
NAO sounds alert over government cyber resilience

29/01/25

Mark Say, Managing Editor

[Image: Alert icon on digital grid. Image source: istock.com/Sashkinw]

The cyber threat to UK government is severe and advancing quickly, and a quick response is needed, according to a new report published by the National Audit Office (NAO).

It has produced the report, titled 'Government cyber resilience' and focused on central government, in response to the Government’s assessment that the cyber threat is rapidly rising.

The NAO highlights some key weaknesses in government’s security posture, notably that at least 228 legacy IT systems – which are often more vulnerable – were in use in departments in March 2024, and many system controls fundamental to resilience were at low levels of maturity.

In addition, one in three cyber security roles were vacant or filled by temporary staff, and in several departments the proportion was over 50%. Departments reported that the salaries they can pay and Civil Service recruitment processes are barriers to hiring and keeping people with cyber skills.

Jeopardising defences

Other concerns include that a lack of coordination within government jeopardises effective cyber defences. The respective roles of departments and organisations at the centre, such as the National Cyber Security Centre, are insufficiently understood, and departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals.

Further problems include the size, diversity and age of government’s digital estate, the increasing sophistication of cyber attacks, and financial pressures.

The latter have led some departments to significantly reduce the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber attack.

As an example, the NAO says that under-investment in technology and cyber was a key factor in the cyber incident that hit the British Library, which cost it £600,000 over the following few months.

In addition, the cyber directorate of the Government Security Group (GSG) has limited resources, which is affecting the progress of its work.

Short term actions

The NAO has urged the Government to act quickly, with two major recommendations for the next six months: to develop and start using an implementation plan for the Government Cyber Security Strategy; and to set out how all of government needs to operate differently and what is needed to make this effective.

It has added that over the next year the Government should make and enact plans to fill the gaps in cyber skills in its workforce.

Other recommendations include that GSG should work with the Central Digital and Data Office – now within the Government Digital Service – to take a more rigorous approach to understanding and mitigating the risk from legacy systems. This should come with GSG regularly communicating to ensure senior leaders and decision makers across government fully understand the cyber threat.

Departments should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk.

Severe risk

Gareth Davies, head of the NAO, said: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.

“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”

“Government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”

His urgency was echoed by the chair of Parliament’s Public Accounts Committee, Geoffrey Clifton-Brown, who said: “Despite the rapidly evolving cyber threat, government’s response has not kept pace. Poor coordination across government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed.

“Today’s NAO report must serve as a stark wake-up call to government to get on top of this most pernicious threat.”
