“As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions.”
The Cabinet Office only expects to meet one of the 12 strategic outcomes outlined in its National Cyber Security Strategy (NCSS) by the end of the programme’s term in 2021. The rest are considered “open ended” and the Cabinet has “low confidence” in the assessment process of half of the outcomes.
These are the findings of a typically blistering Public Accounts Committee (PAC) report into the progress of the five-year NCSS programme [pdf] running from 2016-2021, which expresses concern about the delivery of the programme so far, and notes that no further long-term strategy seems to have been established.
PAC committee chair Meg Hillier MP commented: “We are disappointed that the Department was not able to give us a clear idea of what the Strategy will deliver by 2021. This does not represent a resilient security strategy.”
“The Department [Cabinet Office] explained that its performance measures for each of the outcomes in the Strategy related to the confidence it had in the evidence that the strategic outcome will be achieved, not the actual deliverability of the strategic outcomes”, PAC noted.
(The other strategic outcomes are largely on track, but are hard to measure, the Cabinet Office told PAC, saying “three were on track, and a further eight objectives had 80 percent or more of their projects on schedule. It told us that while one project had 73 percent of its projects on track, it was moving in the right direction”).
What is the National Cyber Security Strategy?
The NCSS is a cross-government strategy running for five years with a budget (for this term) of £1.9 billion. The strategy itself is divided into three themes; defend, deter and develop. These themes are divided into the project’s 12 outcomes, such as developing cyber skills, cybercrime detection and prevention.
The one outcome the Cabinet Office is confident it can hit by the programme’s close in 2021, is incident management, which the NCSS lists as: “Incident management – the management and coordination of activities to investigate, and remediate, an actual or potential occurrence of an adverse cyber event that may compromise or cause harm to a system or network.”
In terms of performance monitoring, PAC said it “asked the Department why it had taken it until 2018, halfway through the current Programme, to introduce a new performance framework. Prior to this, the individual departments that led each of the 12 strategic outcomes included within the Programme reported on progress.”
“The Department told us that the evaluation of each outcome was originally carried out by individual departments to reflect the devolved funding arrangements for the Programme. However, the 2017 National Security Capability Review found that the centre of government needed to have a better overview of the Programme, so performance measurement was centralised in the Department. The Department acknowledged that there are still gaps in its evidence base.”
The Threat Is Real
In its investigation PAC highlighted that as a leading digital economy the UK is particularly vulnerable to cyber threats. Since the establishment of the National Cyber Security Centre (NCSC) in 2016 it has dealt with over 1,100 serious cyber security incidents, the committee noted.
PAC said it was told by the NSCS that: “Cyber-attacks are becoming more complex with the boundaries between state orchestrated attacks and those of cyber criminals becoming more blurred, criminal networks being used by state entities and the ability of some criminal networks to employ state resources.”
They also note that roughly 4,000 vulnerabilities within local government systems have been identified and fixed in the last two years.
The NCSC recommended that the UK make its: “Infrastructure a less attractive target for cyber-attacks by reducing the ability of hackers to operate from within the UK. “ and to “work in the international arena to help combat cyber-attacks is to publish evidence of the interventions that the NCSC has made that work and hope that other countries will use them as well.”
Building on NAO
The PAC referenced a report delivered by the National Audit Office last year which found the programme had done very little to measure its operation or how money was being allocated for individual projects.
The NAO found that the programme has inefficiently used its time in assessing the projects benefits and strategic outcomes. The office said it believed that the strategy did not have a robust framework in place to measure how the project has performed. Rather than establish a comprehensive review structure, officials at the programme were asked to rate risk involved in achieving the projects strategic outcomes via Red, Amber and Green indicators.
As the NAO states: “There is little evidence to support these assessments, which makes it difficult to assess how well the Programme has performed so far. The Strategy set out 48 measures of success but by July 2018 only 17 were being measured.”
Meg Hillier commented that they: “Are concerned that the Programme designed to deliver it is insufficient. As it currently stands, the Strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the Strategy or the Programme were grounded in business cases – despite being allocated £1.9 billion funding.”
“The Department is still considering its approach to cyber security after 2021, but expected to have a single, portfolio-based business case, rather than its current approach where each of the 12 strategic outcomes of the Strategy has its own, separate business case,” the report found, adding: “The Department expects that it will focus on three elements: improving cyber resilience; continuing to build capability to deal with threats; and making sure that the UK is the safest place in the world to do business online.”
In the event of the UK leaving the EU without any agreement, then certain systems would be out of reach of the UK as it would be considered a third country legally by the EU and out of the zone of trust, the report reiterates.
Sir Mark Sedwill the Cabinet Secretary and Head of the UK Civil Service noted in his witness evidence to the committee that: “On the presumption that we leave, it of course depends on whether we leave with an agreement. If we do not, those measures will be severed, as I set out recently in another Committee, with a significant impact, which we would then seek to mitigate.”
“I think SIS II would be the example for which there is no current legal framework to allow a non-Schengen, non-EU country the kind of access we have now. We have said that we would like to ensure that that is available to us. We will have it for the implementation period, but we want it available to us at the end of that period. Trying to secure that will be part of the next phase of the negotiation.”
“This will be one of the areas that, however hard we seek to mitigate it, there will be a no-deal impact.”