A skills shortage and “chaotic” handling of personal data breaches are undermining confidence in the government’s ability to protect the UK from cyber attacks, MPs have warned.
The Commons Public Accounts Committee said ministers had taken too long to consolidate the “alphabet soup” of agencies tasked with stopping attacks.
Cyber attacks are ranked among the top four risks to UK national security.
The government said it had acted with “pace and ambition” on the issue.
In November, Chancellor Philip Hammond said that hostile “foreign actors” were developing techniques that threatened the country’s electrical grid and airports.
And in a speech on Thursday night, Defence Secretary Sir Michael Fallon warned that Russia was carrying out a sustained campaign of cyber attacks targeting democracy and critical infrastructure in the West.
Moscow was “weaponising misinformation” in a bid to expand its influence and destabilise Western governments and weaken Nato, he said.
The committee of MPs found that the role of the Cabinet Office, which is responsible for protecting all government information from attack, remained unclear.
“Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks,” said Labour MP Meg Hillier, who chairs the committee.
“In this context, it should concern us all that the government is struggling to ensure its security profession has the skills it needs.”
Reporting of data breaches varied across Whitehall, with some departments highlighting thousands while others recorded none at all, a system the MPs described as “inconsistent and chaotic”.
“Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention,” the committee said.
A spokesman for the Cabinet Office said: “The government has acted with a pace and ambition that has been welcomed by industry and our international partners right across the globe.
“Our comprehensive and ambitious national cyber security strategy, underpinned by £1.9bn of investment, sets out a range of measures to defend our people, businesses, and assets; deter and disrupt our adversaries; and develop capability and skills.”
A spokesman for the UK’s National Cyber Security Centre, which has been operational for four months, said the unit had “transformed how the UK deals with cybersecurity”.
It had provided “real-time cyber-threat information to 3,000 organisations from over 20 different industries, offering incident management handling and fostering technical innovation”.
Prof Alan Woodward, a computer security expert from the University of Surrey, said the report was “a little unfair”.
The weakest link?
“Could we say that we are cyber-bomb proof? Probably not, but I’m not sure anyone could,” he said.
“But we are getting better, and the government is taking strides to get its own house in order.”
The weakest link in any cybersecurity clampdown remained people, Prof Woodward said.
“There are still people who copy things they shouldn’t on to laptops or people who decide to connect a nuclear power station to the internet,” he said.
MPs question UK’s cyber attack defences