MPs warn Government to 'raise its game' over cyber security

Confidence in the Government's ability to protect Britain from high-level cyber-attacks is being undermined by skills shortages and "chaotic" handling of personal data breaches, an influential group of MPs has said.

Ministers have also taken too long to consolidate the "alphabet soup" of agencies tasked with safeguarding the UK from cyber-attacks and there appears to be no coordination across the public sector, the Public Accounts Committee (PAC) said.

The MPs' warning comes amid increasing concern about Russian cyber-attacks after Moscow allegedly interfered with the United States presidential election in Donald Trump's favour.

The PAC said that despite cyber-attacks being ranked as a top four risk to UK national security since 2010, the role of the Cabinet Office, which is responsible for coordinating information protection across Government, remains unclear.

Committee chair and Labour MP Meg Hillier said: "Government has a vital role to play in cyber security across society but it needs to raise its game.

"Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks.

"The threat of cyber crime is ever-growing yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure.

"In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs.

"Leadership from the centre is inadequate and, while the National Cyber Security Centre (NCSC) has the potential to address this, practical aspects of its role must be clarified quickly.

"Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support."

PAC's report said the Cabinet Office's ability to make informed decisions about security is "undermined by inconsistent and chaotic processes for recording personal data breaches".

Reporting across Whitehall departments varies widely, with some highlighting thousands of data breaches while others recording none at all.

But the Cabinet Office does not collect or analyse their performance in protecting information on a routine or timely basis and was not aware of the variability in reporting until the National Audit Office highlighted the issue last year, the MPs said.

"Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention," the committee said.

The Government is also struggling to ensure its security profession is suitably skilled with the Cabinet Office unwilling to bring in a minimum standard for departments.

"It remains unclear as to what skills gaps exist and how to fill these in the face of UK-wide skills shortages in this field," the report said.

The MPs said new initiatives to share information securely and classify information consistently across Government are failing to deliver as planned.

The PAC found the Government ignored its own advice by failing to carry out a business case for Government Security Classifications (GSC) system, which was meant to deliver £110 to £150 million-a-year in benefits.

A National Cyber Security Centre spokesman said: "In the four months since becoming operational, the NCSC has transformed how the UK deals with cyber security by offering incident management capabilities, fostering technical innovation to help prevent attacks and providing real-time cyber threat information to 3,000 organisations from over 20 different industries.

"The UK faces a growing threat of cyber-attacks and we share the committee's determination to make the UK as safe a place as possible to live and do business online."

A Cabinet Office spokesman said: "Our comprehensive and ambitious National Cyber Security Strategy, underpinned by £1.9 billion of investment, sets out a range of measures to defend our people, businesses, and assets; deter and disrupt our adversaries; and develop capability and skills."