
Government data security confusing, finds PAC

A Public Accounts Committee hearing shows the government’s data and cyber security landscape is chaotic and confusing

The government still has a long way to go before it can claim it has a clear role for data protection across departments, the Public Accounts Committee (PAC) has found.

In a hearing on 14 November, the PAC grilled Paddy McGuinness, deputy national security advisor for intelligence, security and resilience, and Ben Aung, deputy director for cyber and government security secretariat, on the government’s work on data protection.

The hearing followed on from a September 2016 report by the National Audit Office, which found the Cabinet Office had “not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information”. 

MP Chris Evans pointed out that there was a long-standing problem of numerous organisations “producing conflicting advice” to departments on how to deal with data protection and cyber security.

However, McGuinness told the PAC that the National Cyber Security Centre (NCSC) was bringing together a lot of the disparate relationships and becoming a one-stop shop for advice and guidance.  

“We have, I think, a clear segmentation of who is going to give advice. Ministers have been very clear about their expectations regarding the National Technical Authority, and the one source of expertise on this will be the NCSC, so I have high confidence,” he said.

“Doubtless, we are on a journey. We have only just set up this centre, and there may be individuals who do not choose to work that way, but I know that the institutions and the ministers are committed, so I have a high level of confidence that they will be able to work together.”

The government recently updated its cyber security strategy, following on from its previous 2011 strategy, which was due to be completed by 2015. However, NAO boss Amyas Morse said it was “quite obvious” the government had not accomplished what it set out to do.

When asked by Morse why, and what had proven to be more difficult, McGuinness told the committee that “this was a strategy, not a plan”.

“It had stretch targets within it and aspired. That is good, and we should encourage it as a way of thinking. We learnt that the interface between the different bodies that were working on cyber security through this period was not good enough, and therefore we have combined them in the National Cyber Security Centre, and we need that to work,” said McGuinness.  

ICO not clear enough on reporting of data breaches

The NAO report found that the government failed to analyse performance in protecting information and had “little visibility of information risks in departments” and “limited oversight of the progress departments are making to better protect their information”. It added that reporting of personal data breaches was “chaotic, with different mechanisms making departmental comparisons meaningless”.

Aung told the PAC that the government had introduced a departmental security healthcheck to tackle the problem.


“In general terms, our approach is to be far more data-driven than we have previously been in terms of understanding risks and trends, but it is very challenging, if not unrealistic sometimes, to expect departments to be able to understand their systems and security approaches in a very consistent way, but we are much better at it,” he said.

However, MPs pointed out that some departments report huge numbers of data breaches, while others hardly report any.

McGuinness blamed this on the information commissioner. “We don’t have sufficiently specific guidance from the Information Commissioner’s Office [ICO] on what should and should not be reported,” he said, adding that work is ongoing with the ICO to produce better guidance.  

“The difficulty is that those definitions and thresholds the ICO publishes are to cover all organisations in the UK, not just government, so for us to interpret their published guidance in a way that is more meaningful for departments will require them to balance whether they are consistent,” said Aung.

MPs call for mandatory cyber security training

MPs also criticised the fact that departments were not required to report incidents and that there was no mandatory cyber security training.

“There is no mandatory reporting. There is no mandatory training. There is no mandatory certification,” said Richard Bacon, MP for South Norfolk. “There is no mandatory regulation. Somehow, by some process of learning and osmosis…this information will get to the people who need it. What is wrong with mandating what is required in terms of regulation, certification and training?”

However, McGuinness argued that “mandation” doesn’t work and that the government is instead putting a chief security officer in place in each department, or cluster of departments. The security officers should be in place by the end of 2018 or early 2019.

“We have not worked out the exact dynamics in terms of reporting lines, but there will be a smaller number of accountable full-time professional individuals of the right seniority,” Aung added.
