The government has been told there are “failings” in the way it is planning to protect the UK’s critical infrastructure from cyber-attacks. The warning came in a National Audit Office (NAO) assessment of the UK’s national cyber-defence plan.
The government is increasingly worried that these essential sectors will be targeted by foreign states seeking to disrupt UK life. Modern life was now “totally dependent” on cyber-security, said one expert. The Cabinet Office’s National Cyber Security Programme is intended to be funded until 2021, and has involved the establishment of the National Cyber Security Centre (NCSC).
The government-driven strategy to keep the UK safe in the face of constant cyber-attacks involves 12 “strategic outcomes” that cover such things as: understanding, investigating and disrupting threats, defending against evolving cyber-attacks, managing and responding effectively, securing government networks and developing cyber-skills in the UK.
The NAO said that delivering the strategy was a “complex challenge” and added that the government did not know where it should concentrate efforts to “make the biggest impact or address the greatest need”. The only section marked as “red” in the report was the plan to protect power plants and hospitals. This meant that fewer than 80% of its projects to defend these institutions would finish on time.
These key targets were being “actively defended”, said the report, but added that it was hard to gauge how effective this activity had been as methods to measure success were still being developed.
The government itself had “low confidence” in the evidence gathered for half of its strategic plans, said the report. Though it noted that this was an improvement on the “very low confidence” expressed late last year about the same topics.
The report noted the success of the NCSC, including the creation of a tool that has led to 54.5 million fake emails being blocked between 2017 and 2018. The UK’s share of global phishing attacks also fell from 5.3% to 2.2% between 2016 and 2018.
The NAO said the Cabinet Office did not produce a business case for the programme before it was launched. This led to a mismatch of budget and strategy. A total of £1.3bn was committed for the National Cyber Security Programme. “It’s a bit like putting the cart before the horse,” Prof Alan Woodward, a computer security expert at the University of Surrey, told the BBC.
“The overarching thing that comes out from the NAO is that [the government] decided on the budget and then they decided on the strategy.” In addition, more than one-third of funding that had been promised for the National Cyber Security Programme over its first two years was loaned or transferred by the Treasury.
These funds were moved into areas including counter-terrorism, but also the troubled ID scheme, Verify. “It’s disappointing to learn that, quite early on, some of this was diverted to other purposes,” said Prof Woodward. “Our society is now so totally dependent on cyber-security. It’s becoming a bit like the National Health Service; it’s something you can’t afford not to do properly.”
Meg Hillier, chair of the Committee of Public Accounts, said it is “yet another example of an important government programme launched without getting the basics right”. She added: “The increasing cyber-threat faced by the UK, and events such as the 2017 WannaCry attack, make it even more critical that the Cabinet Office take immediate action to improve its current programme and plan for safeguarding our cyber-security beyond 2021.”
Another area of concern, according to Prof Woodward, is the comparative lack of focus on addressing the development of future cyber-talent. Of the £632m that has been expended to date, only £70.89m has gone on the programme’s “develop” theme, encompassing educational projects like the NCSC’s CyberFirst scheme.
“It’s disappointing. The cyber-threat evolves all the time. If we need enough people with the right skills we need to step up on the ‘develop’ part.” Amyas Morse, the head of the NAO, said that the government has “demonstrated its commitment to improving cyber-security”, but that there is uncertainty about how it will fund these activities after 2021. “Government needs to learn from its mistakes and experiences in order to meet this growing threat.”