How is Britain's £1.3bn National Cyber Security Strategy going? Nobody really cares any more – even the Cabinet Office, judging by its latest progress report.
In a report issued this week the Cabinet Office waffled for several tens of pages saying how much work Britain's various governmental organs had done that vaguely fits under the banner of the National Cyber Security Strategy.
Yet nowhere in the report did it explicitly say "we have done what the strategy was meant to achieve". Neither did it say it had missed its goals, or say exactly where £1.3bn of public money had gone – even though the five-year plan expires in a few months.
Penny Mordaunt MP, the Paymaster General (aka Cabinet Office minister Michael Gove's bag carrier and cyber security minister) said in the report's foreword: "Our approach to cyber security strategy post 2021 will reinforce the outcome of the current Integrated Review of the UK's foreign, defence, security and development policy."
Aside from that, about the only tangible thing the report did say was that the next overarching national infosec strategy would be baked into the long-delayed Integrated Review, which will be the cornerstone of Britain's foreign policy in years to come. Cyber security having been enthusiastically adopted by the more military-minded side of government, it seems 2016's priorities are a long way from what civil servants want to do in the immediate future.
While the Cabinet Office progress report contains some details of things achieved over the past year (ranging from "published a cyber security toolkit" to launching specialist police cyber crime units), the report does not relate these to any of its "strategic outcomes" beyond merely reproducing them as haphazard bullet points.
Industry, however, will be pleased to note that UK infosec exports were apparently worth £3.96bn in 2019, an increase of almost £2bn on the previous year. This suggests government is beginning to see that an infosec sector that thrives on its own two feet, rather than one that exists purely to serve UK government contracts, is a valuable thing.
As the Royal United Services Institute think tank said last year when it published a paper on the future of the strategy:
"To succeed, there will need to be more engagement with the private sector – to move the discussion beyond generalities and into specifics. There must be a clear mutual understanding as to where UK government responsibility ends, and private sector accountability begins. This dialogue is at present only in the early stages."
Despite online security clawing its way up the government's list of priorities, it appears that the National Cyber Security Strategy has been largely overtaken by events. Earlier this month the worst-kept secret in Whitehall, the existence of the National Cyber Force, was revealed to the world, while the Foreign Office has gleefully swung from the coat-tails of the EU and the US Department of Justice as those bodies imposed international sanctions and criminal charges on individual Russian hackers.
Back in 2016 the UK renewed its £1.9bn cyber security spending pledge, a splurge that gave birth to the National Cyber Security Centre and sowed the seeds for Britain's newly acknowledged National Cyber Force state-sponsored hacking crew.
Three years later the National Audit Office (NAO) huffed that the Cabinet Office wasn't doing very well on the plan, known by then as the National Cyber Security Programme – but said that embarrassed civil servants had retreated behind unspecified "security reasons" to gag the NAO from saying precisely what had gone wrong.
While that may or may not have been a factor in the Cabinet Office's report being as dreary as it is, it is clear that Britain is on the brink of a fundamental shift in how both public and private sectors approach the topic of cyber security. ®