PAC report critical of Whitehall cyber security initiatives
Concerns noted over the Cabinet Office's focus on classifications, Civil Service skills, the Public Services Network and the remit of the National Cyber Security Centre
Parliament’s Public Accounts Committee (PAC) has called on the Cabinet Office to set out a clearer approach to protecting information across the public sector, and to clarify the role of the National Cyber Security Centre (NCSC) in supporting departments against attacks.
In new findings focused on protecting information across government, the committee called for the government to publish, by the end of the financial year, a detailed plan setting out how the NCSC will assist and communicate with organisations.
According to the report, as of April 2016, 12 separate teams or bodies working from the centre of government were charged with tackling or preventing potential cyber threats, seen as one of the key security risks facing the nation.
“The Cabinet Office has since amalgamated many of these bodies into the NCSC. [It is] designed to act as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents; and the Cabinet Office’s Cyber and Government Security Directorate, responsible for all aspects of government protective security,” noted the report’s conclusions.
“The breadth of the NCSC’s role is considerable and it is still unclear which organisations from across the public and private sectors can call on the NCSC for assistance.”
The committee also raised issues with several key centrally mandated government initiatives, which it said were not delivering their planned benefits, particularly the switch to three security classifications for information: 'Official', 'Secret' and 'Top Secret'.
Other concerns were identified around the Public Services Network (PSN), which GDS said last month it would move away from in favour of internet-based services. The report also queried a confidential network known as the Foxhound project, and argued that all three projects had been slow to deliver their intended benefits.
“These projects pose considerable business change, cultural and technical challenges because the systems in place need to be sufficiently robust to keep up with the pace of change. Initial project assumptions have been optimistic and have not been challenged at regular intervals to ensure they remain valid and facilitate accountability,” said the findings.
The PAC said it backed more robust criteria in the design of similar projects, and called for clear monitoring of spend against budget and of progress against anticipated benefits.
Extending these concerns, the report also warned that the quality of departments' reporting on their individual performance in protecting key information is poor, because the Cabinet Office has not mandated that they provide information on costs and benefits.
“The Cabinet Office should regularly assess the cost and performance of government information security activities, and identify a set of baseline indicators that departments should report against to support this objective,” noted the findings.
The PAC also argued that inconsistent, “chaotic” recording of data breaches has held the Cabinet Office back from making better-informed security decisions, leaving unexplained variations in the number of incidents reported by different departments.
According to the findings, in the 2014/15 financial year, 14 data incidents affecting Whitehall’s 17 largest departments were deemed reportable to the data regulator, the Information Commissioner's Office. Over the same period, 8,981 incidents were classed as non-reportable, with HM Revenue and Customs (HMRC) accounting for 67% of them.
“Several departments recorded no non-reportable incidents at all, including the Department for Work and Pensions, a large department with a comparable level of online activity to HMRC. We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however these are not consistently recorded as data breaches,” said the PAC.
“The Cabinet Office does not collect or analyse departments’ performance in protecting information on a routine or timely basis and was not aware of the wide variability and inconsistency of departments’ self-reporting processes prior to the National Audit Office’s analysis.”
The report recommended that the Cabinet Office consult the Information Commissioner’s Office (ICO) and set out best-practice guidelines for departmental reporting of data incidents in time for the coming financial year.
The PAC also warned that the government is struggling to ensure sufficient skills are available through its security profession, which was established in 2013 to set out training and development for civil servants working in the field.
“It remains unclear as to what skills gaps exist and how to fill these in the face of UK-wide skills shortages in this field. The Cabinet Office is also unwilling to mandate a minimum skills standard for departments in the security profession,” said the committee.
The PAC therefore called on the Cabinet Office to set out, within six months, the steps it is taking to improve the government’s overall security skills capability.