1. The UK is particularly vulnerable to the risk of cyber-attacks. As one of the world’s leading digital economies and a global leader in putting government systems online, the UK presents an unusually large and attractive attack surface. The National Cyber Security Centre (NCSC) has dealt with over 1,100 cyber security incidents since it was established in October 2016. The cyber-attack threat is evolving fast and becoming technically more complex, with the boundaries between state-orchestrated attacks and those of cyber criminals increasingly blurred. The government introduced a coordinated approach to cyber security in 2010 and has since published two five-year strategies (National Cyber Security Strategy 2011–2016, and National Cyber Security Strategy 2016–2021). It has yet to set out its plans for its approach to cyber security after 2021. It needs to start planning now and develop a revised approach before the next Spending Review, which we understand should be announced as part of the 2019 autumn budget. Beyond 2021, the Department is expecting to put together a portfolio business case, rather than replicating its current approach of individual business cases for each of the 12 objectives of the Programme.
Recommendation: The Department should ensure another long-term coordinated approach to cyber security is put in place well in advance of the current Strategy finishing in March 2021.
2. The Department cannot justify how its approach to cyber security is delivering value for money. The £1.9 billion funding for the Strategy, including £1.3 billion for the Programme, was allocated via the 2015 Spending Review. The Department did not develop a business case for the Strategy or the Programme, although the teams that manage each of the 12 objectives that make up the Programme do produce their own annual business cases. This means that the Department did not assess at the outset whether £1.3 billion was the right amount needed to deliver the Programme, which makes it more challenging to assess value for money. The Department acknowledges that it was not absolutely confident that the funding was at the right level, and that the estimate relied on a judgement about the resources required, the level of risk involved and the impact intended. It asserts that, because its approach was cutting edge, there was no existing approach or model for building a national cyber security strategy or programme on which it could base its assessment. The Department is nonetheless unable to explain what proportion of the overall Strategy the Programme itself is expected to deliver. In addition, a third (£169 million) of the Programme’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counter-terrorism activities. Some £69 million of this funding will not be returned to the Programme, which seems at odds with the government’s claim that cyber security is a priority.
Recommendation: The Department should ensure that, to support any follow-on, long-term and coordinated approach to cyber security, it produces a properly costed business case.
3. The Department lacks the robust evidence base it needs to make informed decisions about cyber security. The evidence base used to measure progress of the Strategy is weak. The Department has admitted that it has ‘low confidence’ in the evidence used to assess progress against half of the Strategy’s 12 strategic outcomes, and has ‘high confidence’ in the evidence for only one strategic outcome, incident management. The Department did not conduct a robust ‘lessons learnt’ exercise to capture the evidence from the 2011–2016 National Cyber Security Strategy to help develop a baseline for the 2016–2021 National Cyber Security Strategy. Although the Department has been involved in aspects of cyber security for many years, it often lacks evidence about the impact of its work; for example, on the demand for cyber skills. However, the Department has developed sufficient understanding in some areas to stop work where it is clear the desired impact has not been achieved. Its active cyber defence work is making good progress in generating evidence for future investments. Looking ahead, the Department is beginning work to ensure that it captures the relevant lessons from the current Strategy and hopes to develop a continuous process of learning rather than waiting until the Strategy ends in 2021.
Recommendation: The Department should write to the Committee by November 2019 setting out what progress it is making in using evidence-based decisions in prioritising cyber security work. This should include plans for undertaking a robust ‘lessons learnt’ exercise to capture all relevant evidence from the current Strategy and Programme to support any future approach to cyber security.
4. The Department has not been clear what the Strategy will actually deliver by 2021. The Department asserts that it did not intend to deliver all 12 strategic outcomes by the end of the Strategy in 2021, although it is unable to say how many it did intend to achieve. The evidence we heard suggests the Strategy committed to delivering two outcomes by 2021, although currently it is only on track to deliver a single strategic outcome, ‘incident management’. The Department’s ‘low confidence’ in the quality of the evidence underpinning the assessment of progress against many of the remaining 11 strategic outcomes gives us little confidence in the Department’s progress up to 2021. Regarding the performance indicators for the Programme that supports the Strategy, the Department is currently achieving only three of its 12 objectives. Unlike during the 2011–2016 National Cyber Security Strategy, the Department has not published any updates on progress since the current Strategy began, despite agreeing in the Strategy to report progress on an annual basis. It has committed to doing so in future and expects to produce its first report in May 2019.
Recommendation: When the Department publishes its costed plan in autumn 2019 for its future approach to cyber security it should also set out what the existing Strategy and Programme should deliver by March 2021, and the risks around those areas where it will not meet its strategic outcomes and objectives.
5. Government has not yet done enough to enhance cyber security throughout the economy and better protect consumers. It is difficult for consumers to know whether the internet-enabled devices they buy, or the companies they give their details to online, are holding their information securely. For example, a trusted brand like British Airways was hacked in 2018, and the personal data of 380,000 customers was stolen. There is currently no ‘traffic light’ or ‘kitemark’ system to inform consumer choice on how cyber secure the products they buy are, unlike recognised standards in other areas such as food safety. This is a difficult area for government to influence and regulate, although it has made some progress. For example, the NCSC has promoted two-factor authentication, so that a stolen password alone is not enough to take over an account, making thefts of basic personal information less valuable to criminals on the open market. The NCSC has also worked with the Bank of England to build better cyber security standards. Rather than trying to impose a list of requirements on the banking sector, which may become rapidly outdated, the NCSC has provided technical advice to allow the Bank to judge for itself how best to incorporate cyber security into its statutory mandate to promote financial stability. A similar approach could be developed to support other sectors of the economy, such as retail. Government also needs to involve larger organisations to make sure they recognise their responsibility to encourage the smaller and more vulnerable companies that sit within their long supply chains to get their basic cyber security right. To help this process, in 2018 the NCSC published a guide specifically aimed at small and medium enterprises in an effort to get these organisations to improve their “basic hygiene” in terms of cyber security.
Recommendation: The Department should write to the Committee by November 2019, outlining how it intends to influence the different sectors in the economy, for example retail, to provide consumers with information on their cyber resilience. As part of this it should outline how it intends to measure success in protecting consumers. This should also form part of its approach to cyber security after 2021.
Published: 5 June 2019