Failings in the way the Cabinet Office established its current cyber security programme raises questions about its plans to tackle cyber-attacks after 2021, according to a report by the National Audit Office.
The UK has one of the world’s leading digital economies, making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks.
The £1.9 billion National Cyber Security Strategy in 2016 outlined how the government aims to make the UK more secure online and included £1.3bn funding for the National Cyber Security Programme, which runs until 2021 and has just passed its mid-point.
The NAO report said the government does not know whether it will meet the programme’s goals.
“The programme has seen the establishment of the National Cyber Security Centre and reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3 per cent to 2.2 per cent in two years,” read the report.
“However the Cabinet Office did not produce a business case for the programme before it was launched. This meant that when HM Treasury set its funding in 2015 it had no way to assess how much money it would need.
“The work of the programme was delayed over its first two years as a third of planned funding was reallocated to counter-terrorist and other national security activities.
“Although this reallocation contributed to enhancing wider national security, it delayed specific projects such as elements of work to understand the cyber threat.
“It is unclear whether the Cabinet Office will achieve the strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient.
“It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the strategy but does not yet know when these might be achieved.”
The NAO recommended that the Cabinet Office establishes which areas of the programme are having the greatest impact and are most important to address, and focus its resources there until 2021.
“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services,” said NAO head Amyas Morse.
“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021.
“Government needs to learn from its mistakes and experiences in order to meet this growing threat.”