How the government spent £860m on cyber security that 'hasn't worked'
Almost £1bn spent on cyber security, while legacy IT issues were ignored
The government has released details of how it has spent £860m over the past five years on the National Cyber Security Programme, just a month after Alex Dewedney, the director of cyber security at GCHQ's information security arm CESG, suggested that the money spent "hasn't worked".
In a Cabinet Office report looking at the UK Cyber Security Strategy between 2011 and 2016, the government said it spent £441.8m on what it called a "National Sovereign capability to detect and defeat high-end threats", accounting for more than half of the £860m budget.
It said that it had come within one per cent of this budget through "rigorous financial management", with incremental increases coming over the past five years.
It spent just over £100m on cyber security back in 2011/12, rising to over £150m in 2012/13, and more than £175m in 2013/14. It has spent more than £200m in each of the last two years.
Aside from the capability to detect and defeat high-end threats, the government has spent £117m on law enforcement and combating cyber crime and £80.6m on what it called "support to full spectrum effects capability", which Sean Sullivan, security advisor at F-Secure, said was the government's "attack capabilities". A further £39.6m was spent on improving the resilience of the Public Sector Network (PSN), and £40.4m on "mainstreaming cyber throughout defence".
But Dewedney said last month that there had been a "mantra in the UK" that the solution to all of its cyber security problems was through information sharing and partnerships - more than £60m was spent on private-sector engagement and awareness.
"[People believe that] if we keep doing that, then somehow it will magically cause improvement to happen. That approach by itself is not sufficient," said Dewedney.
Dewedney also criticised the government for "not... spending money on fixing legacy IT issues" that have left a situation that, he said, "is killing us". The Cabinet Office breakdown does not include a section on fixing legacy IT issues; it seems as if the government has attempted to build on top of what it already has, rather than starting with a clean slate.
The government - as well as the IT industry - has spoken quite frankly about what is deemed a cyber security skills gap, and Whitehall chiefs have spent £32.8m on education and skills to help fill this gap. Dewedney argued that this was the crucial area.
He said the problem was "not so much a money issue as it is a human resources issue".
The Cabinet Office said it spent £24.4m on incident management, response and trend analysis, £8.1m on international engagement and capacity building, and £7.8m on programme management, coordination and policy.
But while the government may claim to have kept within its budget, Dewedney suggested that the near-£1bn spent on cyber security by the government simply "hasn't worked".
"I think the best way to sum up the challenge we face is that while we've done a lot over the past five years and spent quite a lot of money as a government, particularly in those years of austerity we've been through, the bottom line is it hasn't worked," said Dewedney.
The Cabinet Office said that it would be releasing a new UK Cyber Security strategy later this year. The new strategy will detail how the government plans to spend £1.9bn a year by 2020, a spending commitment first announced by Chancellor George Osborne in a speech at GCHQ in November.