After a number of high profile breaches cyber security has become a key focus for the public sector, says Meg Hillier MP, Chair, Public Accounts Committee
The NHS was hardest hit by the recent ransomware attack in May which affected businesses and public services across the world. During the attack operations were cancelled, ambulances diverted, medical records inaccessible and patients left adrift. Reports suggest that hackers used out of date software on NHS computers as their way in. Software that should have been updated many months ago.
In 2010 the government ranked cyber security as one of the top 4 security threats to the UK. Seven years later this threat remains. With the cyber-attack on the NHS and more recently Parliament itself, the importance of protecting not only government data but the data of people it represents is paramount.
When the Public Accounts Committee looked at the government’s efforts to protect information last year we found a lack of joined up action across Whitehall. Each government department determined what it considered to be a data protection breach and recorded this data differently. This chaotic approach meant that central government could not monitor the problem.
This lack of monitoring concerned the Committee. Threats to cyber security are growing rapidly – with 200 incidents a month which were serious enough to alert GCHQ to in 2015, up from 100 a month in 2014. Ministers realise the challenge they face but the government has taken too long to consolidate and coordinate its response to protecting the UK.
As recently as April last year there were at least 12 separate organisations and teams in central government with a role in protecting information. The Committee’s report highlighted the former Chancellor George Osborne’s criticism of the “alphabet soup” of agencies involved. The establishment of the National Cyber Security Centre (NCSC) was a welcome step in beginning to bring these bodies together to provide a unified source of guidance and support, including the management of critical cyber security incidents. But there is a lot still to do to make sure that this centre lives up to expectation.
It is not clear for instance how an organisation outside of Whitehall such as a local authority, charity or business would know whether a cyber breach needed to be escalated to the NCSC.
An area of real concern, and one harder to tackle is the recruitment of staff with the right skills to tackle the problem. A particular challenge is too often the private sector can outbid government rates of pay. In 2013 the Cabinet Office established a security profession to develop the professional skills of civil servants working in this field. It is attempting to paper over the cracks by setting up large clusters where civil servants can share their skills – amalgamating 40 different departmental security teams into 4 larger clusters.
There are patches of good practice in Whitehall. The Department for Work and Pensions (DWP) is working to ensure its staff buy in to their role in maintaining security. As one of only a few command and control departments where there’s a direct line between Whitehall and the front line this is easier to achieve compared with a department made up of a disparate group of organisations such as the Department of Health and the NHS. The National Archives is also providing training courses for civil servants from across Whitehall. This is all welcome but the government has to make sure it has the capability to provide support in the event of an attack.
The NCSC has the potential to provide national leadership, but it is only just making its first baby steps in 2017 despite the government committing to take action in 2010. We are 7 years off the pace.
However, the NCSC can only provide guidance and has no statutory power to enforce its recommendations.
Whilst the NCSC must ensure its advice is acted upon, cyber security relies on us all – individuals, private companies, public bodies and government. The fact that Britain ranks below Brazil, South Africa and China in keeping personal phones and laptops secure is worrying.
There are also other concerns coming down the line. The possible security threat of foreign investment in major infrastructure projects such as Hinkley Point. How EU directives being brought into force to ensure a strategic approach to cyber security across Member States will work in a post-Brexit world. And the growing concerns around the Internet of Things. The hacking of smart gadgets in people’s homes can not only be used against one consumer but linked to cause wider disruption of services. With new smart technology, anything is hackable – cars, security cameras, televisions, even children’s toys.
The government has a vital role to play but it needs to raise its game. Its approach to handling basic data breaches is chaotic and my Committee did not have confidence in its ability to take swift, coordinated and effective action in the event of an attack.
The UK can be ahead of the game – it was a British cybersecurity researcher who halted the recent global attack, but across government departments, there is much work to do to keep up with the staggering pace of change.
Meg Hillier MP
Public Accounts Committee