Report published June 2019. Awaiting government response.
Scope of the inquiry
The UK has one of the world’s leading digital economies, making it more vulnerable to cyber-attacks from hostile countries, criminal gangs and individuals, which continue to increase and evolve as it becomes easier and cheaper to launch attacks. While all public and private organisations are responsible for safeguarding their own information, since 2010 government has taken a central lead to ensure the UK effectively manages its exposure to cyber risks. The Cabinet Office leads this work through successive National Cyber Security Strategies, published in 2011 and 2016, and separate National Cyber Security Programmes designed to help deliver each Strategy, running from 2011 to 2016 and currently from 2016 to 2021.
In March 2019, the National Audit Office (NAO) published a report which found that the first national cyber security programme for 2011-2016 did not achieve sufficient change to stay ahead of the cyber threat. The report further notes that the Department did not undertake a comprehensive lessons-learnt evaluation of the first programme, so there was no robust baseline to inform the current Programme. Finally, the report underlines that the Department did not produce a business case for the Programme, meaning there was no way to assess how much funding was required for it.
The Committee’s report on Protecting information across government in 2017 concluded that it had taken too long to consolidate and coordinate the ‘alphabet soup’ of agencies involved in protecting Britain in cyberspace. The Committee also considered cyber security risks in 2018 in its reports on Online Fraud and WannaCry, the cyber-attack on the NHS.
On 1 April, the Committee will question Sir Mark Sedwill, Cabinet Secretary and National Security Adviser, along with other senior officials from the Cabinet Office and National Cyber Security Centre about the failure to establish its current strategy in line with good practice. Members will also ask how and by when the Department will improve the performance of the current Programme, as well as challenge officials to provide a commitment on how it plans to build on its current cyber security beyond 2021.
The Committee may also want to use this session to question Sir Mark Sedwill, the former Permanent Secretary at the Home Office, on Windrush, the Disclosure and Barring Service (DBS) and the emergency services network (ESN).