NAO calls UK Government Cyber Security Programme a farce
In 2016, the government announced it was to invest £1.9 billion in a National Cyber Security Strategy. The announcement came with a lot of fanfare and claims about where the money would be invested. The Strategy was designed as a cross government approach to making the UK more secure. Of the £1.9bn, £1.3bn was allocated to the UK 2016-2021 National Cyber Security Programme.
The National Audit Office (NAO) has just published its latest progress report on the Programme and it does not make for good reading. The full report runs to a whopping 53 pages which, in places, is far from the most scintillating read. What it does do, however, is deliver a damning insight into the way the Programme is being run.
What did the report find?
The report identifies:
- Inadequate management that continues despite recent improvements
- A poor delivery record which is improving but not enough
- A lack of effective baselines for allocating resources, deciding on priorities or measuring progress
- 37% of the budget from the first two years (£169 million) loaned or transferred to support other activities
- Only 8 of the 12 objectives have at least 80% of the projects supporting them on track
- A low confidence that six projects will achieve their objectives
- National security reasons used to prevent the NAO reporting on 11 of the key strategic outcomes
- A third (107) of the 326 metrics that could track the performance of the Programme and the overall Strategy are not being measured
- No funding for the new capabilities in the Programme to be funded after 2021
- An expectation that there will be no coherent vision for cyber security post 2021 in time for the 2019 Spending Review which will set out funding requirements when the current Programme expires
Overall, this leads the NAO to say that: “With two years of the Programme still to run this makes it hard to say whether it will provide value for money.”
What has gone wrong?
Seemingly right from the beginning. Despite this being the second five year Strategy, it seems that there was a significant lack of understanding about what was involved. The NAO report highlights the fact there was: “No business case for the Programme.” This, in turn, meant there was: “No way to assess how much funding it really required.”
The lack of planning is also one of the reasons that monies were loaned or transferred elsewhere. The grand Strategy announcement was overtaken by other priorities. Counter-terrorism has “borrowed” (£100m) and (£69m) was given to other national security activities. The report does say that there is some cyber security benefit from those but doesn’t say how much.
The lack of planning is also reflected in confusion over roles and responsibilities. This extended from government departments to the private sector. The report stops short of saying if monies was wasted on private sector contracts but confusion is not conducive to value for money.
Adding to the pressure on the government is the claim that: “Two years in the government still lacks the evidence to prioritise those activities that will have the greatest impact.” This will concern those responsible for security in the long-term. It means that there is a significant risk of effective projects being lost and gaps in the Programme appearing.
Not everything is a failure
Among the bad news there is some good news. The success of the National Cyber Security Centre is highlighted. It has created a solid education platform and targeted messaging to businesses. It has also been increasingly involved in responding to certain types of attack. This is as part of its work with the Incident Response Programme. Since 2016, the NCSC has dealt with over 1,100 incidents.
Among the successes for the NCSC has been the blocking of over 54.5 million fake emails in 2017-2018. Many of these promise tax or VAT refunds. This success is part of the Active Cyber Defence Programme that the NCSC has been responsible for. However, despite the efforts of the NCSC and HMRC, those emails continue to circulate and cyber criminals continue to have success.
It is not just emails where the NCSC has been successful. It has brought the time taken to bring down a malicious website from 42 hours to 9 hours. This work has also seen over 53,000 websites closed.
The report states that parts of the Active Cyber Defence have been taken up by other parts of the public sector and the private sector. This is good news. It has certainly provided some relief from commodity attacks. What is not clear is if this is likely to be supported by the government to bring more partners in.
There is also a substantial amount of work being done by UK universities to help close the cyber skills gap. What is missing here is the same interest in vocational training which will deliver help sooner.
What does the industry think?
Not a lot, well not a lot that was printable. Farce, inept, laughable and a national embarrassment were typical of the comments we received via phone calls. Some, however, were understanding and even supportive of the government.
Jake Moore, cyber security specialist at ESET commented: “In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality.”
There was also a view from some comments that businesses who rely on government fixing this are wrong. Spencer Young, RVP EMEA at Imperva told us: “With cyber-crimes on the rise and becoming increasingly sophisticated by the day, the responsibility now lies with businesses to protect their data.
“With a multitude of apps, cloud storage platforms and devices available, organisations are finding that their data security posture is not as robust as it used to be. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.
“The growing popularity of these apps, however, means hackers now have many different entry ways to target an organisation’s data – and potentially cause more exposures and breaches.
“This is why businesses must focus their efforts on protecting their data above all else – regardless of the platform, app or device it sits in or passes through.”
Enterprise Times: What does this mean
Governments and grand plans are history’s way of delivering comedy. The repeated announcement of the initial £1.9bn for cyber security is a good case in point. There was confusion over whether this was a single announcement or multiple chunks of money.
We now know that only £1.3bn made it through to the core Programmes. Spending in the first two years has been limited especially as monies have gone elsewhere. The report also questions if the current plans can be delivered with what is left in the pot.
Of more concern is that fact that there is no serious planning for 2021 and beyond. The cyber threat is growing far faster than government can react. Other governments, such as the US, are allocating billions every year to cyber defence. It is time for the UK government to take this threat seriously.
While the NAO doesn’t say that the Programme is a complete failure it does make it clear that there are significant shortcomings. Those mean that it cannot be certain of what will be achieved and what won’t. It will be interesting to see what changes as a result of this report. The likelihood is that very little will happen. Why? The department responsible for this is the Cabinet Office who is currently struggling with Brexit and all that entails.
Industry: Cyber Security News
- Outside IR 35 CONTRACT SC CLEARED Cyber Security Operations Analyst SPLUNK ES- UK REMOTE- £500 a day.
6 month contract Outside IR35 Operational Cyber Security Analyst. Hands on Splunk Security Enterprise and Security clearance is required As is someone that holds SC clearance. SOC and Vulnerability management experience. Vulnerability Analysis / Management - Tenable
- SailPoint Consultant
- Upto €80,000
SailPoint Consultant is need for this rapidly expanding global business, The business is currently in the middle of a SailPoint Deployment, they require an experienced Consultant who is able to help them on this Journey You will be responsible for helping to configure and deploy SailPoint as well as on board applications onto the platform You will also work with the business to understand workflow and process to help align the way the business works to ensure that the business gets the most from the deployment We are looking for an experienced SailPoint consultant who has experience with both Deployment and BAU work and is interested in joining a business which is at the start of an interesting IAM Journey
- SOC Manager Security Operations. SIEM, Threat / Vulnerability, IR, SOC Service- Exclusive
- United Kingdom
SOC Manager- SIEM, Threat / Vulnerability, Incident response. Exclusive Project. Management and on growth growth of Security Operations Centre capability. Managing and maturing the team, technical services line and fronting client engagements where needed. An in-depth technical background is essential, experience across SOC SIEM/ Threat Hunting (IR) tools, processes, techniques, operational is a MUST. The role will include, but not limited to; evolving the technical process, building operational capability, managing and hiring team, involved at a high level overviewing policy/playbooks, fine turning of the go-to-market collateral etc.
- Contact 12 month- Security Operations- Tanium Engineer / Analyst.
- United Kingdom
- Dependent on experience
Security Operations engineer / Analyst with Tanium for a 12 month contract. Experience configuring using, managing, supporting troubleshooting Tanium's suite of end point solutions is essential. The opportunity is due to a client expanding its international capability to a follow the sun model. To be involved in spinning up a European capability. Based in the UK. English essential and ideally being fluent in French.