Skip to main content

Government must step up work to protect Britain from cyber attacks

3 February 2017

The Public Accounts Committee report says that threats to cyber security are growing rapidly and government faces "a real struggle" to find enough staff with the skills to fight them.

Breach recording processes "inconsistent and dysfunctional"

The warning comes in the Committee's latest report, which examines measures to protect information across government.

The Committee concludes that while the threat from cyber attacks has been one of the top four risks to national security since 2010, it has taken government too long to consolidate and coordinate the 'alphabet soup' of agencies that protect Britain.

Processes for recording departmental personal data breaches by government departments are inconsistent and dysfunctional, says the Committee, with poor recording of low-level breaches.

This reduces the Committee's confidence in the ability of the Cabinet Office to protect the nation from higher-threat cyber attacks.

Detailed plan needed for new National Cyber Security Centre

The Committee finds the Cabinet Office's role in protecting information remains unclear within central government and its approach "places too little emphasis on informing and supporting citizens, service users, and the wider public sector beyond Whitehall".

It calls on the Cabinet Office to develop a detailed plan for the new National Cyber Security Centre (NCSC), established to bring together much of government's cyber expertise, by the end of this financial year.

This should explain "who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance".

Government urged for clear approach to public sector information

Within six months the Cabinet Office should also write to the Committee setting out its findings from a pilot 'security cluster'—an initiative intended to better enable the sharing of scarce skills across central government.

Among its other recommendations, the Committee urges government to establish a clear approach for protecting information across the whole of the public sector.

Chair's comment

Meg Hillier MP, Chair of the PAC, said:

"Government has a vital role to play in cyber security across society but it needs to raise its game.

Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks.

The threat of cyber crime is ever-growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure.

In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs.

Leadership from the centre is inadequate and, while the National Cyber Security Centre has the potential to address this, practical aspects of its role must be clarified quickly.

Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support."

Report summary

Well documented data security breaches at Tesco, Northern Lincolnshire and Goole NHS Trust, Sage, and TalkTalk have recently thrown the challenge of protecting information into the spotlight.

The threat from cyber attacks has been one of the UK's top four risks to national security since 2010, yet it has taken the government too long to consolidate and co-ordinate its 'alphabet soup' of agencies involved in protecting Britain in cyberspace.

The Cabinet Office's role in protecting information remains unclear within central government, and there appears to be no coordination across the wider public sector.

Little oversight of costs of projects

There is little oversight of the costs and performance of government information assurance projects, and processes for recording departmental personal data breaches are inconsistent and dysfunctional.

Poor reporting of low-level breaches, such as letters containing personal details being addressed to the wrong person, reduces our confidence in the Cabinet Office's ability to protect the nation from higher threat cyber attacks.

The use of the internet for cyber crime is evolving fast and the government faces a real struggle to find enough public sector employees with the skills to match the pace of change.

Further information

Image: iStockphoto