
Government can’t clearly say what £1.9bn security strategy will achieve, warn MPs

The Cabinet Office has come under fire for failing to clearly articulate what the £1.9bn National Cyber Security Strategy will have achieved by the time it concludes in 2021.

A review by the Public Accounts Committee revealed that the government expects to meet just one of the strategy’s 12 outcomes by 2021. All but one of the other outcomes were described by the Cabinet Office as “open ended”.

However, officials told the committee that performance measures “related to the confidence [they] had in the evidence that the strategic outcome will be achieved, not the actual deliverability of the strategic outcomes”.

“The [Cabinet Office …] has ‘low confidence’ in the evidence used to assess progress against half the Strategy’s 12 strategic outcomes and it only has ‘high confidence’ in the evidence related to one strategic outcome—which is incident management.”

Three of the 12 outcomes are said to be on track, with a further eight objectives said to have 80 per cent or more of their projects running on time. “[The Cabinet Office] told us that while one project had 73 per cent of its projects on track, it was moving in the right direction,” the committee noted in its report.

“We are disappointed that the [government] was not able to give us a clear idea of what the strategy will deliver by 2021,” said committee chair Meg Hillier in a statement. “This does not represent a resilient security strategy.”

The government does not currently have any plans in place for the strategy beyond 2021. “In the interest of national security, the Cabinet Office [needs] to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined,” Hillier added.

The report comes just over two months after the National Audit Office (NAO) reported that the Cabinet Office had failed to produce a business case for the strategy before it was established, preventing Treasury officials from assessing how much it would cost. This led to budget cuts and funding being diverted to fighting terrorism instead, resulting in delays during the first two years of the project.

The committee also warned that the UK is particularly vulnerable to the rise of cyber attacks because it has one of the world’s leading digital economies. But speaking to NS Tech, Dave Palmer, a former GCHQ and MI5 employee who now works for the security vendor Darktrace, said that the UK had made significant progress in tackling cyber threats domestically. He noted that it should be concerned, however, about trying to establish international norms for the cyber-sphere.

Ian Pratt, the co-founder and president of vendor Bromium, added that the National Cyber Security Centre is doing a “good job” in trying to highlight the basics. “For a lot of organisations, that’s been the most important thing.”