The government recently launched a "Call for Evidence" as part of its review of cyber security initiatives and regulation to understand the barriers which prevent organisations from improving their cyber security, to gauge the effectiveness of existing cyber security regulations, and to develop a range of policy proposals to address any gaps in its National Cyber Security Strategy.
Organisations belonging to all sectors and of all sizes across the UK are being encouraged to respond to the government's Call for Evidence either by completing an online survey or by emailing comments, documents, or suggestions to the government on or before 20 December 2019.
The government's review of cyber security initiatives and regulation, of which the feedback process is a part, is an exercise in support of its National Cyber Security Strategy 2016-2021, whose objective is to make the UK the safest place to live and do business online.
"Good cyber security is an absolute necessity but recent research shows less than a fifth of company Boards understand the impact associated with cyber threat. I hope this review will encourage the industry to think about what government could do to help and what incentives might encourage firms and businesses to manage their cyber risk," said Digital Minister Matt Warman.
"By driving cyber security improvements across the whole economy we can help make the UK the safest place to live and do business online."
Through its online survey, the government is seeking opinion and feedback from organisations, membership bodies, consultancies, auditors, insurers, investors, corporate and risk governance bodies, regulators and professional associations on the barriers to taking action on cyber security, and what more the government and regulators can do to stimulate more effective cyber risk management.
National Cyber Security Strategy lacks a proper business case & is based on weak evidence
The launch of the "Call for Evidence" comes not long after the Public Accounts Committee (PAC) slammed the Cabinet Office for rushing in the current National Cyber Security Strategy without a proper business case and on the basis of weak evidence, which has made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.
In a report published in June this year, PAC noted that a weak evidence base and the lack of a business case have prevented the government from making sufficient progress on developing long-term objectives for the National Security Strategy. It was also unclear if the £1.9 billion funding for the National Cyber Security Strategy was sufficient to achieve programme goals by 2021.
"In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined," said Meg Hillier MP, Chair of the PAC.
While noting that the Cabinet Office was not absolutely confident that the £1.9 billion funding for the Strategy was at the right level, PAC added that as much as a third (£169 million) of the Programme’s planned funding for the first two years was either transferred or loaned to support other government national security priorities. £69 million out of the transferred funds will never make it back to the Programme.
Based on these lessons, PAC recommended that the government must capture the evidence from the 2011–2016 National Cyber Security Strategy to help develop a baseline for the 2016–2021 National Cyber Security Strategy. All decisions in prioritising cyber security work should be based on evidence from previous strategies and programmes.
At the same time, the government should also set out what the existing Strategy and Programme should deliver by March 2021, and the risks around those areas where it will not meet its strategic outcomes and objectives.