Parliament Slams Woeful Government Security Efforts

MPs have slammed the government’s cybersecurity efforts as uncoordinated, inconsistent and failing the wider public sector outside Whitehall.

In a damning report which echoes a previous investigation by the National Audit Office (NAO) in September last year, the Public Accounts Committee (PAC) claimed it’s taking too long for the government to consolidate the “alphabet soup” of agencies tasked with protecting the UK.

“The Cabinet Office should develop a detailed plan for the [National Cyber Security Centre] NCSC by the end of this financial year, setting out who it will support, what assistance it will provide and how it will communicate with organizations needing its assistance,” it recommended.

The report also claimed there’s too little emphasis on supporting the wider public sector, delivery partners and individual users of government sites, especially on what to do if a data breach occurs.

With 450 “arm’s length” bodies delivering core services, this is of particular concern and hints at a large, exposed underbelly which hackers could go after.

“The government should establish a clear approach for protecting information across the whole of the public sector and delivery partners—not just central government—and clearly communicate to all these bodies how its various policy and guidance documents can be of most use, including during a data breach incident,” the report argued.

The government is also struggling with cybersecurity skills gaps, with monitoring departments’ efforts to improve their security posture and with the recording of personal data breaches, the PAC said.

Of the 8981 incidents classed as not reportable to the ICO in 2014/15, HMRC and the Ministry of Justice accounted for 98%, with some departments reporting none at all.

“The Cabinet Office should consult with the Information Commissioner’s Office to establish best practice reporting guidelines and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017–18 financial year,” the PAC said.

David Ferbrache, technical director in KPMG’s cybersecurity practice, said rationalization of cybersecurity roles and functions in government is long overdue.

“The National Cyber Security Centre plays a vital role in defending the UK against state sponsored cyber-attacks, the militarization of cyber space and an increasingly sophisticated organized cyber-crime threat,” he argued.

“The NCSC has made good progress in developing and implementing its cybersecurity strategy, but there is clearly a long way to go. There can be a natural tendency for governments to cloak discussions around security in secrecy but when it comes to cybersecurity, the best response is a community response that involves industry. The NCSC must be agile, flexible and unconventional – and it can only achieve that by drawing on talent from the community as a whole.”
