The Cabinet Office is failing to coordinate UK government departments' efforts to protect their information, according to a damning report by the National Audit Office (NAO).
The NAO found that the Cabinet Office failed in its duty and ambition to coordinate and lead government departments’ efforts in protecting such information.
The Cabinet Office has “tried to take a more strategic role in offering support and guidance to central government departments,” the NAO report found. “However, senior-level governance remains complex and unclear and, until recently, a wide array of central teams have been involved in information assurance and protecting information, sometimes offering overlapping and contradictory advice.”
Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are "several times" the reported figure of £300 million.
The NAO also noted that GCHQ dealt with 200 “cyber national security incidents” per month in 2015, double the number of attacks it had addressed in 2014, though the outcome of these attacks has not been reported.
The report, which counts 8,995 data breaches across the 17 largest government departments in 2014-15, certainly suggests that departments need to get their own houses in order before they start opening up access to even more of citizens' data, as the porn-blocking Digital Economy Bill would have them do.
Government departments are being challenged by the increasing need to share data with other public bodies, with delivery partners, service users, and citizens. According to the NAO, recent years’ “cuts to departmental budgets and staff numbers, and increasing demands from citizens for online public services, have changed the way government collects, stores and manages information”.
At the same time “the threat of electronic data loss from cyber crime, espionage and accidental disclosure has risen considerably. Alongside this new challenge, reporting to the Information Commissioner’s Office (ICO) by public bodies shows that the loss of paper records remains significant.”
Efforts have been complicated by the lack of coordination among the 12 separate teams and organisations which play a role in governmental infosec, including: GDS; GCHQ; CESG; CERT-UK; and the UK National Authority for Counter Eavesdropping (UKNACE).
That this work hasn’t been coordinated “has meant that a large number of bodies continue to have overlapping mandates and activities”, according to the NAO, which noted that last November the then-Chancellor of the Exchequer acknowledged this acronym-heavy problem and the need to “address the alphabet soup of agencies involved in protecting Britain in cyberspace.”
As part of that address, Osborne announced the launch of a new National Cyber Security Centre (NCSC) which will act as a hub for sharing best practices in security between public and private sectors, and will tackle cyber incident response.
Speaking to The Register earlier this month, the former head of GCHQ Sir David Omand said: "Next month, the new National Cyber Security Centre starts its work, under the Director of GCHQ, drawing on the technical expertise of GCHQ staff in operating in cyberspace, a further major development in harnessing the skills of the intelligence community in protecting the public."
NAO's head, Amyas Morse, said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.” ®