As a lead rapporteur during the latest Public Accounts Committee (PAC) inquiry on Monday 14 November, Bridget Phillipson, Member of Parliament for Houghton and Sunderland South, raised serious questions about the performance of the Cabinet Office in protecting information across government.
Protecting this information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. The PAC inquiry was launched following the publication of a report in September this year by the National Audit Office (NAO), which found that the Cabinet Office has not yet established a clear role for itself in coordinating and leading departments' efforts to protect their information.
During the inquiry, Bridget questioned two of the senior civil servants responsible for government policy on this issue: Paddy McGuinness, Deputy National Security Advisor for Intelligence, Security and Resilience, and Ben Aung, Deputy Director, Cyber and Government Security Secretariat.
She exposed inconsistencies over the way in which different government departments and the wider public sector reported security breaches, highlighted the failure of the Cabinet Office to deliver cost savings from its centrally managed IT projects, and pressed the witnesses to clarify whether the UK will introduce new EU General Data Protection Regulations when they come into force in 2018.
Bridget began by highlighting problems with the Cabinet Office’s delivery of three centrally managed projects – the Government Security Classifications (GSC) system, the Public Services Network (PSN), and Foxhound – all of which have been slow to provide planned benefits and failed to deliver promised financial savings in full. Although Paddy McGuinness defended the implementation of the projects on the basis that they were all very different, he conceded that the PSN had not achieved what it set out to achieve.
Responding to the NAO’s finding that the reporting of data breaches across government departments was ‘chaotic’ and made departmental comparisons ‘meaningless’, Bridget pressed the witnesses to explain why the Cabinet Office did not collect or analyse government’s performance in protecting information on a routine basis, and to account for the discrepancy in departmental reporting mechanisms. She also asked what measures the centre of government was taking to set the standard for better protection of departments’ information.
On improving the government’s capability to protect information, Bridget asked whether the government was still working on the basis that the EU-wide General Data Protection Regulations will be introduced to the UK in 2018. Mr McGuinness confirmed that the Cabinet Office was working on the assumption that the UK will still be a member of the European Union by this time.
Further questioning from committee colleagues revealed the failure of the Cabinet Office to implement a coherent policy on central government oversight of the protection of information. The Cabinet Office was also criticised for taking so long to take responsibility for cyber security across government, and for its failure to encourage local government agencies and small and medium-sized enterprises in the government supply chain to adopt best practice on cyber security, such as patching and upgrading out-of-date software.
Commenting at the end of the session on 14 November, Bridget said:
“It’s clear from the inquiry we conducted today that the Cabinet Office has a lot of work to do to improve the way in which the centre of government protects the data it collects – much of which is personal and highly sensitive.
“I am particularly concerned by the Cabinet Office’s failure to analyse government’s performance in protecting information, especially as the figures published by the NAO show that some departments are reporting many data breaches while others are not reporting any at all.
“Ministers cannot hope to identify cyber security risks when they have no idea what is going on from one department to the next. The introduction of cross-departmental guidance for the reporting of data breaches would appear to be a matter of urgency, while far more oversight from the Cabinet Office also seems necessary – not only of the seventeen departments for which it has responsibility but for the public sector as a whole.
“Unfortunately, I am not filled with confidence that the Cabinet Office is currently up to this task. The GSC, PSN, and Foxhound projects that it manages centrally at the moment have so far failed to deliver either the benefits or the financial savings that were promised, and I didn’t get the impression during today’s session that the Cabinet Office is doing enough to ensure it has the capability to implement these projects properly in the future.
“It is also important that the government is ready to deal with the impact of the introduction of EU general data protection regulations in 2018, not only centrally but in terms of the support for the wider public sector and others affected by how the regulations will apply.
“With the number of cyber national security incidents increasing at an alarming rate, it’s high time the government woke up to the threat posed by weaknesses in protecting public information from loss or theft. Over the weeks to come, my committee colleagues and I will assess today’s evidence before publishing a final report, but in the interim I hope ministers will take careful note of what was discussed today.”
To watch the PAC inquiry of 14 November 2016 on protecting information across government, click here.
To read a transcript of the evidence session, click here.