NAO calls UK Government Cyber Security Programme a farce
.jpg)
In 2016, the government announced it was to invest £1.9 billion in a National Cyber Security Strategy. The announcement came with a lot of fanfare and claims about where the money would be invested. The Strategy was designed as a cross government approach to making the UK more secure. Of the £1.9bn, £1.3bn was allocated to the UK 2016-2021 National Cyber Security Programme.
The National Audit Office (NAO) has just published its latest progress report on the Programme and it does not make for good reading. The full report runs to a whopping 53 pages which, in places, is far from the most scintillating read. What it does do, however, is deliver a damning insight into the way the Programme is being run.
What did the report find?
The report identifies:
- Inadequate management that continues despite recent improvements
- A poor delivery record which is improving but not enough
- A lack of effective baselines for allocating resources, deciding on priorities or measuring progress
- 37% of the budget from the first two years (£169 million) loaned or transferred to support other activities
- Only 8 of the 12 objectives have at least 80% of the projects supporting them on track
- A low confidence that six projects will achieve their objectives
- National security reasons used to prevent the NAO reporting on 11 of the key strategic outcomes
- A third (107) of the 326 metrics that could track the performance of the Programme and the overall Strategy are not being measured
- No funding for the new capabilities in the Programme to be funded after 2021
- An expectation that there will be no coherent vision for cyber security post 2021 in time for the 2019 Spending Review which will set out funding requirements when the current Programme expires
Overall, this leads the NAO to say that: “With two years of the Programme still to run this makes it hard to say whether it will provide value for money.”
What has gone wrong?
Seemingly right from the beginning. Despite this being the second five year Strategy, it seems that there was a significant lack of understanding about what was involved. The NAO report highlights the fact there was: “No business case for the Programme.” This, in turn, meant there was: “No way to assess how much funding it really required.”
The lack of planning is also one of the reasons that monies were loaned or transferred elsewhere. The grand Strategy announcement was overtaken by other priorities. Counter-terrorism has “borrowed” (£100m) and (£69m) was given to other national security activities. The report does say that there is some cyber security benefit from those but doesn’t say how much.
The lack of planning is also reflected in confusion over roles and responsibilities. This extended from government departments to the private sector. The report stops short of saying if monies was wasted on private sector contracts but confusion is not conducive to value for money.
Adding to the pressure on the government is the claim that: “Two years in the government still lacks the evidence to prioritise those activities that will have the greatest impact.” This will concern those responsible for security in the long-term. It means that there is a significant risk of effective projects being lost and gaps in the Programme appearing.
Not everything is a failure
Among the bad news there is some good news. The success of the National Cyber Security Centre is highlighted. It has created a solid education platform and targeted messaging to businesses. It has also been increasingly involved in responding to certain types of attack. This is as part of its work with the Incident Response Programme. Since 2016, the NCSC has dealt with over 1,100 incidents.
Among the successes for the NCSC has been the blocking of over 54.5 million fake emails in 2017-2018. Many of these promise tax or VAT refunds. This success is part of the Active Cyber Defence Programme that the NCSC has been responsible for. However, despite the efforts of the NCSC and HMRC, those emails continue to circulate and cyber criminals continue to have success.
It is not just emails where the NCSC has been successful. It has brought the time taken to bring down a malicious website from 42 hours to 9 hours. This work has also seen over 53,000 websites closed.
The report states that parts of the Active Cyber Defence have been taken up by other parts of the public sector and the private sector. This is good news. It has certainly provided some relief from commodity attacks. What is not clear is if this is likely to be supported by the government to bring more partners in.
There is also a substantial amount of work being done by UK universities to help close the cyber skills gap. What is missing here is the same interest in vocational training which will deliver help sooner.
What does the industry think?
Not a lot, well not a lot that was printable. Farce, inept, laughable and a national embarrassment were typical of the comments we received via phone calls. Some, however, were understanding and even supportive of the government.
Jake Moore, cyber security specialist at ESET commented: “In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality.”
There was also a view from some comments that businesses who rely on government fixing this are wrong. Spencer Young, RVP EMEA at Imperva told us: “With cyber-crimes on the rise and becoming increasingly sophisticated by the day, the responsibility now lies with businesses to protect their data.
“With a multitude of apps, cloud storage platforms and devices available, organisations are finding that their data security posture is not as robust as it used to be. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.
“The growing popularity of these apps, however, means hackers now have many different entry ways to target an organisation’s data – and potentially cause more exposures and breaches.
“This is why businesses must focus their efforts on protecting their data above all else – regardless of the platform, app or device it sits in or passes through.”
Enterprise Times: What does this mean
Governments and grand plans are history’s way of delivering comedy. The repeated announcement of the initial £1.9bn for cyber security is a good case in point. There was confusion over whether this was a single announcement or multiple chunks of money.
We now know that only £1.3bn made it through to the core Programmes. Spending in the first two years has been limited especially as monies have gone elsewhere. The report also questions if the current plans can be delivered with what is left in the pot.
Of more concern is that fact that there is no serious planning for 2021 and beyond. The cyber threat is growing far faster than government can react. Other governments, such as the US, are allocating billions every year to cyber defence. It is time for the UK government to take this threat seriously.
While the NAO doesn’t say that the Programme is a complete failure it does make it clear that there are significant shortcomings. Those mean that it cannot be certain of what will be achieved and what won’t. It will be interesting to see what changes as a result of this report. The likelihood is that very little will happen. Why? The department responsible for this is the Cabinet Office who is currently struggling with Brexit and all that entails.
source enterprisetimes
Industry: Cyber Security News
Latest Jobs
-
- Senior Cyber Security Analyst / Engineer. Exclusive role
- United Kingdom
- 75000
-
Senior Cyber Security Analyst / Engineer. Exclusive role Hybrid role- Travel to London once a month. ROLE Day to day operations, management and scalability of existing cyber security systems. Advanced triaging and troubleshooting security alerts. Improve tooling, reducing false positives. Improve processes and documentation Reviewing, approving, escalating security change management requests. Implementing new cyber security systems. Managing of and maturing security tooling such as; SIEM Vulnerability management Firewalls Patch management CASB Ideal technical experience Vulnerability Management: Qualys Forcepoint: CASB, DLP, web security, email security Microsoft Defender for Endpoint SIEM (Splunk) Firewalls: Cisco, Palo Alto, Juniper, Sonicwall IDS: Alert Logic Microsoft Cloud App Security Microsoft Azure ManageEngine ADAudit Plus Darktrace, Cloudflare, Cisco Umbrella, Imperva WAF Appreciation of ISO27001, GDPR, PCI, etc
-
- Security Operations Senior Technical Analyst, Financial Services. Exclusive to DCL Search
- London
- 75000 + benefits
-
Exclusive Security Operations - Senior Technical Analyst (x2) needed within a forward thinking financial services business head quartered in London. DCL Search have been engaged on an Identifier Project to attract the very best cyber talent to this business. Influence the cyber security capability and direction within the business. Learn new skills working within a collaborative team. Grow as a security professional. ROLE Triaging and troubleshooting security alerts. Improve tooling, reducing false positives. Improve processes and documentation Reviewing, approving, escalating security change management requests. Day to day operations, management and scalability of existing cyber security systems. Implementing new cyber security systems. Managing of and maturing security tooling such as; SIEM Vulnerability management Firewalls Patch management CASB Ideal technical experience Vulnerability Management: Qualys Forcepoint: CASB, DLP, web security, email security Microsoft Defender for Endpoint SIEM (Splunk) Firewalls: Cisco, Palo Alto, Juniper, Sonicwall IDS: Alert Logic Microsoft Cloud App Security Microsoft Azure ManageEngine ADAudit Plus Darktrace, Cloudflare, Cisco Umbrella, Imperva WAF Appreciation of ISO27001, GDPR, PCI, etc 2 days a fortnight in London- or more if you want.. Hybrid reworking.
-
- It's Pen Testing Chris, but not as we’ve know it.
- United Kingdom
- 95000
-
5 reasons, as long as you are a skilled penetration tester (and a nice person) this may be different enough for you. Healthy package for the right talents- before you ask up to 95k+ (depending on skillset). Yes permanent only. Remotely based with the occasional time to meet up- unless you enjoy retiring from society. BUT UK based but not UK client focused. Research and training time- A dedicated trainer with budget for you to sharpen / develop skills. You can make your stamp. It’s a new role for someone technical to deliver, lead and shape a testing capability. No political shenanigans etc Exclusive to DCL Search and not one of the usual names. So you can dramatically increase your chances of securing it. Infrastructure pen testing and Web app / Manual penetration testing experience highly valued. Someone that can scope, deliver pen testing, report and not be useless in front of clients. Apply today to find out more. Or email Chris.Holt@dclsearch.com Or call 07884666351 This is a UK based role.
-
- Ping Contractor-
- N/A
- Depends on skills and experience
-
Looking for experienced PIng Consultants, Looking for consultant with Implemenation or Architect experience in the Ping product set (Ping Identity, Ping Federate, Ping Access, Ping Directory, Ping Adapter development, SDK etc) This would be for implementation projects, working across UK. You will be responsible for providing implementation services to our clients from information gathering through to implementation. Evaluating client business, process, systems, and technology requirements and advise clients on best practices to help guide and solidify proposed designs. Manage Client expectations, Stakeholder Managment, ensuring design Matches business requirements