NAO calls UK Government Cyber Security Programme a farce
In 2016, the government announced it was to invest £1.9 billion in a National Cyber Security Strategy. The announcement came with a lot of fanfare and claims about where the money would be invested. The Strategy was designed as a cross government approach to making the UK more secure. Of the £1.9bn, £1.3bn was allocated to the UK 2016-2021 National Cyber Security Programme.
The National Audit Office (NAO) has just published its latest progress report on the Programme and it does not make for good reading. The full report runs to a whopping 53 pages which, in places, is far from the most scintillating read. What it does do, however, is deliver a damning insight into the way the Programme is being run.
What did the report find?
The report identifies:
- Inadequate management that continues despite recent improvements
- A poor delivery record which is improving but not enough
- A lack of effective baselines for allocating resources, deciding on priorities or measuring progress
- 37% of the budget from the first two years (£169 million) loaned or transferred to support other activities
- Only 8 of the 12 objectives have at least 80% of the projects supporting them on track
- A low confidence that six projects will achieve their objectives
- National security reasons used to prevent the NAO reporting on 11 of the key strategic outcomes
- A third (107) of the 326 metrics that could track the performance of the Programme and the overall Strategy are not being measured
- No funding identified for the new capabilities created by the Programme once it ends in 2021
- An expectation that there will be no coherent vision for cyber security post-2021 in time for the 2019 Spending Review, which will set out funding requirements when the current Programme expires
Overall, this leads the NAO to say that: “With two years of the Programme still to run this makes it hard to say whether it will provide value for money.”
What has gone wrong?
Seemingly, things went wrong right from the beginning. Despite this being the second five-year Strategy, there appears to have been a significant lack of understanding about what was involved. The NAO report highlights the fact that there was: “No business case for the Programme.” This, in turn, meant there was: “No way to assess how much funding it really required.”
The lack of planning is also one of the reasons that monies were loaned or transferred elsewhere. The grand Strategy announcement was overtaken by other priorities. Counter-terrorism “borrowed” £100m, and a further £69m was given to other national security activities. The report does say that there is some cyber security benefit from those activities but does not say how much.
The lack of planning is also reflected in confusion over roles and responsibilities. This extended from government departments to the private sector. The report stops short of saying whether money was wasted on private sector contracts, but confusion is not conducive to value for money.
Adding to the pressure on the government is the claim that: “Two years in the government still lacks the evidence to prioritise those activities that will have the greatest impact.” This will concern those responsible for security in the long-term. It means that there is a significant risk of effective projects being lost and gaps in the Programme appearing.
Not everything is a failure
Among the bad news there is some good news. The success of the National Cyber Security Centre (NCSC) is highlighted. It has created a solid education platform and targeted messaging to businesses. It has also been increasingly involved in responding to certain types of attack as part of its work with the Incident Response Programme. Since 2016, the NCSC has dealt with over 1,100 incidents.
Among the successes for the NCSC has been the blocking of over 54.5 million fake emails in 2017-2018. Many of these promise tax or VAT refunds. This success is part of the Active Cyber Defence Programme that the NCSC has been responsible for. However, despite the efforts of the NCSC and HMRC, those emails continue to circulate and cyber criminals continue to have success.
It is not just emails where the NCSC has been successful. It has reduced the time taken to take down a malicious website from 42 hours to 9 hours. This work has also seen over 53,000 websites closed.
The report states that parts of the Active Cyber Defence have been taken up by other parts of the public sector and the private sector. This is good news. It has certainly provided some relief from commodity attacks. What is not clear is if this is likely to be supported by the government to bring more partners in.
There is also a substantial amount of work being done by UK universities to help close the cyber skills gap. What is missing here is the same interest in vocational training which will deliver help sooner.
What does the industry think?
Not a lot, well not a lot that was printable. Farce, inept, laughable and a national embarrassment were typical of the comments we received via phone calls. Some, however, were understanding and even supportive of the government.
Jake Moore, cyber security specialist at ESET commented: “In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality.”
There was also a view from some comments that businesses who rely on government fixing this are wrong. Spencer Young, RVP EMEA at Imperva told us: “With cyber-crimes on the rise and becoming increasingly sophisticated by the day, the responsibility now lies with businesses to protect their data.
“With a multitude of apps, cloud storage platforms and devices available, organisations are finding that their data security posture is not as robust as it used to be. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.
“The growing popularity of these apps, however, means hackers now have many different entry ways to target an organisation’s data – and potentially cause more exposures and breaches.
“This is why businesses must focus their efforts on protecting their data above all else – regardless of the platform, app or device it sits in or passes through.”
Enterprise Times: What does this mean
Governments and grand plans are history’s way of delivering comedy. The repeated announcement of the initial £1.9bn for cyber security is a good case in point. There was confusion over whether this was a single announcement or multiple chunks of money.
We now know that only £1.3bn made it through to the core Programme. Spending in the first two years has been limited, especially as monies have gone elsewhere. The report also questions whether the current plans can be delivered with what is left in the pot.
Of more concern is the fact that there is no serious planning for 2021 and beyond. The cyber threat is growing far faster than government can react. Other governments, such as the US, are allocating billions every year to cyber defence. It is time for the UK government to take this threat seriously.
While the NAO does not say that the Programme is a complete failure, it does make it clear that there are significant shortcomings. Those mean that it cannot be certain of what will be achieved and what will not. It will be interesting to see what changes as a result of this report. The likelihood is that very little will happen. Why? The department responsible for this is the Cabinet Office, which is currently struggling with Brexit and all that entails.