Confusion over Government infosec

by Mark Rowe

Too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice, according to the National Audit Office (NAO). As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. Some 73 teams are covering security in central government departments; a Cabinet Office review in March 2016 proposed pooling them. And there are 1600 protective security staff (information, physical and personnel) in central government departments. While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information.

The Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information, the NAO says. Meanwhile, GCHQ dealt with some 200 cyber national security incidents per month in 2015, up from 100 per month in 2014. A Government estimate puts annual spend on security in 34 departments at £300m. Actual costs are thought to be ‘several times’ this figure, as many departments cannot separate spending on cyber and physical security from IT and estates contracts, the auditors add. The Cabinet Office’s March 2016 review estimated that departments will spend £28m on external IT security consultants in 2016. A national shortage of skilled people available for information protection is reflected in the public sector, the NAO says.

The NAO report found that the Cabinet Office’s ambition to undertake such a coordinating role is weakened by the limited information which departments collect on their security costs, performance and risks. It also notes, however, that the UK Government has a strong international reputation in some areas of information security and digital government.

For the full 47-page report, titled ‘Protecting information across government’, visit the NAO website.

Protecting the information departments hold from unauthorised access or loss is a critical responsibility for departmental accounting officers. Departments are, however, increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. And increasing dependencies between central government and the wider public sector mean that the traditional security boundaries have become blurred, according to the NAO.

As the NAO says, while accountability for information security is devolved to departments, government does not currently collect or analyse its overall performance in protecting information on a routine basis. This means it has little visibility of information risks in each department and limited oversight of the progress departments are making to better protect their information.

Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are ‘several times’ the reported figure of £300m.

Some departments have made significant improvements in information governance, but most have not given it the same attention as other forms of governance. The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.

In the context of a challenging national picture it has been difficult for government to attract people with the right skills, the official auditors say. The Government established a security profession in 2013 (itself a response to a shortage of people with the right skills), and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. According to the NAO, plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge. The report warns that with limited resource the profession cannot make real progress on addressing the skills shortage and define what ‘good looks like’ for physical, personnel and, in particular, technical security. For example, the Ministry of Defence has introduced procedures to reduce the number of phishing emails, but none of the other departments the NAO spoke to were aware of that.

Central government is now adopting four security clusters across all departments to deliver vetting, cyber and physical security services and to communicate best practice and education for staff and boards. The first cluster will enter the pilot phase in October 2016.

According to the NAO, the Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice. The NAO recommends that to reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.

Comments

Amyas Morse, head of the National Audit Office, said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”

Michael Hack, SVP of EMEA Operations at IT security and management company Ipswitch said: “Whilst rules on data protection, privacy and sharing have been in a state of flux in the last year, that’s absolutely no excuse for poor data security policies, procedure and practice in any organisation. Requirements for new data regulation, the GDPR (set to come into force in May next year) have been very well documented and publicised. Data breaches will need to be reported without undue delay and within 72 hours of becoming aware of them.

“Public bodies strive to be in the headlines for setting standards and best practice, not for failing in their data security responsibilities. Many have invested already in bolstering their IT security and data sharing processes. Government now needs to introduce a cohesive risk management exercise that identifies the key processes and assets, and evaluates their vulnerabilities and potential threats. The results will then highlight priorities for the next stage of the process. The exercise should cover all areas of public sector and should also consider technologies and strategies to mitigate the risks identified.

“Public sector organisations must ensure they have the right file transfer technologies, security systems, processes, and most importantly, staff training. By automating, managing and controlling all file transfers from a central point of control, staff are able to easily send and share files using approved secure methods and the IT department gains complete control over activity.”

Paul Farrington, manager of EMEA solution architects at the information security product company Veracode said: “Coordination is key to improving the government’s “dysfunctional” approach to data security. One way of doing this is in clarifying the remit of the Chief Security Officer. Government departments are unlikely to want to have their delivery agendas interfered with by a Cyber Czar, who may not be perceived as holding political influence. As such, there probably needs to be a financial incentive in terms of budget release for departments to play ball with any Security Officer. That ultimately means that Key Performance Indicators will need to be established to help drive incremental improvement and coherence across Whitehall.

“It’s unlikely that a single initiative can address all the known security problems highlighted by the report. However, it is clear that Britain continues to be weakened by security breaches: citizens’ lives are impacted and, in some cases, put at risk, when a breach occurs; government and businesses suffer when valuable secrets are stolen and given to outside interests. It is essential that the execution of the government’s security policy begins to match the political rhetoric. A willingness to change is essential and, while securing government may seem an unsurmountable task for some, engaging with the soon-to-be-opened National Cyber Security Centre will be just one way that government departments will be able to call upon expertise in this area.”
