The UK National Cyber Security Strategy needs clearer long-term objectives built on a firmer evidential basis, the Public Accounts Committee has said.
A report published yesterday by the committee found that the strategy, which covers the five-year period from 2016 to 2021, had been “hampered by a weak evidence base and lack of business case”.
The rollout of the strategy, which follows on from a similar plan that covered the 2011-2016 period, is the responsibility of the Cabinet Office. MPs acknowledged that the department “is beginning to make progress in meeting the strategic outcomes of [the] strategy after a poor start”.
But the report said that a lack of clarity makes it difficult to judge the likelihood of the strategy achieving its objectives. PAC has made five conclusions about the strategy’s challenges and shortcomings – and five supporting recommendations for how these can be addressed.
The first conclusion is that “the UK is particularly vulnerable to the risk of cyberattacks”. In light of this, the committee recommends that the Cabinet Office ensures that another long-term plan for national cybersecurity is in place long before the March 2021 end date of the existing strategy.
MPs also concluded that the department “cannot justify how its approach to cybersecurity is delivering value for money”. To remedy this, the Cabinet Office must make sure any further long-term plans for cybersecurity are supported by “a properly costed business case”.
The department also “lacks the robust evidence base it needs to make informed decisions about cybersecurity”, the report concluded. MPs asked the Cabinet Office to write to them before November 2019 “setting out what progress it is making in using evidence-based decisions in prioritising cybersecurity work”.
The report added: “This should include plans for undertaking a robust ‘lessons learnt’ exercise to capture all relevant evidence from the current strategy and programme to support any future approach to cybersecurity.”
The committee also found that “the department has not been clear what the strategy will actually deliver by 2021”. MPs recommend that the Cabinet Office publishes a clear set of goals in autumn for what the strategy should deliver, as well as “the risks around those areas where it will not meet its strategic outcomes and objectives”.
Finally, PAC concluded that “government has not yet done enough to enhance cybersecurity throughout the economy and better protect consumers”. The MPs asked the Cabinet Office to write to them in the next five months “outlining how it intends to influence the different sectors in the economy… to provide consumers with information on their cyber resilience”. Additionally, the committee said that the post-2021 cybersecurity strategy should include plans for how best to protect consumers.
Committee chair Meg Hillier said: “We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the programme were grounded in business cases – despite being allocated £1.9bn funding.”
She added: “Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy. In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyberattacks: future plans should be based on strong evidence, business cases should be rigorously costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”
A Cabinet Office spokesperson said: “The UK is safer since the launch of our cyber strategy in 2015.
“We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure.”