Addressing Cybersecurity: UK NAO Efforts to Tackle Increasing Challenges

by Tom McDonald, Director of Cybersecurity Work, United Kingdom National Audit Office

Cybersecurity—A UK Priority
Addressing cybersecurity challenges is a clear priority for the United Kingdom (UK) government. In the 2010 National Security Strategy, cyber was classified as a “tier 1 threat”—the government considered cybersecurity equally as threatening as a conventional military attack or a natural disaster.

As the UK’s economy and public services continue to become progressively digital, ensuring online activity is secure and trusted is vital, and in 2011, the government published its first national cybersecurity strategy. With a budget of £860m, the central government sought to increase capabilities to deal with cybersecurity challenges and work in partnership with others to make private sector and individual citizens’ online activities safer.
However, the government has recognized that, although it has made some progress, it has not achieved the scale and pace of change required to stay ahead of what has become a fast-moving threat.

In its second national cybersecurity strategy, issued in 2016, the government allocated £1.9bn over a five-year period. The government also re-cast its approach by implementing the new strategy in three specific areas of activity—“Defend,” “Deter” and “Develop”—with a key aspect to establish and embed a new National Cyber Security Centre (NCSC) designed to more actively defend UK networks and improve the depth and breadth of cyber skills available to UK public and private sectors.

Cybersecurity—The NAO Response
The UK National Audit Office (NAO) is responding to the challenges associated with auditing cybersecurity expenditures in three ways.

First, the NAO is assessing the National Cyber Security Program's effectiveness, along with other central government activities designed to protect data. Examples of NAO work on this front include reports on the National Cyber Security Program and Protecting Information Across Government. Both reports document the difficulties involved in protecting information while redesigning public services and introducing the technology needed to support them.

Second, the NAO is auditing cyber elements of other programs and the government’s response to specific cybersecurity incidents. Cybersecurity considerations are increasingly featured in a wide range of projects and initiatives, from digital transport schemes to smart energy meters and secure online financial transactions. The NAO noted in its report on Online Fraud that the internet is changing the nature of crime, and law enforcement responses are struggling to keep up. As more and more public services are delivered online and internet connectivity is steadily becoming a feature of everything—from military equipment to medical technology—considering cyber elements is likely to become a bigger part of audit work.

A good example of this is the “WannaCry” incident, which affected many national health service institutions (in addition to other organizations) across the world. In October 2017, the NAO authored a report outlining some of the government’s response shortcomings in an effort to help the government improve should there be another breach or incident.

Third, the NAO is equipping and training its staff to help client bodies think about cyber issues they may face. The NAO has added new activities to its long-standing IT and systems auditor training programs to engage a broader range of staff. During the NAO annual training and development week, government and industry representatives, including the head of the NCSC, addressed NAO staff and provided them with the latest developments.

The NAO also shares insights with colleagues who have expressed an interest in cybersecurity through blogs, article recommendations and guidance. Popular resources include the NAO’s recent publication, “Cyber Security and Information Risk Guidance for Audit Committees.” The guidance, which has been particularly well-received by small- and medium-sized organizations, provides a checklist of questions covering issues of particular concern, including the:

  • Overall approach to cybersecurity and information risk management;
  • Capability needed to manage cybersecurity;
  • Specific aspects, such as information risk management, network security, user education, incident management, malware protection, monitoring, and home and mobile working; and
  • Related areas to include using cloud services and developing new services or technology.

Cybersecurity is a fast-paced area, and the NAO, in consultation with clients, continues to learn about technical and policy developments. From discussions with many of those clients, the NAO has discovered a general lack of experience and skills necessary to deal with technological changes. Spreading good practice and awareness can help clients adapt.

Of course, in conjunction with all of this work, the NAO must keep its own house in order. Since the NAO retains sensitive client data, as well as data relating to internal management and operations, considerable effort has been dedicated to improving internal security practices and raising NAO staff awareness. This is an ongoing process, and, as for our clients, remaining alert and steadfast in thwarting cybersecurity threats is crucial.

For more information contact tom.mcdonald@nao.gsi.gov.uk.