Without a business case for its National Cyber Security Programme the government cannot confirm that it is delivering value for money, a Public Accounts Committee report has said.
The programme is part of the wider National Cyber Security Strategy which runs from 2016 to 2021.
The strategy sets 12 strategic outcomes but the Cabinet Office has said it does not intend to deliver all 12 outcomes by the end of the strategy. The PAC said it is currently on track to deliver only one of these outcomes by 2021.
PAC chair Meg Hillier said: “With its world-leading digital economy, the UK is more vulnerable than ever before to cyber-attacks. As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.
“Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy.
“In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk of cyber-attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money, and strategic outcomes and objectives should be clearly defined.”
The report, out today, said that a third (£169m) of the programme’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counter terrorism activities.
Some £69m of this funding will not be returned to the programme, the report said.
The PAC recommended that the government come up with another coordinated approach to cyber security when the current one finishes in 2021 as cyber threats are “evolving fast and becoming technically more complex”.
A Cabinet Office spokesperson said: “The UK is safer since the launch of our cyber strategy in 2015.
“We have set up the world leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure.”
In March the National Audit Office found that the National Cyber Security Programme may go over deadline as it is running out of money.
