The government has taken too long to consolidate and coordinate the “alphabet soup” of cyber security agencies and faces “a real struggle” to find staff with the right skills to tackle threats, MPs have said.
The criticisms come in the Public Accounts Committee’s report Protecting Information Across Government, published on Friday.
In it, the MPs note the ever-increasing number of cyber attacks faced by governments across the world, and say the UK government’s poor past performance on cyber security “reduces our confidence” for the future.
An in-depth look at the National Cyber Security Programme
Government's cyber security strategy gets a refresh
National Cyber Security Centre open for business – as new London HQ revealed
“Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks,” said committee chairwoman Meg Hillier.
Echoing the analysis of poor central government coordination and leadership made in September 2016 by the National Audit Office, the MPs’ report said that the Cabinet Office’s role in protecting information “remains unclear within central government”.
Despite being aware of the problem posed by multiple agencies dealing with cyber security, the government still had too many lines of accountability “with little coherence between them”, the committee said.
It acknowledged that the creation of the National Cyber Security Centre, which was officially opened in summer last year, aimed to bring the disparate groups working on cyber intelligence and security across the country together but that more details of its work were needed quickly.
“The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance,” the report said.
It called on the government to publish a detailed work plan for the centre by the end of this financial year, covering who the centre will support, what assistance it will provide and how it will communicate with organisations.
“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” said Hillier.
"Chaotic"
The report also said that there was too little emphasis on informing and supporting the wider public sector, and a lack of coordination with other public bodies — something that has been raised repeatedly by councils, which have said they are concerned about being the “weak link” in UK cyber security.
This lack of coordination “is of particular concern, given the government’s extensive reliance on arm’s length bodies to deliver core public services and functions, with more than 450 arm’s length bodies through which the government spends around £250 billion annually”, the MPs said.
Instead of relying on those organisations to resolve security issues themselves, and to know when the risk is significant enough to contact the NCSC, the committee said government should work to ensure that there is more information and support available to those bodies.
Central government reporting processes also came under fire in the report, which branded those for recording departmental personal data breaches “chaotic”, “inconsistent and dysfunctional”.
The report pointed to “major and unexplained variations” in the extent to which departments report them: of the 8,981 non-reportable incidents that were recorded by the 17 largest departments, 67% were recorded by HMRC and 31% by the Ministry of Justice.
The remaining 15 departments — including the large and digitally-active Department for Work and Pensions — recorded just 145 between them.
The MPs argued that encouraging a culture of recording of incidents would help departments identify threats early on, and said the Cabinet Office should work with the Information Commissioner’s Office to establish best practice reporting guidelines for departments.
Skills gaps
Meanwhile, the committee raised concerns that the government was “struggling to ensure its security profession has the skills it needs” to match the rapid and changing landscape of cyber security.
It said that, although a security profession was established in 2013, it was unclear what skills gaps still exist and how they could be filled when there was a UK-wide skills shortage in the field, and urged the government to focus on identifying and filling those gaps.
The MPs also called for the Cabinet Office to report the results of a pilot scheme that will see 40 separate departmental security teams being brought into four large clusters to the committee within six months.
A further criticism levelled at the government was that it had failed to properly manage central government information projects, saying that they were not delivering as planned and needed to be challenged and reviewed on a more regular basis.
For instance, it said, there has never been a detailed financial business case produced for the Government Security Classifications system — a three-point system to classify information consistently across government — meaning there is no baseline against which to judge its progress or potential savings.
Finally, the Cabinet Office was told to do more to assess the cost and performance of government information security activities. The committee said that its failure to mandate how departments should report on the costs and benefits of their information protection efforts has made it hard to tell which projects are providing value for money.