Parliamentary auditors have criticized the government for failing to build a clear business case for the UK’s National Cyber Security Programme at inception and ongoing management weaknesses, meaning it’s unclear if it provides value for money.
The National Audit Office (NAO) review of the 2016-21 program highlighted multiple failings on the part of the Cabinet Office, which is leading the strategy.
It claimed that the lack of an initial business case meant there was no way to assess whether the £1.9bn of funding was ever sufficient to meet its 12 strategic objectives. The program was also “reprofiled” in its first two years, with over a third (37%) of funding transferred to other national security activities like counter-terrorism.
However, during this reprofiling, the Cabinet Office failed to develop a “robust performance framework,” only getting around to it in 2018. This means it currently doesn’t have enough evidence to effectively prioritize funding on the objectives “likely to deliver the biggest impact, address the greatest needs and deliver best value for money,” the NAO warned.
In fact, the Cabinet Office only has “high confidence” in meeting one of its 12 strategic outcomes by 2021, incident management, with a lack of quality evidence hampering accurate assessments elsewhere.
These ongoing program management weaknesses will likely continue to 2021, making it difficult to deliver effectively, the NAO said.
After this time, it recommended the Cabinet Office refocus its efforts on understanding which areas are having the greatest impact or are most important to address. The NAO also urged it to engage with other departments to understand their cybersecurity priorities, which could enable them to contribute to a future strategy and facilitate more accurate costing.
Despite the doom and gloom there were some bright spots. The Cabinet Office was praised for successfully establishing the National Cyber Security Centre (NCSC), while it was claimed that its Active Cyber Defence program has already reduced the UK’s vulnerability to some attacks.
The latter was one of the few areas where the Cabinet Office has enough evidence to understand its impact, and has increased funding as a result of its success.
“Improving cybersecurity is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security,” said NAO head, Amyas Morse.
“However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”