Parliamentary committee also warns of real skill shortage to tackle growing cyber menace
The Public Accounts Committee (PAC) has warned of the growing threat of cyber attacks, and that the response is hampered by a real skills shortage.
The warning came in the spending watchdog’s latest report that examined the protection of information across government departments.
The report also criticised the “inconsistent and dysfunctional” reporting of data breaches, and said the government has taken too long to “consolidate and coordinate the ‘alphabet soup’ of agencies involved in protecting Britain in cyberspace.”
The threat of cyber attacks has been one of the top four risks to national security since 2010. Indeed, Defence Secretary Sir Michael Fallon has today warned that Russia is carrying out a sustained campaign of cyber attacks targeting democracy and critical infrastructure in the West.
But the government has been slow to react. The PAC cited the fact that numerous teams and organisations (at least 12) had been formed in government to tackle this threat, but they have overlapping mandates and activities related to protecting information.
It noted that the Cabinet Office has amalgamated many of these bodies into the National Cyber Security Centre (NCSC), designed to act as a bridge between industry and government, and the Cabinet Office’s Cyber and Government Security Directorate, responsible for all aspects of government protective security.
The PAC urged the government to “develop a detailed plan for the NCSC by the end of this financial year, setting out who it will support, what assistance it will provide and how it will communicate with organisations needing its assistance.”
The PAC report also found that the government’s approach to protecting information places too little emphasis on informing and supporting citizens, service users, and the wider public sector beyond Whitehall, and recommended that the government should establish a clear approach for protecting information across the whole of the public sector and delivery partners – not just central government.
Another problem highlighted by the PAC is the perennial one of centrally managed government data protection projects not delivering as planned. It said the government should ensure there is robust challenge built into the design of these projects and review them regularly.
The PAC report also criticised the government’s attitude to departmental reporting, which has led to poor monitoring of the costs and performance of individual departments’ efforts to protect information. It urged the government to regularly assess the cost and performance of government information security activities.
And the PAC report also took the government to task over “inconsistent and chaotic processes for recording personal data breaches,” which are undermining the government’s chances of making informed information security decisions.
“In 2014–15, the 17 largest departments recorded a total of 14 data incidents that they considered reportable to the Information Commissioner’s Office, and recorded 8,981 non-reportable incidents,” said the report.
“Of the 8,981, Her Majesty’s Revenue and Customs recorded 6,038 (67 percent) and the Ministry of Justice 2,798 (31 percent). The other 15 departments recorded only 145 between them, fewer than 2 percent of the total.”
The PAC urged the government to consult with the Information Commissioner’s Office (ICO) to establish best practice reporting guidelines.
And finally the PAC report identified the ongoing cyber skills shortage, noting that the government is struggling to ensure its security profession is suitably skilled. It said the government needs to write to the PAC within six months and detail what steps it is taking to improve government’s capability in this area.
Must Do Better
“Government has a vital role to play in cyber security across society but it needs to raise its game,” said Meg Hillier MP, Chair of the PAC. “Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks.”
And she warned that the UK is shockingly slipping behind developing nations when it comes to data protection.
“The threat of cyber crime is ever-growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure,” said Hillier. “In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs.”
“Leadership from the centre is inadequate and, while the National Cyber Security Centre has the potential to address this, practical aspects of its role must be clarified quickly,” added Hillier.
“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” she concluded.