House of Commons Public Accounts Committee publishes report on Government’s cyber security strategy

The Committee concludes that the Government has not made sufficient progress on developing long-term objectives for the National Security Strategy, which has been hampered by a weak evidence base and the lack of a business case.

The report notes that to counter the threat to the UK’s cyber security, the Cabinet Office has, since 2011, managed two five-year national cyber security strategies. According to the report, the Cabinet Office is beginning to make progress in meeting the strategic outcomes of the current 2016–2021 National Cyber Security Strategy after a poor start.

However, a weak evidence base and the lack of a business case for the National Cyber Security Programme that helps to deliver the Strategy make it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021. A lack of a business case also means it is unclear whether the money allocated at the start of the Programme was the right amount, making it more difficult to judge value for money.

The Committee also says that it is concerned that consumers do not know how safe the websites or internet-enabled products they use are. There is clearly more that the government needs to do to make progress in this area.

Recommendations include:

  • given that the UK is particularly vulnerable to the risk of cyber attacks, the Government should ensure another long-term coordinated approach to cyber security is put in place well in advance of the current Strategy finishing in March 2021;
  • to justify how its approach to cyber security is delivering value for money, the Government needs to produce a properly costed business case to support any follow-on, long-term and coordinated approach to cyber security;
  • given the Government lacks the robust evidence base it needs to make informed decisions about cyber security, the Government should write to the Committee by November 2019 setting out what progress it is making in using evidence-based decisions in prioritising cyber security work. This should include plans for undertaking a robust “lessons learnt” exercise to capture all relevant evidence from the current Strategy and Programme to support any future approach to cyber security;
  • the Government has not been clear what the Strategy will actually deliver by 2021. Therefore, when the Government publishes its costed plan in autumn 2019 for its future approach to cyber security, it should also set out what the existing Strategy and Programme should deliver by March 2021, and the risks around those areas where it will not meet its strategic outcomes and objectives;
  • the Government has not yet done enough to enhance cyber security throughout the economy and better protect consumers. Therefore, it must write to the Committee by November 2019, outlining how it intends to influence the different sectors in the economy, for example retail, to provide consumers with information on their cyber resilience. As part of this it should outline how it intends to measure success in protecting consumers. This should also form part of its approach to cyber security after 2021.
