Whitehall slammed for poor cyber security coordination and 'dysfunctional' breach reporting

Written by Rebecca Hill on 3 February 2017 in News

The government has taken too long to consolidate and coordinate the “alphabet soup” of cyber security agencies and faces “a real struggle” to find staff with the right skills to tackle threats, MPs have said.

As global cyber threats increase, PAC says UK needs to up its game - Photo credit: Pixabay

The criticisms come in the Public Accounts Committee’s report Protecting Information Across Government, which was published today.

In it, the MPs note the ever-increasing number of cyber attacks faced by governments across the world, and say the UK government’s poor past performance on cyber security “reduces our confidence” for the future.

“Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks,” said committee chairwoman Meg Hillier.

Related content

“Active cyber defence”: UK’s first National Cyber Security Centre chief sets out strategy
UK cyber security centre promises to boost local government focus
Are we entering a 'cognitive era'?

Echoing the analysis of central government coordination and leadership made in September 2016 by the National Audit Office, the MPs’ report said that the Cabinet Office’s role in protecting information “remains unclear within central government”.

The committee said that, despite being aware of the problem posed by multiple agencies dealing with cyber security, the government still had too many lines of accountability “with little coherence between them”.

It acknowledged that the creation of the National Cyber Security Centre, which was officially opened in summer last year, aimed to bring the disparate groups working on cyber intelligence and security across the country together but that more details of its work were needed quickly.

“The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance,” the report said.

It called on the government to publish a detailed work plan for the centre by the end of this financial year, covering who the centre will support, what assistance it will provide and how it will communicate with organisations.

“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” said Hillier.

The report also said that there was too little emphasis on informing and supporting the wider public sector, and a lack of coordination with other public bodies – something that has been raised repeatedly by local authorities, which have said they are concerned about being the “weak link” in UK cyber security efforts.

This lack of coordination “is of particular concern, given the government’s extensive reliance on arm’s length bodies to deliver core public services and functions, with more than 450 arm’s length bodies through which the government spends around £250 billion annually”, the MPs said.

Instead of relying on those organisations to resolve security issues themselves, and to know when the risk is significant enough to contact the NCSC, the committee said government should work to ensure that there is more information and support available to those bodies.

Central government reporting processes also came under fire in the report, which branded those for recording departmental personal data breaches “chaotic”, “inconsistent and dysfunctional”.

The report pointed to “major and unexplained variations” in the extent to which departments report them: of the 8,981 non-reportable incidents that were recorded by the 17 largest departments, 67% were recorded by HMRC and 31% by the Ministry of Justice.

"The Cabinet Office’s ability to make informed information security decisions is undermined by inconsistent and chaotic processes for recording personal data breaches"

The remaining 15 departments – including the large and digitally-active Department for Work and Pensions – recorded just 145 between them.

The MPs argued that encouraging a culture of recording of incidents would help departments identify threats early on, and said the Cabinet Office should work with the Information Commissioner’s Office to establish best practice reporting guidelines for departments.

Meanwhile, the committee raised concerns that the government was “struggling to ensure its security profession has the skills it needs” to match the rapid and changing landscape of cyber security.

It said that, although a security profession was established in 2013, it was unclear what skills gaps still exist and how they could be filled when there was a UK-wide skills shortage in the field, and urged the government to focus on identifying and filling those gaps.

The MPs also called for the Cabinet Office to report the results of a pilot scheme that will see 40 separate departmental security teams being brought into four large clusters to the committee within six months.

A further criticism levelled at the government was that it had failed to properly manage central government information projects, saying that they were not delivering as planned and needed to be challenged and reviewed on a more regular basis.

For instance, it said, there has never been a detailed financial business case produced for the Government Security Classifications system – a three-point system to classify information consistently across government – meaning there is no baseline against which to judge its progress or potential savings.

Finally, the Cabinet Office was told to do more to assess the cost and performance of government information security activities. The committee said that its failure to mandate how departments should report on the costs and benefits of their information protection efforts has made it hard to tell which projects are providing value for money. 

The government last year published its national cyber security strategy, which focused on defence, deterrence and innovation, along with commitments to greater international cooperation to deal with global threats, and is to be funded with the £1.9bn cyber investment first announced in the 2015 spending review.

Share this page




Please login to post a comment or register for a free account.


Geoff Duke (not verified)

Submitted on 3 February, 2017 - 11:37
Reporting lacking due to unwillingness to be a focal point for something bad - so as not to be blamed or associated - political choice to say nothing and not report seems to be order of the day. Overall cost, performance, business case scenario absolutely reeks of a lack of fundamental risk management. Cybersecurity should be deemed as part of risk management but if risk managment is lacking to start with then there is little basis for critical thinking.

Related Articles

Gove believes Whitehall reform plans will not suffer because of close association with Cummings
7 July 2020

Cabinet Office minister said that, despite the controversy that often surrounds the PM’s top adviser, ‘people are interested in Dominic and his ideas’

Cyber national security: how the UK has prepared itself for major attacks
6 July 2020

We are approaching the fourth anniversary of the foundation of the NCSC and the threats it was created to respond to loom larger than ever. PublicTechnology examines the growth of the UK’...

Related Sponsored Articles

Interview: CyberArk EMEA chief on how government has become a security leader
29 May 2020

PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right

Accelerating sustainability in the age of disruption
21 May 2020

HPE shows why organisations are increasingly seeking to understand and consider the environmental impacts of their IT purchasing decisions