The Cabinet Office’s National Cyber Security Programme (NCSP) has failed to produce a detailed breakdown of exactly what it has spent and where, a report today from the National Audit Office (NAO) reiterated, urging improved transparency and external scrutiny.
Progress of the NCSP programme, which runs from 2016-2021, is also being inadequately measured, the NAO found, saying that one-third (107) of the key performance indicators (KPIs) of success are currently not being measured, “either because the Department has low confidence in the evidence underpinning a metric or it is planned as a future measure of performance.”
The report comes after the Joint Committee on the National Security Strategy attacked the programme, saying “lack of transparency about such large sums of public money is of serious concern.”
NAO On National Cyber Security Programme
The NAO has found that once the NCSP project was established the government concluded that: “It needed to prioritise additional funding on counter-terrorism activities.”
While the NAO notes these actions contributed to enhancing cyber and national security, they were not originally planned for the project. As a result, this action: “Delayed work on projects such as elements of work to understand the cyber threat.”
Many of the early issues with the programme appear to stem from the fact that when HM Treasury set the funding in 2015, the department did not have an overall programme business case.
This resulted in a situation where money was coming in, but the project had “no way to assess how much funding was required.”
Meg Hillier MP, Chair of the Committee of Public Accounts, commented in an emailed statement that the: “Government’s £1.3 billion flagship cyber security programme is yet another example of an important government programme launched without getting the basics right.”
“There were serious weaknesses in its initial set up, undermining its contribution to government’s overall cyber security strategy.”
Red Amber Green
The NAO found that the programme has inefficiently used its time in assessing the project’s benefits and strategic outcomes. The office said it believes that the NCSP does not have a robust framework in place to measure how the project has performed.
Rather than establish a comprehensive review structure, officials at the programme were asked to rate the risk involved in achieving the project’s strategic outcomes via Red, Amber and Green indicators.
As the NAO states: “There is little evidence to support these assessments, which makes it difficult to assess how well the Programme has performed so far. The Strategy set out 48 measures of success but by July 2018 only 17 were being measured.”
The NAO noticed improvement in these systems as the Department now requires lead departments to spend between two and ten percent of their funding on measuring performance. However, the NAO notes that the: “Department is not checking whether this is being done.”
The issue of performance measuring is compounded by the fact that the department has little confidence in the evidence underpinning some of its metrics. The NAO found a lack of quantitative measures of impact.
This is making it very hard for any lessons to be learnt from the programme running from 2016-2021 as the Department has ‘limited historical data’ to gain insights from.
The NAO has expressed concerns for the future of the programme as they state that: “The Department has started preparations for an approach to cyber security after 2021, but risks repeating previous mistakes.”