Lack of funding for cyber security for government online services
Despite the importance of the digital economy and the move to online services such as Making Tax Digital, the government does not have a sufficiently clear strategy for ensuring cyber security and may not have allocated sufficient funds to its five-year action programme, the National Audit Office (NAO) is warning.
15 Mar 2019
The National Cyber Security Strategy 2016 outlined how the government aims to make the UK more secure online. The £1.9bn strategy included £1.3bn of funding for the National Cyber Security Programme 2016-21, and the NAO’s report assessed progress just beyond the mid-point of the five-year programme.
Its report suggests failings in the way the Cabinet Office established its current cyber security programme mean that the government does not know whether it will meet the programme’s goals and raises questions about its plans to tackle cyber-attacks after 2021.
The Cabinet Office did not produce a business case for the programme before it was launched, meaning that when the Treasury set its funding in 2015 it had no way to assess how much money it would need.
The work of the programme was delayed over its first two years as a third of planned funding was reallocated to counter-terrorist and other national security activities. Although this reallocation contributed to enhancing wider national security, it delayed specific projects such as elements of work to understand the cyber threat.
The NAO says it is unclear whether the Cabinet Office will achieve the strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9bn of funding was ever sufficient. It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the strategy but does not yet know when these might be achieved.
The Cabinet Office has introduced a more robust framework to assess both the programme and strategy’s performance and has asked departments to spend more money on measuring their progress in meeting objectives. However, this was only introduced in 2018 and it will take time for any benefits to materialise.
The NAO also says it will be difficult for the Cabinet Office to identify what needs to be done to achieve the aims of the strategy as it only has ‘high’ confidence in the quality of the evidence used to assess progress against one of its 12 strategic outcomes. Funding for the programme’s final three years up to 2021 is less than that recommended by those departments responsible for delivering each of the strategy’s strategic outcomes.
The Cabinet Office has started preparations for its future approach to cyber security, but risks repeating previous mistakes, the audit watchdog says. It seems unlikely that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years. This increases the risk of the Cabinet Office making the same mistake that it did in 2015, when funding was agreed before it published its strategy outlining the government’s approach to cyber security.
Going forward, the NAO recommends that the Cabinet Office establishes which areas of the programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.
Amyas Morse, head of the NAO, said: ‘Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services.
‘The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021.
‘Government needs to learn from its mistakes and experiences in order to meet this growing threat.’
Report by Pat Sweet