, the head of the NAO, said that even though the government has demonstrated its commitment to improving the UK's cyber security, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021.
Concluding that there is no way the government will be able to address all cyber security issues highlighted in the National Cyber Security Strategy by 2021, the NAO recommended that the government should determine which areas are having the greatest impact and are most important to address and should dedicate all its resources to such areas.
At the same time, the NAO recommended that post-2021, the government should clearly set out which work should be centrally funded, which are private sector responsibilities and which are core departmental activities. It should also break up programme goals into a mixture of shorter programmes to respond better to changing risks.