
Government failed to produce business case for £1.9bn cyber security strategy, says NAO

The government cannot say whether the £1.9bn National Cyber Security Strategy will meet its targets because of failings in the way it was set up, according to a damning report by the UK’s public spending watchdog.

An investigation by the National Audit Office (NAO) revealed that the Cabinet Office failed to produce a business case for the strategy before it was established, preventing Treasury officials from assessing how much it would cost. Unanswered funding questions led to delays over the first two years of the programme, which was launched in 2016, as funds were reallocated to other security initiatives.

The Cabinet Office’s failure to assess whether £1.9bn would be sufficient for the project means it remains unclear if the strategy’s targets will be met, the NAO found.

However, the report did acknowledge that the National Cyber Security Centre has made strides in cracking down on the cyber threat. “The NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years,” the NAO stated.

In light of concerns about a lack of accountability, the Cabinet Office has introduced more stringent measures to assess the performance of the programme. But questions remain about its ability to assess the programme’s impact, with officials stating they only have “high” confidence in the quality of its performance metrics for one of the 12 strategic outcomes.

The head of the NAO, Amyas Morse, said in a statement: “Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security.

“However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”