The UK’s £860 million National Cyber Security Programme has so far failed to deliver the expected economic benefits for businesses, the latest progress report from the National Audit Office (NAO) has found. Businesses might also not be sharing enough threat information.
Overall, the Update offers a surprisingly glowing assessment of the progress made by the Programme, despite in the past pointing out weaknesses such as the persistent shortage of cyber security skills.
This time, there is more sweetness and light, although if you read deeper some islands of anxiety eventually surface.
On the positive side, progress has been made in getting businesses and consumers to take cyber security seriously, the clutch of educational initiatives have started to address skills shortages, and financial governance of the Programme appears to be good – the NAO said it expected the full £860 million budget to be used by the expected 2016 date.
On the other, the successful launch of UK CERT in March shouldn’t be allowed to obscure the difficulties that still exist in getting businesses to share threat information to make possible real-time intelligence of the sort the Government sees as critical.
“There is, however, some reluctance from many companies to share information about breaches, unless forced by regulators or legislation, because of the potential impact on their reputations.”
But the weakest score of all is reserved for the Programme’s struggle to turn the security expertise held by UK-based businesses into something resembling an economic benefit. Cyber Security is at the top of everyone’s to do list and UK businesses should be booming on the back of exports but somehow this is proving harder to bring about.
Some of the blame is thrown at slow implementation, with the Cabinet Office UK Trade and Investment (UKTI) marketing strategy taking until May 2013 to appear, 14 months behind schedule.
Big deals with foreign governments through the Defence and Security Organisation also favoured established firms rather than SMEs, the NAO said.
The Government agreed a methodology for measuring export success and reaching its own £2 billion target but this remained fraught with difficulties.
“The nature of cyber products means that it is often possible for operations in the UK with intellectual property developed by UK employees to be owned by a foreign company,” said the NAO.
“The ultimate destination for this income being generated by UK intellectual property may therefore not be the UK economy. All of these factors make accurate measurement of the target difficult.”
A final uncertainty with the National Cyber Security Programme was simply the inherent difficult of measuring the relationship between inputs defined through money and initiatives and outputs measured through better cybersecurity.