The Public Accounts Committee has found that the UK government has not made sufficient progress on developing long-term objectives for the National Security Strategy.
According to the announcement made today, a weak evidence base and a lack of a business case for the National Cyber Security Programme made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.
The National Cyber Security Centre (NCSC) has dealt with over 1100 cybersecurity incidents since it was established in October 2016. CSC chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficient," she explained.
"As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the program were grounded in business cases – despite being allocated £1.9bn funding.
"Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy."
Since 2011, the Cabinet Office has managed two five-year national cybersecurity strategies. According to the report, it is beginning to make progress in meeting the strategic outcomes of the current one, the 2016–2021 National Cyber Security Strategy, after a poor start.
But the report also found that, in addition to the weak evidence base, it is unclear whether the money allocated at the start of the program was the right amount, making it more difficult to judge value for money.
A third (£169m) of the program’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counterterrorism activities, according to the Public Accounts Committee. Some £69m of this funding will not be returned to the program, which seems at odds with the government’s claim that cybersecurity is a priority.
The recommendations include that the Cabinet Office ensure another long-term coordinated approach to cybersecurity is in place before the current one finishes in March 2021. Further, it has suggested that a business case should be produced.
The CSC has asked the Cabinet Office to write to it by November 2019, setting out what progress it is making in using evidence-based decisions in prioritizing cybersecurity work. This includes plans for undertaking a robust "lessons learned" exercise.
It is also expected that the Cabinet Office will publish its costed plan for the strategy in autumn 2019.