The government has been told that there are "failures" in the way it plans to protect the UK's critical infrastructure against cyber attacks.
This warning was taken into account when the National Audit Office (NAO) evaluated the UK National Cyber Defense Plan.
The government is increasingly concerned that these vital sectors are targeted by foreign states seeking to disrupt life in the United Kingdom.
Modern life was now "totally dependent" on cybersecurity, an expert said.
Complex task
The Cabinet Office's national cybersecurity program is expected to be funded until 2021 and involved the creation of the National Cybersecurity Center (NCSC).
The strategy put in place by the government to keep the United Kingdom safe from ongoing cyberattacks includes 12 "strategic outcomes" that include the following areas:
- understand, investigate and disrupt threats
- defend against evolving cyberattacks
- manage and react effectively
- secure government networks
- develop e-skills in the UK
The NAO said the implementation of the strategy was a "complex challenge" and added that the government did not know where it should focus its efforts to "have the greatest impact or meet the greatest need".
The only article marked "red" in the report concerns the protection plan for power plants and hospitals. This meant that less than 80% of its defense projects for these institutions would be completed in time.
The report states that these key objectives are "actively defended", but adds that it is difficult to assess the effectiveness of this activity as methods of measuring success have not yet been developed.
The government itself had "low confidence" in the evidence gathered for half of its strategic plans, the report said. It noted, however, that this was an improvement over the "very low confidence" expressed at the end of last year on the same topics.
The report highlighted the success of the NCSC, including the creation of a tool that has helped block 54.5 million fake emails between 2017 and 2018. The UK's share of phishing attacks in the world also went from 5.3% to 2.2% between 2016 and 2018.
The NAO said the Cabinet Office had not produced a business case for the program before it was launched. This led to an inadequate budget and strategy.
A total of £1.3 billion has been committed to the national cybersecurity program.
"It's a bit like putting the cart before the horse," Professor Alan Woodward, an expert in computer security at the University of Surrey, told the BBC.
"The most important thing that emerges from the NAO is that [the government] decided the budget, then the strategy."
In addition, more than one-third of the funds pledged for the National Cybersecurity Program in its first two years have been loaned or transferred by the Treasury.
These funds were transferred to areas such as the fight against terrorism, but also the troubled identity system, Verify.
"It is disappointing to learn that quite early, some of this activity was used for other purposes," said Professor Woodward. "Our society is now so dependent on cybersecurity. This is becoming a bit of the National Health Service, it's something you cannot afford not to do properly."
"Immediate action needed"
Meg Hillier, chair of the Public Accounts Committee, said that it was "another example of an important government program launched without essential basics".
She added: "The growing cyber threat that the UK is facing, and events such as the WannaCry attack in 2017, make it even more critical that the Cabinet Office take immediate steps to improve its program and plans to protect our cyber security after 2021."
According to Professor Woodward, another area of concern is the relative lack of attention to the development of future cyber threats. Of the £632m spent so far, only £70.89m went to the "develop" theme of the program, encompassing educational projects such as NCSC's CyberFirst program.
"It's disappointing, the cyber threat is changing all the time, and if we need enough people with the right skills, we need to strengthen the development part."
Amyas Morse, the head of the NAO, said the government had "demonstrated its commitment to improving cybersecurity", but that there remained uncertainty about how it would finance these activities after 2021.
"The government needs to learn from its mistakes and its experiences in dealing with this growing threat."