Britain's Cabinet Office (CO) hasn’t quite bungled the National Cyber Security Programme (NCSP) but it could certainly be doing things a lot better, the National Audit Office said today.
The NCSP is owned by the CO and is the government’s master plan for securing Blighty against ne’er-do-wells and hostile foreign states alike trying to hack and take down critical national infrastructure.
It is a £1.3bn taxpayer funded programme, whose costs were originally pegged at £860m. Other government departments bid for a slice of that cash and spend it on their own infosec initiatives, under the Cabinet Office's watchful eye.
"Lead departments are largely on track to deliver against their objectives, although funding for the remainder of the Programme is below the recommended level," said the National Audit Office (NAO) this morning. It added that the CO had not properly planned how it would spend the cash when it originally secured the NCSP's funding from the Treasury:
"The government used the Strategic Defence and Security Review and Spending Review in 2015 to establish the overall direction of cyber security expenditure and approve individual project business cases. However, when HM Treasury set the funding in 2015 the Department did not produce an overall Programme business case to systematically set out the requirement and bid for the appropriate resources."
Of the £1.3bn total fund for the NCSP, £100m was added in a loan from the Treasury after the NCSP got under way, while £69m was cut and reallocated to anti-terror work. The NAO acidly commented:
Although these activities contributed to enhancing cyber and wider national security they were not originally intended to be funded by the Programme, and this delayed work on projects such as elements of work to understand the cyber threat.
One of its big successes, according to the NAO, was the creation of the National Cyber Security Centre in 2016, an offshoot of spy agency GCHQ. The NCSC was instrumental in helping the NHS clean up in the aftermath of the Wannacry malware outbreak of 2017.
The Cabinet Office told El Reg it was proud of what it had done so far, quietly glossing over the criticisms of its financial management of the NCSP.
"The UK is safer since the launch of our cyber strategy in 2015. We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure," a spokeswoman said. "We recognise that there is always more to do, and are pleased that the NAO has endorsed our plans for the future through their recommendations."
Ominously, the NAO said: "The Department has 'low confidence' in the evidence supporting half of the Strategy's strategic outcomes, and currently only expects to achieve one by 2021."
It also added that it had been gagged from telling the public why the Cabinet Office won’t meet its own targets: "For security reasons we cannot report progress against any further strategic outcomes."
The full report is on the NAO website. ®