Background to the report
UK businesses and citizens increasingly operate online to deliver economic, social and other benefits, making the country more and more dependent on the internet. However, the internet is inherently insecure, and attempts to exploit its weaknesses, known as cyber attacks, continue to increase and evolve. While departments and public bodies are responsible for safeguarding their own information, since 2010 the government has taken the view that centrally driven strategies and programmes are needed to ensure the UK effectively manages its exposure to these risks.
The Cabinet Office (the Department) leads this work through successive National Cyber Security Strategies, published in 2011 and 2016, and separate National Cyber Security Programmes designed to help deliver each Strategy: one covering 2011 to 2016 (NCSP1) and one covering 2016 to 2021 (the Programme).
The 2016 National Cyber Security Strategy (the Strategy) focuses on the steps government will take to make the UK more secure online, covering the overarching themes of Deter, Defend and Develop across 12 strategic outcomes. It is designed to be a cross‑government approach, with specific departments (referred to as lead departments) responsible for each of the Strategy’s 12 strategic outcomes (plus a thirteenth, the overarching governance, managed by the Department). The Strategy’s 12 strategic outcomes are regarded as equally important and are not prioritised.
The Strategy includes £1.3 billion for the Programme. The Programme’s objectives are organised under the same headings as the Strategy’s 12 strategic outcomes (Figure 1). The Department uses a range of metrics to assess progress against the objectives and the strategic outcomes. The Programme has a broad scope, from developing cyber skills in the UK, to technical measures to defend against attacks, to considering how to incentivise organisations to make their digital systems more secure.
Content and scope of the report
Our audit sought to answer the question: “Is the Cabinet Office effectively coordinating the 2016–2021 National Cyber Security Programme?” This includes understanding how the Programme contributes to the delivery of the Strategy’s overarching strategic outcomes. Our report examines the government’s approach to cyber security (Part One); how the Department set up and manages the Programme (Part Two); progress in delivering the Programme (Part Three); and finally what the Programme expects to achieve up to 2021 and beyond (Part Four).
We have not examined the other activities that support the Strategy, such as the effectiveness of individual departments’ expenditure on the protection of their digital systems and information, and other activities that contribute to enhancing the UK’s cyber security.
By refreshing its National Cyber Security Strategy in 2016 the government has shown an important commitment to improving cyber security. Such an approach is vital to ensure that the rapidly evolving risk from cyber-attacks does not undermine the UK’s ambition of building a digital economy and transforming public services. Achievement of the Strategy’s strategic outcomes is supported by the £1.3 billion National Cyber Security Programme, which has provided a focal point for cyber activity across government and has already led to some notable innovation, such as the establishment of the National Cyber Security Centre.
However, despite recent improvements in the Programme’s management and delivery record, it was established with inadequate baselines for allocating resources, deciding on priorities or measuring progress effectively. With two years of the Programme still to run this makes it hard to say whether it will provide value for money. Ultimately, the Department can best demonstrate value for money if the Programme’s objectives are delivered by 2021 and can then be shown to have maximised their contribution to the wider Strategy. Looking ahead to the UK’s longer-term position, the Department needs to build on its current work to ensure there is adequate planning for what activity government might undertake after the existing Programme ends.