15. The Cabinet Office does not mandate how departments should report on the costs and benefits of their information protection initiatives. It is instead trying to provide a framework within which departments can deliver. However, there is a voluntary feel to the process of departments reporting this information. The Cabinet Office told us that it often gets told “we ask too many questions too frequently of Departments about what they are doing”.
16. There is no single body responsible for collecting data on the costs and benefits of current information security activities and projects. The costs of protecting information across government are therefore unclear. The Cabinet Office explained that it does not collect cost and benefit data across departments because the activities are too dissimilar to be comparable and it is difficult to isolate the cost of the security elements of a project from the overall expenditure. It gave the Department of Work & Pensions (DWP) and Her Majesty’s Revenue & Customs (HMRC) as examples of two departments with comparable businesses but fundamentally different security systems: DWP is building and securing the universal credit system, whereas HMRC is securing a decades-old VAT mainframe system. The two tasks have very different expenditure profiles and requirements, which the Cabinet Office feels would limit the usefulness of such information for central decision-making.
17. Only the Cabinet Office is in a position to demand clear and consistent cost and performance data across central government departments. The threat from hostile attacks upon UK cyber space is one of the top four risks (highest priority, taking account of both likelihood and impact) to the UK’s national security. The Cabinet Office is currently making decisions on a ‘system by system and department by department’ basis, and there is no central register of cyber risk, or of the cost of, and progress towards, mitigating that risk. Without this, the Cabinet Office is limited in its ability to make a strategic assessment of where to allocate resources to minimise risks and maximise value for money.
18. The Cabinet Office does not collect or analyse government’s performance in protecting information on a routine or timely basis, and departments’ self-reporting processes vary widely. The National Audit Office found that in 2014–15, the 17 largest departments recorded a total of 14 personal data incidents that they considered reportable to the Information Commissioner’s Office, and recorded 8,981 non-reportable incidents. Of the 8,981, HMRC recorded 6,038 (67%) and the MoJ 2,798 (31%). The other 15 departments recorded only 145 between them, fewer than 2% of the total. Several departments recorded no non-reportable incidents at all, including the DWP, a large department with a comparable level of online activity to HMRC. We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however, these are not consistently recorded as data breaches by departments. The Cabinet Office was not aware of the wide variability and inconsistency of departments’ self-reporting processes prior to the National Audit Office’s analysis.
19. Departments are uncertain about when to record and report a data breach because guidance from the Information Commissioner’s Office is not sufficiently specific for adoption by the Government. Departments with a high reporting rate may in fact be better protected, because they have developed a reporting culture that allows early identification of threats. The Cabinet Office noted that HMRC, which recorded the highest number of breaches in 2014–15, has an online reporting tool to record data breaches. Other departments’ systems are less established or have less maturity and capability for collecting that data. The Cabinet Office is considering whether to roll out HMRC’s data breach reporting tool to the rest of Government. It emphasised that the government’s response to cyber-security threats is critical and that it needs to focus on ensuring processes and capabilities are in place to be able to respond effectively.
20. The European Union General Data Protection Regulation (GDPR) and the Directive on Security of Network and Information Systems (NIS) are due for introduction in May 2018. The Secretary of State for Culture, Media and Sport, the Rt Hon Karen Bradley MP, confirmed at the Culture, Media and Sport Select Committee on 24 October that the UK will be implementing the GDPR. The NIS Directive will be implemented via secondary legislation.
21. The GDPR mandates that a notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR also recognises that it will often be impossible to investigate a breach fully within that time period and allows the organisation to provide information in phases. If the breach is sufficiently serious to warrant notification to the public, the organisation must do so without undue delay. The UK was a major contributor to the design and development of the GDPR, and the Cabinet Office will have a role in interpreting these regulations for UK government departments. However, the Cabinet Office is trying to converge government’s use of data, IT and systems with the industry model and commercial good practice to reduce the need for reinterpretation.
22. There is a national shortage of skilled people available for information protection, and this is reflected in the public sector. The Cabinet Office does not know whether departments in general will have sufficient skilled people in post as the demand for online public services grows and the cyber threat increases. In 2013 the centre responded to skilled staff shortages by setting up a government security profession to establish professional learning and career development activities for all civil servants working in this field. However, departments are struggling to place people with the right skills, and there is no mandatory training, certification or regulation of senior information risk owners (SIROs) or departmental security officers (DSOs).
23. The Cabinet Office has asked departments on an annual basis whether their SIROs (a board-level official or member of the organisation) were trained, for example through the National Archives training scheme. It found that senior civil servants were often not according the necessary priority to security training courses. In these cases, the Cabinet Office placed responsibility on the DSOs to ensure that senior leaders who are responsible for security understand their responsibilities and the system within which they work. Events such as the TalkTalk or Tesco data breaches have also impressed on boards the need to become more intelligent customers. In May 2016, the Cabinet Office began planning the formal withdrawal of the SIRO role and the development of chief security officers. This role has now been allocated as a full-time chief security officer who addresses all aspects of security within government.
24. The Cabinet Office agreed that it would be necessary to mandate security training and ensure board familiarity. The Cabinet Office has moved away from the prescriptive policies and mandating of a few years ago, which inhibited technology adoption, to a more flexible statement of the security requirement, leaving departments to decide how to specify and achieve it. However, the Cabinet Office found that over time the standard and application of this framework drifted. The Cabinet Office is now planning to amalgamate 40 separate departmental security teams into four larger clusters, and has established the first pilot cluster. These clusters are intended to better enable the sharing of scarce skills across central government. The roll-out of clusters is planned for late 2018 to early 2019, and each cluster will be headed by a trained and certified chief security officer.
1 February 2017