1.On the basis of a report by the Comptroller and Auditor General, we took evidence from the Cabinet Office on its role in protecting information across government and how it intends to improve capability across government in protecting information.
2. Protecting the information government holds from unauthorised access or loss is a critical responsibility for government and departmental accounting officers, whether that information is held as paper-based records or in electronic formats. The consequences of data losses and breaches of systems are substantial and can lead to significant harm, distress and reputational damage that can undermine entire programmes. In 2015, GCHQ dealt with an average of 200 national cyber security incidents (defined as attacks which threatened UK national security) per month—up from 100 in 2014. In the same year, government’s 17 largest departments recorded 8,995 personal data breaches.
3. The Prime Minister is ultimately responsible for the security of the information government holds. She is supported in this by the Cabinet Secretary, who chairs a committee which sets the overall direction and strategy for government security. The Cabinet Office is responsible for coordinating this activity across central government departments. In each government department, responsibility for information security lies with the respective ministers, permanent secretaries and their management boards. In recent years, cuts to departmental budgets and staff numbers, and increasing demands from citizens for online public services have changed the way government collects, manages and protects information. Major drivers for this change include successive IT and digital strategies since 2010, as well as the 2012 Civil Service Reform Plan, which placed greater responsibility on departments to protect their own data holdings.
4.Since the publication of the 2010 National Security Strategy, the government has classified cyber attacks as one of the top four threats to the UK’s national security. The Cabinet Office’s second National Cyber Security Strategy, published in November 2016, re-emphasised this threat. Given the apparent importance of the issue, we asked the Cabinet Office whether it was directing sufficient attention to cyber security.
5.As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information. A lack of coordination between these bodies resulted in overlapping and sometimes contradictory specifications and requirements. This has meant that departments have been confused about the roles of these bodies and have not known where to turn to for definitive advice. The Cabinet Office explained that this proliferation of guidance is a result of it trying to account for individual risks as they arose but that it is now attempting to consolidate and streamline the guidance the centre of government produces. In November 2015, the then-Chancellor of the Exchequer noted this problem and the need to: “address the alphabet soup of agencies involved in protecting Britain in cyberspace”.
6.The Cabinet Office has since amalgamated many of these bodies; into the National Cyber Security Centre (NCSC), designed to act as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents; and the Cabinet Office’s Cyber and Government Security Directorate, responsible for all aspects of government protective security. Given that the NCSC only opened in October 2016, its ability to resolve the coordination problems inherent in the previous structure of information protection bodies is untested.
7.The Cabinet Office explained that the success of its objective for the NCSC to provide a clear, single source of advice on cyber security and protecting information would depend on the relevant institutions working together in a new way. The Cabinet Office believes it would have achieved its goals for simplifying the provision of advice when users are directed to the correct organisation by whichever body they first contact.
8.The Cabinet Office is responsible for coordinating information security across central government departments. Its remit does not extend to the wider public sector despite significant data flows between central and local bodies. For example, in 2014–15, the Department of Health spent more than 86% of its £123 billion budget outside the core department. Where central government information is passed onto third parties, the issuing department is responsible for ensuring the information is handled in accordance with government-set rules and regulations. The Cabinet Office acknowledged that protecting information, whether it is in the public sector supply chain or industry, is a challenge for the centre of government. The Cabinet Office has concerns about both the ability of those organisations to meet the standards of central government and the ability of departments to assess and evaluate whether those standards are being met and to know when it is necessary to issue a mandate.
9.According to the Barclays Digital Development Index, Britain is below Brazil, South Africa and China at keeping the nation’s phones and laptops secure: 41% of UK citizens change passwords regularly compared with 59% in India, and only 13% of UK citizens use password generating software, compared with a third of citizens in China and India. An objective of the 2011 National Cyber Security Strategy was for the Government to work with companies that own and manage the UK’s Critical National Infrastructure (CNI) to ensure key data and systems continue to be safe and resilient. To measure progress against this target, the Cabinet Office referred to the Government FTSE 350 Cyber Governance Health Check Report, published May 2016. 113 firms participated, representing around a third of the FTSE 350. While this survey found some improvement in public and commercial understanding of cyber risk management, many companies still need to develop basic information assurance standards to prevent low level malware attacks such as interference with password entries.
10.We queried whether individuals and organisations outside the centre of government will have access to the support and advice of the NCSC. The Cabinet Office set out its expectation that such individuals and organisations should be seeking information protection services from commercial providers with the NCSC’s role being to provide approval of services that are fit-for-purpose. The NCSC has an accessible website that provides contact details enabling government and public to communicate with the agency. However, we have concerns over the ability of the NCSC to manage the volume of security incidents previously channelled through a number of different bodies. 68 incidents were reported to the NCSC in its first month of operation. These incidents varied in scale, nature and target. The Cabinet Office noted that it is unlikely that every inquiry will receive a personal response and that this process relies on the customer understanding when a risk should be escalated to the NCSC.
11.The Cabinet Office is managing a number of projects designed to enable government to better manage its information. The three projects are: the Government Security Classifications (GSC) system, the Public Services Network (PSN) and the Foxhound project. The GSC system, a three-point system for classifying information consistently across government, has replaced the previous six-point security classification system. Its implementation should allow departments to replace expensive, bespoke IT with more flexible and cheaper systems. The PSN is the successor to the government secure intranet and was intended to achieve substantial government cost savings by providing an assured network over which central and local government could safely collaborate. The Foxhound project was originally designed to deliver a single, secret network across government that would offer considerable cost savings by replacing many older systems. Poor planning means that the Cabinet Office does not know if these savings have been delivered.
12.The strategic business case for the GSC used industry comparators to estimate savings each year of between £110 and £150 million. There was no detailed financial business case for this project, since the Cabinet Office could not find accurate data to cover all aspects of security expenditure. Although Departments can make efficiencies by adopting commodity IT services, it is difficult to measure these efficiencies because the benefits are several steps away from changing the classification system. The Cabinet Office therefore cannot say whether it achieved any financial benefits as originally proposed for the GSC.
13.The original plan for the PSN was that it would deliver at least £500 million of savings per year by 2014. The PSN business case update 2011–12 revised this estimate to between £200 million and £400 million per year by 2014. The project achieved annual savings of £60 million, £127 million, £116 million and £103 million respectively in the four years to 2014, all of which are less than the lower limit of the revised estimated annual savings. The Cabinet Office agreed this was a result of unrealistic projections set at the start of the project. The PSN team does not anticipate making any more savings against the original PSN baseline.
14.The Foxhound project is, against its original aspirations, three years late and not on track to deliver the £308 million of anticipated benefits over 10 years. It is clear therefore that the original business case was optimistic in assuming that technical and funding issues could be addressed quickly enough to ensure that the system was in service by 2014. The Cabinet Office noted that the Infrastructure and Projects Authority has completed a review of the Foxhound project in July 2016 and had found improvements. Consequently it moved the project from a red rating to a red-amber rating.
2 , paras 1.1, 1.8, Key Facts
3 , paras 2, 3
5 ; , para 1.24
8 ; para 3.7
9 ; Cabinet Office
10 ; Cabinet Office
11 ; paras 2.22, 2.24, 2.25, 2.33, 2.34, 2.41
12 ; para 2.32
13 ; para 2.40
1 February 2017