NAO calls UK Government Cyber Security Programme a farce
In 2016, the government announced it was to invest £1.9 billion in a National Cyber Security Strategy. The announcement came with a lot of fanfare and claims about where the money would be invested. The Strategy was designed as a cross government approach to making the UK more secure. Of the £1.9bn, £1.3bn was allocated to the UK 2016-2021 National Cyber Security Programme.
The National Audit Office (NAO) has just published its latest progress report on the Programme and it does not make for good reading. The full report runs to a whopping 53 pages which, in places, is far from the most scintillating read. What it does do, however, is deliver a damning insight into the way the Programme is being run.
What did the report find?
The report identifies:
- Inadequate management that continues despite recent improvements
- A poor delivery record which is improving but not enough
- A lack of effective baselines for allocating resources, deciding on priorities or measuring progress
- 37% of the budget from the first two years (£169 million) loaned or transferred to support other activities
- Only 8 of the 12 objectives have at least 80% of the projects supporting them on track
- A low confidence that six projects will achieve their objectives
- National security reasons used to prevent the NAO reporting on 11 of the key strategic outcomes
- A third (107) of the 326 metrics that could track the performance of the Programme and the overall Strategy are not being measured
- No funding for the new capabilities in the Programme to be funded after 2021
- An expectation that there will be no coherent vision for cyber security post 2021 in time for the 2019 Spending Review which will set out funding requirements when the current Programme expires
Overall, this leads the NAO to say that: “With two years of the Programme still to run this makes it hard to say whether it will provide value for money.”
What has gone wrong?
Seemingly right from the beginning. Despite this being the second five year Strategy, it seems that there was a significant lack of understanding about what was involved. The NAO report highlights the fact there was: “No business case for the Programme.” This, in turn, meant there was: “No way to assess how much funding it really required.”
The lack of planning is also one of the reasons that monies were loaned or transferred elsewhere. The grand Strategy announcement was overtaken by other priorities. Counter-terrorism has “borrowed” (£100m) and (£69m) was given to other national security activities. The report does say that there is some cyber security benefit from those but doesn’t say how much.
The lack of planning is also reflected in confusion over roles and responsibilities. This extended from government departments to the private sector. The report stops short of saying if monies was wasted on private sector contracts but confusion is not conducive to value for money.
Adding to the pressure on the government is the claim that: “Two years in the government still lacks the evidence to prioritise those activities that will have the greatest impact.” This will concern those responsible for security in the long-term. It means that there is a significant risk of effective projects being lost and gaps in the Programme appearing.
Not everything is a failure
Among the bad news there is some good news. The success of the National Cyber Security Centre is highlighted. It has created a solid education platform and targeted messaging to businesses. It has also been increasingly involved in responding to certain types of attack. This is as part of its work with the Incident Response Programme. Since 2016, the NCSC has dealt with over 1,100 incidents.
Among the successes for the NCSC has been the blocking of over 54.5 million fake emails in 2017-2018. Many of these promise tax or VAT refunds. This success is part of the Active Cyber Defence Programme that the NCSC has been responsible for. However, despite the efforts of the NCSC and HMRC, those emails continue to circulate and cyber criminals continue to have success.
It is not just emails where the NCSC has been successful. It has brought the time taken to bring down a malicious website from 42 hours to 9 hours. This work has also seen over 53,000 websites closed.
The report states that parts of the Active Cyber Defence have been taken up by other parts of the public sector and the private sector. This is good news. It has certainly provided some relief from commodity attacks. What is not clear is if this is likely to be supported by the government to bring more partners in.
There is also a substantial amount of work being done by UK universities to help close the cyber skills gap. What is missing here is the same interest in vocational training which will deliver help sooner.
What does the industry think?
Not a lot, well not a lot that was printable. Farce, inept, laughable and a national embarrassment were typical of the comments we received via phone calls. Some, however, were understanding and even supportive of the government.
Jake Moore, cyber security specialist at ESET commented: “In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support. If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel. Great Britain has been no safe haven for cyber criminals and the NCSC is known across the world as a solid force against cyber criminality.”
There was also a view from some comments that businesses who rely on government fixing this are wrong. Spencer Young, RVP EMEA at Imperva told us: “With cyber-crimes on the rise and becoming increasingly sophisticated by the day, the responsibility now lies with businesses to protect their data.
“With a multitude of apps, cloud storage platforms and devices available, organisations are finding that their data security posture is not as robust as it used to be. Web applications have been quickly growing more complex as users and companies demand more from their online, mobile and connected device experiences.
“The growing popularity of these apps, however, means hackers now have many different entry ways to target an organisation’s data – and potentially cause more exposures and breaches.
“This is why businesses must focus their efforts on protecting their data above all else – regardless of the platform, app or device it sits in or passes through.”
Enterprise Times: What does this mean
Governments and grand plans are history’s way of delivering comedy. The repeated announcement of the initial £1.9bn for cyber security is a good case in point. There was confusion over whether this was a single announcement or multiple chunks of money.
We now know that only £1.3bn made it through to the core Programmes. Spending in the first two years has been limited especially as monies have gone elsewhere. The report also questions if the current plans can be delivered with what is left in the pot.
Of more concern is that fact that there is no serious planning for 2021 and beyond. The cyber threat is growing far faster than government can react. Other governments, such as the US, are allocating billions every year to cyber defence. It is time for the UK government to take this threat seriously.
While the NAO doesn’t say that the Programme is a complete failure it does make it clear that there are significant shortcomings. Those mean that it cannot be certain of what will be achieved and what won’t. It will be interesting to see what changes as a result of this report. The likelihood is that very little will happen. Why? The department responsible for this is the Cabinet Office who is currently struggling with Brexit and all that entails.
source enterprisetimes
Industry: Cyber Security News
Latest Jobs
-
- Azure Identity Consultant
- Netherlands
- discussed on applications
-
Are you a cybersecurity expert passionate about identity and access management? We are seeking a talented IAM Technical Specialist to join our Sec Ops team. In this role, you will play a pivotal part in developing and maintaining our IAM infrastructure, ensuring the highest levels of security and compliance. What you'll do: Design, implement, and maintain IAM solutions for both on-premise and cloud environments. Collaborate with cross-functional teams to integrate IAM systems into various applications and processes. Conduct security assessments and risk analysis to identify and mitigate vulnerabilities. Stay up-to-date with the latest IAM technologies and industry best practices. What we're looking for: Experience: experience as a technical specialist with expertise in AD management. IGA concepts: Experience with Identity Governance and Administration (IGA) concepts such as RBAC, PAM, SIEM, SSO, segregation of duties (SoD), data classification, and recertification. Azure Identity Management: Minimum 2 years of demonstrable experience with Azure identity management, specifically within complex organizations. IT knowledge: Good general knowledge of IT environments such as Active Directory, Azure Cloud, Office 365, SharePoint Online, etc. Protocol knowledge: Familiar with SAML, OIDC, OAuth, and SCIM. Programming languages: Minimum 3 years of experience with development languages such as PowerShell; knowledge of Java or C# is a plus.
-
- Cloud Architect- German Speaker
- Hungary
- Upto €48000 per year + bonus + benefits
-
As a Senior Pre-Sales Solutions Architect, you will play a pivotal role in driving our sales success by translating complex technical solutions into compelling proposals that resonate with our clients. You will collaborate closely with our sales teams to understand customer needs, design tailored solutions, and negotiate successful deals. Responsibilities: Solution Design: Develop comprehensive technical solutions that align with customer business objectives and industry best practices. Proposal Development: Create compelling proposals, including requirements gathering questionnaires, presentation materials, and Statements of Work (SOWs). Customer Engagement: Build strong relationships with clients, understanding their technical, business, and commercial requirements. Collaboration: Work closely with sales teams, delivery teams, and third-party partners to ensure successful project execution. Pricing Strategy: Define and deliver pricing strategies that align with customer needs and company objectives. Requirements: Experience in technical pre-sales or sales support roles. Proven track record in designing and delivering successful customer solutions. Strong technical foundation in areas such as VMware, Azure, AWS, cloud computing, and data center technologies. Excellent understanding of sales principles, account management, and negotiation techniques. Ability to explain complex technical concepts clearly and concisely. Experience working in international teams and supporting clients across multiple regions. Fluency in German and English is essential. Benefits: Competitive salary and benefits package Opportunity to work on challenging and rewarding projects Collaborative and supportive work environment Potential for career growth and advancement Please note that this role is focused on supporting German clients, but will also involve global client support as needed.
-
- Microsoft Sentinel Architect
- United Kingdom
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design: Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration: Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration: Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization: Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring: Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.
-
- Network & Security Consultant
- Romania
- €54000 plus benefits
-
Senior Network & Security Engineer to join a Managed Network & Security Team in Europe. In this critical role, you will: Play a pivotal role in managing and securing network infrastructure across datacenters, customer connections, and on-premise deployments. Proactively monitor network and security devices, analyse incidents, and implement solutions to ensure optimal performance and security. Collaborate with colleagues and customers to troubleshoot issues, troubleshoot outages, and implement effective resolutions. Lead and participate in network system installations for new facilities and expansions. Develop and maintain network infrastructure procedures, recommend technical strategies, and propose improvements to enhance network capabilities. Stay up-to-date on the latest network and security technologies and trends. Work as part of a collaborative international team, contributing to team presentations and knowledge sharing. To be successful, you'll need: Proven expertise in Cisco network solutions (CCNP R&S/Sec/Wireless preferred) for both BAU and project work. In-depth knowledge of network security principles and experience with Fortinet firewalls. Experience deploying and managing large, complex network infrastructure (routing, switching, wireless, security). Solid understanding of ITIL v3 framework for incident, change, and problem management. Excellent troubleshooting skills with experience using Wireshark or similar protocol analysers. Strong communication and teamwork skills, with the ability to work independently and collaborate effectively.