
Central government needs to step up its efforts in cyber security, including recruiting more people with the technical skills and building a better understanding of the resilience of its digital estate, according to a report from Parliament’s Public Accounts Committee.
It has published a report on the state of cyber resilience in government, saying that defences have not kept up with the severe and rapidly evolving cyber threat from hostile states and criminals.
This has created a significant gap between the growing cyber threat and the capacity to respond.
Among the report's findings is that departments have underestimated the severity of the threat because, until recently, the Cabinet Office (the lead department on the issue) had not given them a clear picture of it or of what they should do about it.
Subsequently, funding and prioritisation decisions in departments have not reflected the urgency, and there are fundamental weaknesses in their resilience.
Legacy weaknesses
There are specific weaknesses around the digital estate, of which risky legacy systems comprise 28% – although it is not completely clear how many there are in total.
The Government’s work to date has not been sufficient to ensure that critical functions are significantly hardened by this year, and a fundamentally different approach is required in the future, the report says.
In addition, organisations have traditionally not kept up with the private sector in the pay levels for cyber security specialists, leaving significant vacancies unfilled. One in three cyber security roles in central government are vacant or filled by expensive contractors, and Civil Service recruitment processes make it hard to fill the gaps at speed.
This prompts one of the recommendations in the report, for the Cabinet Office to follow up this year’s Spending Review with an estimate of how many cyber vacancies need to be filled and provide support for departments in filling them.
This would be complemented by setting out how it is supporting the appointment of experienced chief information officers and chief security officers, and the inclusion of cyber resilience in departmental plans, along with building a strong security culture in organisations.
Another recommendation involves the Cabinet Office being clear on its assessments of critical and legacy IT systems and how it will prevent departments from diverting funding away from the activity.
Others cover securing clear assurance from departments on their management of cyber risk, and setting out what can be done to take a new approach to resilience.
Waking up to threat
Chair of the PAC Sir Geoffrey Clifton-Brown said: “Government departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling.
“A serious cyber attack is not some abstract event taking place in the digital sphere. The British Library cyber attack is a prime example of the long lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.
“If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.
“Part of this will be government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms. For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high paid work elsewhere.
“Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”
The PAC’s warnings have come after the National Audit Office expressed similar concerns in its own report last January.