The UK Government cannot justify how its approach to cyber security is delivering value for money, warns a committee of MPs. The Government lacks the robust evidence base it needs to make informed decisions about cyber security, says a report by the Public Accounts Committee.
Committee chair, the Labour MP Meg Hillier said: “With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks. As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online. We welcome the National Cyber Security Strategy but are concerned that the Programme designed to deliver it is insufficient. As it currently stands, the Strategy is not supported by the robust evidence the Department [Cabinet Office] needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases – despite being allocated £1.9bn funding.
“Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021. This does not represent a resilient security strategy. In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”
Nor has the Cabinet Office been clear what the five-year Strategy will actually deliver by 2021, the committee said. MPs said that Government has not yet done enough to enhance cyber security throughout the economy and better protect consumers. The report complained that it is difficult for consumers to know whether the internet-enabled devices they buy or the companies they give their details to online are holding their information securely. For example, a trusted brand like British Airways was hacked in 2018, and the personal data of 380,000 customers was stolen. There is currently no ‘traffic light’ or ‘kitemark’ system to inform consumer choice. The PAC asked the Government to say how it intends to influence sectors in the economy; for example, retail, to provide consumers with information on their cyber resilience.
For the full report visit https://publications.parliament.uk/pa/cm201719/cmselect/cmpubacc/1745/174502.htm.
The PAC heard from Sir Mark Sedwill, Cabinet Secretary and Head of the UK Civil Service, and UK National Security Advisor; Madeleine Alessandri, Deputy National Security Advisor, Cabinet Office; and Ciaran Martin, Chief Executive, National Cyber Security Centre (NCSC).
