1. It has taken too long to consolidate and coordinate the ‘alphabet soup’ of agencies involved in protecting Britain in cyberspace. The threat from cyber attacks has been one of the UK’s top four risks to national security since 2010. Numerous teams and organisations were formed in government, with overlapping mandates and activities related to protecting information. In November 2015 the then Chancellor of the Exchequer noted this problem and the need to “address the alphabet soup of agencies involved in protecting Britain in cyberspace”. As recently as April 2016, there were still at least 12 separate teams or organisations in the centre of government with a role in protecting information. There were several lines of accountability with little coherence between them. The Cabinet Office has since amalgamated many of these bodies into the National Cyber Security Centre (NCSC), designed to act as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents; and the Cabinet Office’s Cyber and Government Security Directorate, responsible for all aspects of government protective security. The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance.
Recommendation: The Cabinet Office should develop a detailed plan for the NCSC by the end of this financial year, setting out who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance.
2. The Cabinet Office’s approach to protecting information places too little emphasis on informing and supporting citizens, service users, and the wider public sector beyond Whitehall. There are increasing dependencies and associated information flows between central government, the wider public sector, delivery partners, citizens and service users. The Cabinet Office has no formal role to provide oversight, coordination and support to the wider public sector in the same way that it does for central government. A founding principle of the Government’s security strategy is that any public body holding official information or data is responsible for securing that data. The Cabinet Office is relying on those organisations to resolve the majority of security requirements through commercially available products and services, but also to know when the risk is significant enough to contact the NCSC. According to the Barclays Digital Development Index, Britain is below Brazil, South Africa and China at keeping our phones and laptops secure. There is too little emphasis on informing and supporting the public sector, delivery partners, and individual users of government websites, particularly on what to do if a data breach incident occurs. This is of particular concern given the Government’s extensive reliance on arm’s length bodies to deliver core public services and functions, with more than 450 arm’s length bodies through which the Government spends around £250 billion annually.
Recommendation: The government should establish a clear approach for protecting information across the whole of the public sector and delivery partners—not just central government—and clearly communicate to all these bodies how its various policy and guidance documents can be of most use, including during a data breach incident.
3. Centrally managed government information projects are not yet delivering as planned. The Government Security Classifications system (a three-point system to classify information consistently across government), the Public Services Network (a high performance network to allow public sector bodies to share resources securely) and the Foxhound project (a confidential network to allow the sharing of classified information across government) have been slow to deliver planned benefits or significant financial savings due to poor planning. These projects pose considerable business change, cultural and technical challenges because the systems in place need to be sufficiently robust to keep up with the pace of change. Initial project assumptions have been optimistic and have not been challenged at regular intervals to ensure they remain valid and facilitate accountability. For example, the Government ignored its own advice by not undertaking a detailed financial business case for the Government Security Classifications system. This project was initially forecast to deliver between £110 million and £150 million annually in benefits. Having never completed a detailed financial business case, the Department did not have confidence in these figures and consequently has not had a baseline against which to judge whether the GSC has produced any financial benefits.
Recommendation: The Cabinet Office should ensure that there is robust challenge built into the design of these projects and review them regularly. It should monitor spend against budget and be clear that the expected benefits for cyber security are still achievable.
4. The Cabinet Office’s attitude to departmental reporting has led to poor monitoring of the costs and performance of individual departments’ efforts to protect information. The Cabinet Office does not mandate how departments should report on the costs and benefits of their information protection initiatives, nor does it believe that a clear, central view of these costs would be useful for its decision making. The Cabinet Office argued that fundamentally different requirements for protecting information across departments mean there are different expenditure profiles, which limit the usefulness of having such information for central decision-making. However, only the Cabinet Office is in a position to demand clear and consistent cost and performance data across central government departments, to allow it to assess challenges and allocate resources accordingly to minimise risks and maximise value for money.
Recommendation: The Cabinet Office should regularly assess the cost and performance of government information security activities, and identify a set of baseline indicators that departments should report against to support this objective.
5. The Cabinet Office’s ability to make informed information security decisions is undermined by inconsistent and chaotic processes for recording personal data breaches. There are major and unexplained variations in the extent to which individual departments report security breaches. In 2014–15, the 17 largest departments recorded a total of 14 data incidents that they considered reportable to the Information Commissioner’s Office, and recorded 8,981 non-reportable incidents. Of the 8,981, Her Majesty’s Revenue and Customs recorded 6,038 (67%) and the Ministry of Justice 2,798 (31%). The other 15 departments recorded only 145 between them, fewer than 2% of the total. Several departments recorded no non-reportable incidents at all, including the Department for Work and Pensions, a large department with a comparable level of online activity to HMRC. We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however, these are not consistently recorded as data breaches. The Cabinet Office does not collect or analyse departments’ performance in protecting information on a routine or timely basis and was not aware of the wide variability and inconsistency of departments’ self-reporting processes prior to the National Audit Office’s analysis. Departments with a high reporting rate are likely to be better protected because they have developed a reporting culture to allow early identification of threats. Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention.
Recommendation: The Cabinet Office should consult with the Information Commissioner’s Office to establish best practice reporting guidelines and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017–18 financial year.
6. The Government is struggling to ensure its security profession is suitably skilled. The Cabinet Office established a security profession in 2013 to develop professional learning and career development activities for civil servants working in this field. However, it remains unclear what skills gaps exist and how to fill them in the face of UK-wide skills shortages in this field. The Cabinet Office is also unwilling to mandate a minimum skills standard for departments in the security profession. It is planning to amalgamate 40 separate departmental security teams into four larger clusters, and has established the first pilot cluster, to better enable the sharing of scarce skills across central government.
Recommendation: The Cabinet Office should write to us within six months of this report, setting out its findings from the pilot security cluster and what steps it is taking to improve government’s capability in this area.
1 February 2017