A scathing parliamentary report into UK.gov’s infosec practices has called for the government to step up its efforts to protect Britain from cyber attacks in the face of today’s “chaotic” practices.
The criticism is published today in the Public Accounts Committee’s report on Protecting Information Across Government, which follows a similar report last year from the National Audit Office that slammed the Cabinet Office’s continuing failures to organise central government’s approach to infosec.
These two official reports have found that the Cabinet Office has failed in both its duty and ambition to coordinate and lead government departments’ efforts in protecting information. According to the PAC, there is “little oversight of the costs and performance of government information assurance projects, and processes for recording departmental personal data breaches are inconsistent and dysfunctional.”
Meg Hillier MP, chair of the PAC, said today: “Government has a vital role to play in cyber security across society, but it needs to raise its game. Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks. The threat of cyber crime is ever-growing, yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure,” Hillier continued.
In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs. Leadership from the centre [of government] is inadequate and, while the National Cyber Security Centre has the potential to address this, practical aspects of its role must be clarified quickly.
“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” the committee chair concluded.
NCSC and data breaches
Where there were formerly “at least 12 separate teams or organisations” with infosec duties within the centre of government, many of these have now been amalgamated within the UK’s new National Cyber Security Centre. Launched in October 2016, NCSC will offer guidance to all, and has promised businesses that it would not inform the Information Commissioner's Office of any data breaches they had suffered.
This is at odds with the PAC’s report, which complains: “Poor reporting of low-level breaches, such as letters containing personal details being addressed to the wrong person, reduces our confidence in the Cabinet Office’s ability to protect the nation from higher-threat cyber attacks.”
There are “major and unexplained variations in the extent to which individual departments report security breaches,” the report continued. “In 2014-15, the 17 largest departments recorded a total of 14 data incidents that they considered reportable to the Information Commissioner’s Office, and recorded 8,981 non-reportable incidents. Of the 8,981, Her Majesty’s Revenue and Customs (HMRC) recorded 6,038 (67 per cent) and the Ministry of Justice (MoJ) 2,798 (31 per cent).”
The remaining 15 departments recorded under two per cent of the total data breach incidents, with the Department for Work and Pensions (DWP) recording no non-reportable incidents at all, despite being “a large department with a comparable level of online activity to HMRC,” according to the PAC.
We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however these are not consistently recorded as data breaches.
The Cabinet Office does not collect or analyse departments’ performance in protecting information on a routine or timely basis and was not aware of the wide variability and inconsistency of departments’ self-reporting processes prior to the National Audit Office’s analysis.
Departments with a high reporting rate are likely to be better protected because they have developed a reporting culture to allow early identification of threats. Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention.
It recommended that the Cabinet Office “should consult with the Information Commissioners’ Office to establish best practice reporting guidelines, and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017-18 financial year.” ®