The Public Accounts Committee (PAC) has slammed the Cabinet Office for rushing in the current National Cyber Security Strategy without a proper business case and on the basis of weak evidence, which has made it difficult for the Cabinet Office to assess whether the Strategy will meet all its objectives by 2021.
In early 2016, the Cabinet Office announced that it would invest up to £1.9 billion in its second National Cyber Security Strategy, which would create a National Cyber Security Centre, develop the UK's sovereign capabilities in cyberspace, ensure the UK remains a safe place to do business, and fundamentally alter the economics of cyber crime against UK citizens and businesses.
In the three years since the implementation of the National Cyber Security Strategy, the government has made visible progress in ensuring the security of the country's digital assets. By February 2018, the NCSC's Active Cyber Defence programme enabled it to block 54 million online attacks and to take down 120,000 fake websites run by cyber criminals.
The programme also helped NCSC remove 121,479 phishing sites hosted in the UK and 18,067 hosted in the rest of the world that spoofed UK government websites. It also blocked a total of 515,658 fake e-mails from bogus ‘@gov.uk’ accounts as well as 4.5 million malicious emails on average every month from reaching end users.
NAO slammed the Cabinet Office for nearly derailing the National Cyber Security Strategy
However, the euphoria was short-lived. In March this year, the National Audit Office published a damning report explaining how poorly the National Cyber Security Strategy was planned and how its objectives were unclear and unrealistic.
NAO stated that inadequate funding, lack of clarity over the costs involved, and the lack of an adequate framework to assess the performance of the five-year National Cyber Security Programme almost derailed the programme in the first two years of its existence and could even delay the completion of the programme within mandated timelines.
NAO observed that when it was drafting the National Cyber Security Programme prior to its implementation in 2015, the Cabinet Office failed to produce a business case for the Programme and this resulted in HM Treasury having no way to assess how much money it would need.
The Cabinet Office had also not assessed whether the £1.9 billion funding for the National Cyber Security Strategy (which included £1.3 billion of funding for the National Cyber Security Programme) was sufficient to achieve programme goals by 2021. As a result, the Cabinet Office was forced to acknowledge that it could not say for sure if all the cyber security challenges set out in the Strategy will be addressed by 2021.
PAC holds Cabinet Office guilty of not creating a business case for the Strategy
In a fresh report, Parliament's Public Accounts Committee (PAC) has made very similar observations about how the National Cyber Security Strategy was planned and implemented. PAC noted that a weak evidence base and the lack of a business case have prevented the government from making sufficient progress on developing long-term objectives for the National Security Strategy.
"A weak evidence base and the lack of a business case for the National Cyber Security Programme that helps to deliver the Strategy make it difficult for the Department to assess whether it will meet all its objectives by 2021. A lack of a business case also means it is unclear whether the money allocated at the start of the Programme was the right amount, making it more difficult to judge value for money," PAC said in its report.
"As it currently stands, the Strategy is not supported by the robust evidence the Department [Cabinet Office] needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases – despite being allocated £1.9bn funding," said Meg Hillier MP, Chair of the PAC.
"Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021. This does not represent a resilient security strategy.
"In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined," she added.
While noting that the Cabinet Office was not absolutely confident that the £1.9 billion funding for the Strategy was at the right level, PAC added that as much as a third (£169 million) of the Programme's planned funding for the first two years was either transferred or loaned to support other government national security priorities. £69 million of the transferred funds will never make it back to the Programme.
Based on these lessons, PAC recommends that the government must capture the evidence from the 2011–2016 National Cyber Security Strategy to help develop a baseline for the 2016–2021 National Cyber Security Strategy. All decisions in prioritising cyber security work should be based on evidence from previous strategies and programmes.
At the same time, the government should also set out what the existing Strategy and Programme should deliver by March 2021, and the risks around those areas where it will not meet its strategic outcomes and objectives.