A National Audit Office review of the Government’s strategy for cyber security indicates that, although it is at an early stage, activities are already beginning to deliver benefits.
The cost of cyber crime to the UK is currently estimated to be between £18 billion and £27 billion. Business, government and the public must therefore be constantly alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack.
The UK Cyber Security Strategy, published in November 2011, set out how the Government planned to deliver the National Cyber Security Programme through to 2015, committing £650 million of additional funding. Building on ten years’ experience of seeking to protect government information, systems and networks, the strategy placed greater emphasis on the role of the public and industry in helping secure the UK against attacks and also the opportunities to UK business from a growing market in cyber security.
Among progress reported so far, the Serious Organised Crime Agency has repatriated more than 2.3 million items of compromised card payment details to the financial sector in the UK and internationally since 2011, preventing a potential economic loss of more than £500 million. In the past year, moreover, the public made over 46,000 reports of cyber crime to Action Fraud, amounting to £292 million worth of attempted fraud.
The NAO identifies six key challenges faced by the Government in implementing its cyber security strategy in a rapidly changing environment. These are the need to influence industry to protect and promote itself and UK plc; to address the UK’s current and future ICT and cyber security skills gap; to increase awareness so that people are not the weakest link; to tackle cyber crime and enforce the law; to get government to be more agile and joined-up; and to demonstrate value for money.
The NAO recognizes, in particular, that there are some challenges in establishing the value for money of the cyber security strategy. There is the conceptual problem that, if cyber attacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy. There is also the challenge of determining the relative contribution to overall success or otherwise of different components of the strategy. And there is the challenge of assigning a value to the overall outcome, to set against the cost of the strategy. The Government has work underway to measure the benefits of the strategy.
The report is designed to set the scene in an area likely to be of continuing interest to the Committee of Public Accounts. Although the Committee has not specifically examined the issue of cyber security, it raised concerns about cyber security in relation to the government’s plans for smart meters, which will enable energy suppliers to collect meter readings over the internet, as well as pointing to a lack of detail on cyber security plans in the Government’s 2011 ICT strategy.
Amyas Morse, head of the National Audit Office, said today:
“The threat to cyber security is persistent and continually evolving. Business, government and the public must constantly be alert to the level of risk if they are to succeed in detecting and resisting the threat of cyber attack.
“It is good that the Government has articulated what success would look like at the end of the programme. It is crucial, in addition, that progress towards that point is in some form capable of being measured and value for money assessed.”
Background Information
- Fifteen government organizations are working together on four objectives: to tackle cyber crime and make the UK one of the most secure places in the world to do business; to make the UK resilient to cyber attack and be better able to protect its interests in cyberspace; to help shape an open, stable and vibrant cyberspace which the UK public can use safely; and to build the UK’s knowledge, skills and capability to underpin all cyber security objectives.
- In the strategy, the government describes what success would look like at the end of the programme. This includes individuals knowing how to protect themselves from crime online; critical national infrastructure being protected against cyber attack; and working relationships with other countries, business and organizations around the world being strong and well-established.