NAO slams mismanaged national cyber security programme

The Cabinet Office has mismanaged the country's National Cyber Security Programme since its introduction in 2016, and the programme is now forecast to fall short of its goals, according to a National Audit Office (NAO) report.

One year prior to the programme's 2016 implementation, the Cabinet Office agreed to an overall approach on how to tackle cyber security and the spending that should go towards it but failed to make a business case for the programme.

This meant that the £1.9 billion budget allocated to the programme was misguided, according to the NAO report, and the Cabinet Office had no real indication as to how much money it would actually need to fulfil the programme's objectives.

Other factors have contributed to the programme's poor performance. The report acknowledges that in the first two years of the programme, resources and funds were allocated away from it and directed towards anti-terrorism activities.

Although this improved the wider landscape of national security, it came at the cost of cyber security and delayed the government's understanding of the cyber security threat it faces.

"It is unclear whether the Cabinet Office will achieve the Strategy's wider strategic outcomes by 2021," read the report. "This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient.

"It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved."

"In 2016, £1.9 billion may have sounded like a huge financial injection but cyber security needs a constant flow of resources, both people and financial support," said Jake Moore, cyber security specialist at ESET. "If this money were to simply dry up in 2021 then over a short period of time all the good work done thus far could unravel."

It's not all bad, though; the report praises the programme in a number of areas, most notably for establishing the hugely successful National Cyber Security Centre (NCSC).

The NCSC's role is to understand the global cyber security climate and offer practical advice to government, businesses and the public regarding how to effectively mitigate the threats faced online.

It has also established the popular Cyber Discovery programme in England, Scotland and Northern Ireland, which aims to recruit the best 14-18 year-olds and provide them with fun and accessible cyber security activities, promoting career paths in the field.

The NCSC also developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK's share of global phishing attacks falling from 5.3% to 2.2% in two years.

In response to the uncertainty of the programme, the Cabinet Office introduced a new, robust assessment framework to make sure it has a better vision of how the programme is performing. It has also asked departments to allocate more funds to ensure it meets its objectives and measures progress adequately.

Although these steps were taken to improve the programme's effectiveness, they were only introduced in 2018, so it is too early to see their results.

Another blow to the programme is that it seems unlikely, according to the NAO report, that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years.

The report says that because of this, the Cabinet Office runs the risk of repeating the same mistakes it made in 2015 and that the budget for the programme could remain insufficient due to a lack of preparedness.

"Improving cyber security is vital to ensuring that cyber-attacks don't undermine the UK's ability to build a truly digital economy and transform public services," said Amyas Morse, head of the NAO.

"The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. The government needs to learn from its mistakes and experiences in order to meet this growing threat."

The NAO recommends that the Cabinet Office prioritise the programme's best performing aspects and focus most attention and resources there until 2021, as they will have the most positive impact on the country.

Connor Jones
News and Analysis Editor