The Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information, according to the National Audit Office.
Today’s report found that its ambition to undertake such a role is weakened by the limited information which departments collect on their security costs, performance and risks. It also notes, however, that the UK Government has a strong international reputation in some areas of information security and digital government.
Protecting the information departments hold from unauthorised access or loss is a critical responsibility for departmental accounting officers. Departments are, however, increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. And increasing dependencies between central government and the wider public sector mean that the traditional security boundaries have become blurred.
According to the NAO, too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information.
As accountability for information security is devolved to departments, government does not currently collect or analyse its overall performance in protecting information on a routine basis. This means it has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information.
Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are ‘several times’ the reported figure of £300 million.
Some departments have made significant improvements in information governance, but most have not given it the same attention as other forms of governance. The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.
In the context of a challenging national picture it has been difficult for government to attract people with the right skills. The government established a security profession in 2013, and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. According to the NAO, plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge.
According to the NAO, the Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice. The NAO recommends that to reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.
This report highlights some issues relevant in light of the malware cyber-attack on 12 May. It sets out the increasingly complex challenge of protecting information while re-designing public services and introducing the technology necessary to support them.Amyas Morse, head of the National Audit Office, 14 September 2016