UK Public Accounts Committee slams government on cybersecurity strategy

The government's approach to personal data breaches has been described as "chaotic"

The Public Accounts Committee has taken the government to task over a lack of action on cyber security in the UK, saying that poor reporting of breaches and weak oversight in general reduce its confidence in the Cabinet Office's ability to protect the country from cyber threats.

The report cites cyber security as one of the biggest threats that faces the country today, but committee chair Meg Hillier said that the government's approach to personal data breaches "has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher threat attacks".

She went on to say that the Cabinet Office is "undermined by inconsistent and chaotic processes for recording personal data breaches".

And Hillier said that it "should concern us all that the government is struggling to ensure its security profession has the skills it needs". She recommended that government communicates "clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support".

The first of the PAC's recommendations is that the government develops a plan for the National Cyber Security Centre, a recently formed body created to foster dialogue between government and industry on cybercrime. It should, the report argues, clearly set out what and who it will support, as well as the assistance it will provide and exactly how it intends to communicate with organisations that need its help.


The government should also create a "clear approach" for the protection of information in all public sector institutions, and not just in central government, the report says. Central government should also commit to regular assessments of performance and cost for cyber security, review information projects such as the Public Services Network, and regularly consult with the Information Commissioner's Office (ICO) on establishing best practice guidelines.

The final point is that the government is struggling to bring in cyber security professionals with the right skills; the committee recommends that the government reply to the PAC within six months to report on how it plans to improve this.


Speaking with Computerworld UK, Javvad Malik, security advocate for AlienVault, acknowledged that the skills gap has been a challenge for businesses, but said it will be compounded for government.

"Private enterprises can often offer greater salaries and other benefits to security professionals," Malik said. "Therefore, it's not just finding talent that's tough, but also retaining the skill - in the big scheme of things the cyber security industry is still in its infancy and as a result it's difficult to establish what constitutes an adequate baseline for what's appropriate."

"As there are issues at the people, technology and process levels it would make sense to start by casting a broad net to evaluate the situation and then pull it in from there," he said. "From a process side this would include things like formalising a breach notification plan, and an incident response process should be put in place."

"The skills baseline should be drawn up based on industry standards. There are plenty of bodies that can provide a template in this regard, but priority should be given to recruit in areas where the most breaches have been reported, to maximise the benefits."

David Ferbrache, who previously worked at the MoD and is now technical director at KPMG's cyber security practice, said that the government has been progressive in addressing the skills gap, but that the major problem lies in properly fostering dialogue between government and industry.

He told Computerworld UK: "The bit I'm interested in is building bridges between industry and government - one of the things that strikes you is there needs to be a lot more understanding in government of the industry perspectives around security.

"The reverse is also true, so you end up with a big disconnect between people like CISOs in big firms, wrestling day-to-day with security investments, and governments who get very frustrated sometimes with why they're not taking this issue more seriously."

Ferbrache added that the original vision of the NCSC was to build bridges between industry and government in cyber security.

"The reason they were moving into London was because they wanted to move beyond the donut in Cheltenham," he said. "They wanted to create a new space where, yes, there was going to be sensitive material handled but it was supposed to be a much more engaging and open space to bring in industry and have discussions."

"They made a start on that, but it's hard. You need cultural change, from being in government, from being in an intelligence agency, to then saying we're going to open the doors and bring in industry and actively involve them in working groups."