Failings in the way the Cabinet Office established its current cyber security programme mean that the government does not know whether it will meet the programme’s goals, and raise questions about its plans to tackle cyber-attacks after 2021, according to today’s report by the National Audit Office (NAO).

The UK has one of the world’s leading digital economies [1], making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks. The National Cyber Security Strategy 2016 (the Strategy) outlines how the government aims to make the UK more secure online. The £1.9 billion Strategy includes £1.3 billion of funding for the National Cyber Security Programme 2016-21 (the Programme), and this report assesses progress just beyond the mid-point of the five-year Programme.

The Programme provides a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre (NCSC). The Programme has also reduced the UK’s vulnerability to specific attacks. For example, the NCSC developed a tool that led to 54.5 million fake emails being blocked in 2017-18 and the UK’s share of global phishing attacks falling from 5.3% to 2.2% in two years.

However, despite agreeing an overall approach to cyber security as part of the 2015 Strategic Defence and Security Review and Spending Review, the Cabinet Office did not produce a business case for the Programme before it was launched. This meant that when HM Treasury set its funding in 2015 it had no way to assess how much money it would need. The work of the Programme was delayed over its first two years as a third of planned funding was reallocated to counter-terrorist and other national security activities. Although this reallocation contributed to enhancing wider national security, it delayed specific projects such as elements of work to understand the cyber threat.

It is unclear whether the Cabinet Office will achieve the Strategy’s wider strategic outcomes by 2021. This is partly due to the difficulty of dealing with a complex and evolving cyber threat but also because it has not assessed whether the £1.9 billion of funding was ever sufficient. It has acknowledged that it may take longer than 2021 to address all the cyber security challenges set out in the Strategy but does not yet know when these might be achieved.

The Cabinet Office has introduced a more robust framework to assess both the Programme and Strategy’s performance and has asked departments to spend more money on measuring their progress in meeting objectives. However, this was only introduced in 2018 and it will take time for any benefits to materialise. It will also be difficult for the Cabinet Office to identify what needs to be done to achieve the aims of the Strategy as it only has ‘high’ confidence in the quality of the evidence used to assess progress against one of its 12 strategic outcomes. Funding for the Programme’s final three years up to 2021 is less than that recommended by those departments responsible for delivering each of the Strategy’s strategic outcomes.

The Cabinet Office has started preparations for its future approach to cyber security, but risks repeating previous mistakes. It seems unlikely that the Cabinet Office will have decided on its overall approach to cyber security before the 2019 Spending Review, which is expected to determine government funding for the next few years. This increases the risk of the Cabinet Office making the same mistake that it did in 2015, when funding was agreed before it published its Strategy outlining the government’s approach to cyber security.

Going forward, the NAO recommends that the Cabinet Office establishes which areas of the Programme are having the greatest impact and are most important to address, and focuses its resources there until 2021. Building on existing work, it should consult widely and develop a strategy for UK cyber security after 2021 which clearly sets out which work should be centrally funded, which are private sector responsibilities and which are core departmental activities. It should also consider more flexible approaches to cyber security that involve a mixture of shorter programmes, so that it can be more responsive to changing risks.

“Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”

Amyas Morse, the head of the NAO, said today

Read the full report

Progress of the 2016-2021 National Cyber Security Programme

Notes for editors

Key facts

£1.3bn: National Cyber Security Programme budget 2016-21

£648m: remaining funding for the final two years of the five-year Programme

3: number of the Programme’s 12 objectives for which the Department assesses the supporting projects are all currently on track

8: number of the Programme’s 12 objectives where at least 80% of the projects that support the objective are currently on track, with fewer than 80% on track against the twelfth objective

1: number of the National Cyber Security Strategy’s 12 strategic outcomes for which the Department has ‘high confidence’ in its assessment that it will be met by 2021

11: number of strategic outcomes we are unable to report progress on for national security reasons. However, we can report that the Department has ‘moderate confidence’ in the evidence supporting progress in achieving four of them and ‘low confidence’ in a further six. The twelfth strategic outcome (‘understanding the cyber threat’) is fully excluded from the analysis

326: metrics the Department has identified to track performance of both the Programme and the Strategy. However, one-third (107) of these are currently not being measured, either because the Department has low confidence in the evidence underpinning a metric or because it is planned as a future measure of performance

£169 million: value of Programme expenditure loaned or transferred in the first two years to support other activities, representing 37% of funding

72%: percentage of large UK companies reporting a cyber-attack in the previous 12 months, with 9% of those reporting multiple attacks per day

1,100+: number of cyber security incidents dealt with by the National Cyber Security Centre since its formation in October 2016

Notes for Editors

1. The UK’s digital economy contributes a higher percentage to gross domestic product than in any other G20 country, and the UK aspires to be a world leader in digital economy and government.

2. Press notices and reports are available from the date of publication on the NAO website. Hard copies can be obtained by using the relevant links on our website.

3. The National Audit Office scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Sir Amyas Morse KCB, is an Officer of the House of Commons and leads the NAO, which employs some 785 people. The C&AG certifies the accounts of all government departments and many other public sector bodies. He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently, effectively, and with economy. Our studies evaluate the value for money of public spending, nationally and locally. Our recommendations and reports on good practice help government improve public services. Our work led to audited savings of £741 million in 2017.

Press Notice 16/19

All enquiries to the NAO press office:

will.pollard@nao.org.uk 020 7798 7348 / 07940 311 694

pressoffice@nao.org.uk 020 7798 7400