09 April 2019

The National Audit Office (NAO) has criticised the government over “failings” in the way it is planning to protect the UK’s critical infrastructure from cyber-attacks.

According to a report by the public spending watchdog, the Cabinet Office made errors when it established the National Cyber Security Programme (NCSP) in the autumn of 2016 and has claimed the government now does not know whether it will be able to meet the programme’s goals, or adequately protect UK citizens, businesses and infrastructure from cyber-attacks post 2021.

Although the NAO noted some successes, including the establishment of the National Cyber Security Centre (NCSC) in 2017, it said it remained unclear whether the programme, which was designed to establish a “focal point” for cyber security activity across government, would achieve any of its wider strategic outcomes by 2021.

This was due, in part, to difficultly in dealing with the evolving and complex cyber security landscape, and also because the Cabinet Office had not properly assessed whether the £1.3bn of funding ringfenced for the NCSC – out of the £1.9bn total for the strategy –was enough.

Amyas Morse, the head of the NAO, said that the government had “demonstrated its commitment to improving cyber-security”, but that there is uncertainty about how it will fund these activities after 2021. “Government needs to learn from its mistakes and experiences in order to meet this growing threat,” Morse said.