6 Cyber-security across Government
The National Cyber Security Programme (NCSP) was
launched in October 2010 (for more details see paragraphs 4 to
7 of this report).
In its first annual progress report on the National
Cyber Security Strategy, the Cabinet Office reported on how the
£650 million allocated to the NCSP had been spent so far.[140]
[Chart: How the National Cyber Security Programme money has been spent.
Source: Cabinet Office, Progress against the Objectives
of the National Cyber Security Strategy - December 2012]
Outturn and forecast spending in the first two years
of the NCSP was as follows:
National sovereign capability to detect and defeat
high end threats (Security & Intelligence Agencies, £157M)[141]
Mainstreaming Cyber throughout Defence (MoD, £31M)
Law enforcement and combating Cyber Crime (Home Office,
£28M)
Engagement with the private sector (BIS, £17M)
Improving the resilience of the Public Sector Network
(Cabinet Office, £12M)
Programme coordination, trend analysis and incident
management / response (Cabinet Office, £9M)
Education, skills and awareness (Cabinet Office,
£4M)
International engagement and capacity building (FCO,
£2M)
TOTAL = £260M[142]
The fact that many Departments have an interest in
aspects of cyber-security means it is important to establish who
bears responsibility for what elements of the agenda (beyond all
agencies having a responsibility to protect their own data and
systems). This is necessary in order to limit duplication, minimise
the chance of gaps developing, and ensure that each Department
is clear about its mission.
The Intelligence and Security Committee in its 2010-11
Annual Report identified 18 departments, units or agencies with
particular responsibilities for aspects of cyber-security, spread
across the intelligence and security Agencies, law enforcement,
and other government departments including the Home and Foreign
Offices, MoD and BIS. That Committee expressed concerns about
"structural issues", noting that between them these
18 bodies:
cover policy, management, intelligence operations,
protective advice, detection and analysis, with some focused on
crime, some on hostile activity from overseas, some on counter-terrorism
and others covering all three. This risks duplication and confusion
and cannot be cost-effective.[143]
When we put these concerns to Francis Maude, he responded,
"It may not be particularly tidy, but we are getting quite a lot done
in rather an effective way. [...] I
would be concerned if there were only a few departments that had
any interest in this, and if they rigidly stuck to concerning
themselves only with what lay within their narrowly-drawn boundaries.
This is very far-reaching,
and it is changing all the time."[144]
Located in the Cabinet Office, the Office for Cyber
Security and Information Assurance coordinates cyber-security
activity across Government and administers the National Cyber
Security Programme under the oversight of the Minister for the
Cabinet Office. The Minister chairs the Programme Board, and the
Government's Chief Information Officer reports to him, as does
the Ministry of Defence CIO, John Taylor, on the specific project
of the public sector network. Francis Maude MP explained to us
that he did not have the authority to instruct officials in other
Departments, but that the Programme Board held Departments to
account for their delivery and spending under the NCSP.[145]
The Cabinet Office has executive authority for certain aspects
of this work, for example the identity assurance programme, but
in other respects, Francis Maude told us, "responsibility,
very properly, is spread across the Government".[146]
James Quinault outlined why the Cabinet Office's
role was to coordinate rather than direct:
we see this absolutely as not just a Government and
military issue. It touches everything in life, not just everything
in Government, which is precisely why the approach to it has to
be one of coordinating activity, rather than directing it all
from the centre. If you want to reach business, the business Department
needs to be mainstreaming this into its other communications with
business. [...] It has to lead on that. That cannot be done from
the Cabinet Office.[147]
It is the National Security Council (NSC) which identified
cyber-security as one of the four most important risks to the
UK's national security. The head of the Office for Cyber Security
and Information Assurance reports to the deputy National Security
Adviser. However, we were told that it was discussed by the NSC
as a discrete subject perhaps only two or three times a year and
that a session dedicated to the topic in the autumn of 2012 would
be the first such meeting.[148]
An 'ad hoc' cross-Whitehall ministerial group, chaired by the
Foreign Secretary and including Ministers with a cyber-security
responsibility in their portfolio, meets roughly every six weeks,
and is complemented by a similar officer group.[149]
Professor Brian Collins, Chair of Engineering
Policy, UCL, commented on a potential weakness of the UK Cyber
Security Strategy:
History shows us that continuity of stewardship of
strategies of this nature is quite difficult to achieve through
our democratic process. [...] Unless we maintain that stewardship
over a period that is much longer than the five-year electoral
cycle, we will fail to deliver the desired outcomes.[150]
There is no Minister dedicated to cyber-security;
it is one of the responsibilities of the Minister for the Cabinet
Office. In the past, ownership of the issue has been vested in
ministers of more junior rank, but who had fewer diverse responsibilities
to attend to. Francis Maude put it to us that it was important
for cyber-security to be represented by a senior figure with authority
to operate across many Departments.[151]
However, he estimated that some 25-30% of his time was spent on
cyber-security, and he described the breadth of his portfolio
as that of "Minister for everything else".[152]
It is our view that cyber-security
is a sufficiently urgent, significant and complex activity to
warrant increased ministerial attention. The relevant minister
should have the authority to direct government departments to
take action if they are not performing as required. We also consider
that the National Security Council should dedicate time, with
the relevant minister in attendance, to consider cyber-security
matters on a more regular basis.
The National Cyber Security Programme
requires robust governance and we note that the Minister for the
Cabinet Office chairs the Programme Board. However, the Programme
represents only the tip of the iceberg of the necessary cyber-security
activity across government. High-profile and authoritative leadership
is required for all such activity.
Responsibility in the event of a major cyber-security incident
EADS stated in its memorandum to this inquiry that
"at present it is not clear who owns the coordinated response
to a national cyber-security incident"[153].
The Institute for Security and Resilience Studies argued that:
There are outstanding practical questions about the
coherence of activities in the wake of the 2011 UK Cyber Security
Strategy. For example, at the cyber summit hosted by the Foreign
Secretary in November last year the French had a clear answer
to the question "who would you call in the event of a cyber
incident?" It is their Prime Minister. This answer resolves
the geographic and thematic contradictions cyber crises can otherwise
precipitate. During the conference the answer for the UK was unclear.
Subsequently it was said to be the Minister for the Cabinet Office,
Francis Maude. Whilst he attends Cabinet, is at the centre of
UK Government and can act with the authority of the Prime Minister,
it is not clear his post commands the capabilities necessary to
be the Lead Government Department.[154]
The Institute also said that it would be difficult
to imagine international crises not being handled by the Foreign
Secretary, internal crises by the Home Secretary, or incidents
in the financial sector pointing to the Chancellor, but that what
it calls "the Lead Government Department question" "could
create unnecessary duplication of capabilities among government
departments".[155]
The then Minister for the Armed Forces, Nick Harvey
MP, said:
I think that an analogy might be drawn with the COBR
principle. When there is some sort of an incident anywhere within
Government, the Cabinet Office has this COBR capability that kicks
in. In and of itself, it does not have a great organisational
empire at its disposal, but it has a coordinating role among other
Government Departments, which have the mechanical functions. In
a sense, I think, in the cyber sphere, the small unit in the Cabinet
Office operates somewhat similarly. The principal levers at their
disposal actually reside in GCHQ. That is where the serious firepower
would come from to deal with things in a practical sense.
In the event of some sort of cyber attack against
the Government, the coordinating role for a response will be exercised
by the Cabinet Office. [...] Depending on the precise nature of
the attack and which parts of the Government networks were subject
to the attack, a lead Government Department would be appointed.
Other Government Departments would render any assistance that
they could. [...] Depending on the scale and severity of the attack,
it might well be that COBR would meet and bring together Ministers
and/or officials from the relevant Departments to coordinate the
Government's response.[156]
Asked who would take the lead, and on whose authority,
in the event of a major cyber attack on the UK, Francis Maude
replied:
It depends on the scale and the nature of it. If
it is deemed essential - if it is of a scale that it cannot
be dealt with just by the Cyber Security Operations Centre at
Cheltenham - then it would come up to the Cabinet Office.
If it was of sufficient scale, it could lead to COBR being convened
at different levels, depending on the scale, with different Departments,
potentially, in the lead, depending on what it was. If it was
an attack on the energy infrastructure, for example, unless it
was at a level where the Prime Minister would want to chair it,
you would ordinarily expect the Energy Secretary to chair COBR.
Similarly, if it was an attack on transport infrastructure, the
Transport Secretary would, and so on. [...] If something looked
like it could be a sovereign attack, that would clearly be for
the Prime Minister.
James Quinault described the role of the Cyber Security
Operations Centre (CSOC) as: "monitoring and triaging incidents
and making sure there is a single version of the truth for Government
to act on".[157]
CSOC is hosted by and reports to GCHQ rather than the Cabinet
Office.[158]
In a previous inquiry we expressed
concern that no one government department was identified to take
immediate lead responsibility should there be a severe space weather
event.[159]
The machinery in the event of a cyber attack appears to be under
development, with an important role being played by the Cyber
Security Operations Centre. However, before a 'lead Government
Department' is identified for a particular cyber incident there
is a potential gap during which the Cabinet Office has a coordinating
role but the location of executive authority is not clear. It
is vital that clear procedures are in place, and communicated,
about how ownership of incident response is escalated when necessary
from individual departments to higher, central authorities. We
recommend that the National Security Council review these arrangements
to ensure that the UK's response to major cyber-incidents is as
streamlined, rapid and effective as it can be, and that a programme
of regular exercises, involving ministers as well as officials,
is put in place to test the arrangements. The MoD should also
conduct exercises for its own internal arrangements and their
interface with the rest of government.
140 Cabinet Office, Progress against the Objectives of the National Cyber Security Strategy - December 2012
141 A breakdown of 'sovereign capability' spend in the Intelligence Agencies is not provided for reasons of national security, but the capability this buys supports activity across all strands of the Programme.
142 Cabinet Office, Progress against the Objectives of the National Cyber Security Strategy - December 2012
143 Intelligence and Security Committee, Annual Report 2010-11, para 12
144 Q 151 and Q 153
145 Q 167 and Q 198
146 Q 145
147 Q 179
148 Qq 168-74
149 Q 174
150 Q 5
151 Q 149
152 Q 147
153 Ev w12, para 30
154 Ev w32, paras 2.8-2.9
155 Ev w32, paras 2.9-2.11
156 Q 75 and Q 80
157 Q 186
158 "GCHQ to host UK Cyber Security Operations Centre", GCHQ, 26 June 2009, http://www.gchq.gov.uk/Press/Pages/Cyber-Security-Operations-Centre.aspx
159 Defence Committee, Tenth Report of Session 2010-12, Developing Threats: Electro-Magnetic Pulses (EMP), HC 1552