Posted on June 23, 2017 by Tom McDonald
WannaCry, the 12th of May global cyber attack, brought home clearly one of the key cyber security risks to government services: loss of access to data. This ransomware attack didn’t target the NHS, but the NHS was particularly affected by it, causing extensive disruption to patients and healthcare for a week. With digital transformation of public services a key government priority, what lessons from this episode can the government learn to protect public services from cyber attacks?
The NHS was vulnerable to this malware largely because its software was old and hadn’t been ‘patched’ against a known vulnerability.
The NAO will conduct an Investigation into the cyber-attack on the NHS, but there are already many lessons from our previous work on digital transformation and cyber security.
What’s the NAO’s role in cyber security?
The NAO identifies risks to the achievement of value for money in the delivery of public services. In an increasingly digital world, cyber security presents major risks. We don’t advise on cyber security; that’s the job of the new National Cyber Security Centre and other bodies. But as part of our work, we do determine whether organisations have identified the scale of their cyber risks and put in place suitable plans.
For several years our reports have recommended that the government improves its preparation for, and accountability and resourcing of, cyber security. This is particularly important in light of the government’s focus on achieving a ‘digital transformation’ of public services. The new technology being used in transformation brings great opportunities, but also considerable challenges and risks. For example, while sharing data brings benefits such as speeding up processes for consumers and potentially reducing opportunities for fraud and error, there are risks in transferring and centralising data, creating a need for strong data protection. If these risks are not addressed this could result in the loss of consumers’ ‘digital trust’. Our reports on these issues can be found on our Digital service delivery web-page.
Ensuring ‘the buck stops’ somewhere
The trend towards devolution and localism is a second key generator of cyber risks. Making decisions at a local level enables local needs to be met more flexibly. The downside is the risk that when data needs to be shared, no single person or organisation is accountable or has the power to manage cyber security.
An example: In the case of health, the Department of Health delegates delivery to NHS England, which funds over 200 local clinical commissioning groups to purchase care from local health trusts. Social care is the responsibility of the larger local authorities who are also accountable to their local electors. NHS Digital has some overview of data and IT systems for the health and social care sectors (through its management of national NHS IT systems, such as the NHS Spine or N3 Network) and it has a dedicated Data Security Centre, but it has no authority over local authorities and trusts to ensure even simple security measures are implemented locally, such as software updates and patches.
Across government as a whole, accountability is also an issue. In Protecting information across government we found there has been little coherence between the several lines of governance and senior oversight of cyber and information security. A number of organisations and a plethora of working-level groups have been involved in cyber security and supporting digital transformation across government. The government itself has described these arrangements as an “alphabet soup”.
The Cabinet Office is undertaking a review of governance and accountability with the aim of simplifying the structure. In our view, it needs to ensure that there is clear responsibility for monitoring the ‘big picture’, and that responsibilities for managing cyber risks match the management information and capacity to do so.
Filling the gaps in scarce skills
The demand for cyber security and wider digital skills is huge – and obviously not limited to the public sector.
We conducted a survey of digital skills, including those for cyber, and discussed the skills-shortfall 18 months ago in our blog-post Skills for digital transformation. There has been little improvement since then, as we reported recently in Capability in the Civil Service. Not only does the government need to find the skills to deliver its digital transformation aims, but it’s simultaneously seeking to reduce its reliance on outsourcing IT providers by building in-house digital capability.
Achieving these dual aims is an immense task. Across departments there’s a need to increase considerably the number of staff with digital, data and technology-specific skills. Recruitment is challenging given the demand and scale of competition from the private sector. So the Government Digital Service (GDS) is trying to address the problem and aims to train at least 3,000 people a year in digital awareness. But this does not address the need – now – for deep technical skills, including those for cyber.
The Cabinet Office intends to address the wide gap in cyber security skills by pooling the government’s existing security teams – although these teams are already overstretched within their own departments. Similarly, Cabinet Office has withdrawn the Senior Information Risk Owner (SIRO) role, intending to replace SIROs with Chief Security Officers (CSOs). Training, recruitment and capacity building will be needed to ensure that this isn’t simply a name change.
The needs are urgent and the plans for growing skills are too slow, as we concluded in Capability in the Civil Service. In the longer-term, to identify achievable ways to grow digital skills, government must first gain a better understanding of the extent and nature of the digital and cyber security skills gaps – within departments and across government. In the shorter-term, if digital skills aren’t available, projects and transformation programmes may have to be stopped; and new ones shouldn’t be started. Where these skills are in short supply, projects need to be prioritised to reduce the demand for scarce skills.
Coping with legacy systems
On top of the issues around accountability and skills, there are the challenges of legacy systems and dealing with them during the move to more digital services. We reported back in 2013 on Managing the risks of legacy ICT to public service delivery, highlighting the fact that legacy ICT not only reduces the flexibility to improve public services, but means organisations are vulnerable to certain types of cyber threats – as WannaCry showed very clearly. This study looked at four case studies, demonstrating three strategies typically used for managing legacy ICT systems – ‘no change’, ‘enhance and maintain’ and ‘replace’ – and setting out the risks and benefits associated with each strategy.
The challenges involved in maintaining an effective Public Services Network (PSN), across which government can share data securely, illustrates the need for much better central planning and support in a continually changing digital world, as we discussed in Protecting information across government.
The government’s 2011 ICT strategy included the plan to develop the Public Services Network (PSN) to succeed the ageing Government Secure Intranet (GSi). Both networks aimed to connect central and local government and other public services, allowing secure collaboration and sharing. PSN was intended to provide stronger security than GSi, particularly given the risks associated with greater sharing between government services and local authorities.
However, the increased security requirements, for example around encrypting data, proved problematic and too costly for many local authorities. As a result changes were made, including establishing encrypted and non-encrypted functions. Over time the appetite from the centre to provide a shared network or overview has diminished, thereby undermining the aim of a single secure network and eroding the ease of sharing data.
More recently, government has announced an intention to phase out the use of the PSN and for departments to assess their own network requirements, but there has been limited guidance for departments on managing the transition or monitoring potential risks, and no planned oversight.
What can government, businesses and consumers do?
Cyber security is a huge challenge – the scale of which is highlighted in our report, Online Fraud.
The impacts on individuals of e-crime, as well as scams, unfair trading, unsafe goods and investment fraud, were also discussed in our previous blog-post: Do you feel protected as a consumer?
- require strong passwords;
- have a formal policy on managing cyber security risk;
- provide cyber security training;
- develop and test an incident management plan to handle cyber security attacks; and
- gain the Cyber Essentials certification.
Since its opening in October 2016, support for organisations has been provided by the National Cyber Security Centre (NCSC), which is part of GCHQ and consolidated the work of a number of bodies. NCSC provides non-mandatory guidance and is as (or more) focused on private and third sector organisations as on the public sector – but all organisations should follow its advice. Among its many resources are:
‘10 Steps to Cyber Security’, which includes ten technical advice sheets and information about why protecting information is a board-level responsibility and how basic security controls can protect organisations from the most common cyber attacks. NCSC also makes available a number of infographics on cyber security.
Cyber Essentials scheme enables organisations to apply to be recognised for the achievement of government-endorsed standards of cyber hygiene – either a basic-level, self-completion based badge or a higher level external certification.
The NCSC is a good start and has been resourced with funds from the £1.9 billion National Cyber Security Programme to invest in protecting the nation. But its guidance is not mandatory and, although its potential reach stretches well beyond central government, the onus is on individual organisations – in the public, private and third sectors – to heed the WannaCry warning and proactively take advantage of its products and guidance.
As we undertake further reviews of cyber security and digital transformation more widely, we will continue to blog on this vital subject. We also invite you to comment or contact us if you would like to discuss these issues further.
About the authors:
Tom McDonald is the Director responsible for the NAO’s work on cyber security. Tom has worked at the NAO since 2001 and has focused his career on the defence, overseas, health and national security sectors. He has degrees in modern languages, international relations and management from Bristol University and Ashridge Business School.
Yvonne Gallagher is NAO’s digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.
Max Tse is a member of the NAO’s Leadership Team, with particular oversight of Digital Transformation. He joined the NAO in 2011 and led our value-for-money audit of the Department for Work & Pensions until becoming an Executive Leader in April 2017. Prior to joining the NAO, Max was a consultant with McKinsey & Co. and has worked in the UK and overseas in a range of sectors including logistics, regulatory strategy, retail, climate finance, and health.
Leave a Comment