Parliamentary committee says progress is being made but is being ‘hampered by a weak evidence base and lack of business case’
The UK National Cyber Security Strategy needs clearer long-term objectives built on a firmer evidential basis, according to a new report from the Public Accounts Committee.
A report published today by the committee finds that the strategy, which covers the five-year period from 2016 to 2021, has been “hampered by a weak evidence base and lack of business case”.
The rollout of the strategy, which follows on from a similar plan that covered the 2011-2016 period, is the responsibility of the Cabinet Office. MPs acknowledged that the department “is beginning to make progress in meeting the strategic outcomes of the strategy after a poor start”.
But the report said that a lack of clarity makes it difficult to judge the likelihood of the strategy achieving its objectives. The Public Accounts Committee (PAC) has set out five conclusions about the strategy’s challenges and shortcomings, each paired with a recommendation for how it can be addressed.
The first conclusion is that “the UK is particularly vulnerable to the risk of cyberattacks”. In light of this, the committee recommends that the Cabinet Office ensures that another long-term plan for cybersecurity in the UK is in place long before the March 2021 end date of the existing strategy.
MPs also concluded that the department “cannot justify how its approach to cybersecurity is delivering value for money”. To remedy this, the Cabinet Office must make sure any further long-term plans for cybersecurity are supported by “a properly costed business case”.
The central government department also “lacks the robust evidence base it needs to make informed decisions about cybersecurity”, the report concluded. MPs have requested that the Cabinet Office write to them before November 2019 “setting out what progress it is making in using evidence-based decisions in prioritising cybersecurity work”.
The report added: “This should include plans for undertaking a robust ‘lessons learnt’ exercise to capture all relevant evidence from the current strategy and programme to support any future approach to cybersecurity.”
The penultimate conclusion of the report is that “the department has not been clear what the strategy will actually deliver by 2021”. MPs recommend that the Cabinet Office publishes in autumn 2019 a clear set of goals for what the strategy should deliver, as well as “the risks around those areas where it will not meet its strategic outcomes and objectives”.
Finally, PAC concludes that “government has not yet done enough to enhance cybersecurity throughout the economy and better protect consumers”. In remediation, the Cabinet Office is asked to write to the committee sometime in the next five months “outlining how it intends to influence the different sectors in the economy… to provide consumers with information on their cyber resilience”. Additionally, the committee said that the post-2021 cybersecurity strategy should include plans for how best to protect consumers.
Committee chair Meg Hillier said: “We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the programme were grounded in business cases – despite being allocated £1.9bn funding.”
She added: “Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy. In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyberattacks: future plans should be based on strong evidence, business cases should be rigorously costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”