Britain’s flagship £1.3 billion policy to prevent cyber attacks by hostile states like Russia risks repeating mistakes after a series of false starts, a report found.
The country remains vulnerable to crippling digital hacks that could affect crucial infrastructure, the NHS, domestic networks, and businesses, a review by the independent National Audit Office (NAO) said.
The National Cyber Security Programme is led from Whitehall by the Cabinet Office, and has already had some success in establishing new systems, but the NAO said its launch in 2015 was bungled by officials who did not initially know how much it would cost.
The programme was further delayed for almost two years after planned funding was hurriedly re-allocated to cope with emerging terrorist threats, the report said.
The delays affected fundamental work to understand what cyber threats existed. It is now unclear whether the programme will achieve its objectives ahead of its planned end date in 2021 and despite a further half-a-billion left to spend.
And the problems coincided with a week-long attack by hackers on NHS computer systems, which crippled health service networks in May 2017 costing £92 million. A global ransomware attack, known as WannaCry, hit a range of systems and industries.
A report into the incident found the attack could have been avoided through basic security measures.
Some 72% of large UK businesses reported a cyber attack in the previous 12 months, with many reporting multiple attacks per day.
But despite the rising threat, just three of the government cyber programme’s 12 objectives were assessed as being “on track”.
And auditors cast doubt on the Cabinet Office’s ability to forecast what it might need to continue to combat cyber attack threats beyond 2021 by a deadline this autumn.
Amyas Morse, the head of the NAO, said: “Improving cyber security is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services.
“The government has demonstrated its commitment to improving cyber security. However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021.
“Government needs to learn from its mistakes and experiences in order to meet this growing threat.”
A Cabinet Office spokesperson said: “The UK is safer since the launch of our cyber strategy in 2015. We have set up the world-leading National Cyber Security Centre, taken down 140,000 scam websites in the last year, and across government have helped over a million organisations become more secure.
“We recognise that there is always more to do, and are pleased that the NAO has endorsed our plans for the future through their recommendations.”