Cyber risk is a challenge facing not just government, but our entire society. So says Ian Murray, Minister of State at the Department for Science, Innovation and Technology (DSIT) in an introduction to the UK Government’s Cyber Action Plan.
He goes on to acknowledge that central government and the public sector need to urgently invest ‘in replacing legacy systems and fixing foundational vulnerabilities’. He says: “Too often, however, we are let down by underlying existing infrastructure which is not adequately resilient. Our legacy systems often cannot be defended by modern cyber security measures. We know that historical underinvestment in both technology estates and proportionate cyber security measures has left us with a significant technical debt whilst the threat we face is rapidly evolving and is the most sophisticated it has ever been.” Meanwhile, as the document adds, government is looking to digitalise; only, ‘increasing digitisation exposes us to increasing levels of cyber and digital resilience risk’.
Hence the ‘Action Plan’, which seeks to define how the UK will secure public services so they are trustworthy and resilient. The document admits that the ‘challenge is significant, and cyber risk to the public sector is currently critically high’. The document covers ‘cultural change’, accountability, the nature of the risk, and ‘how scaled cyber services will be developed, delivered, and accessed’.
Malicious and not
The threats can be a malicious cyber attack or a non-malicious outage (such as CrowdStrike in 2024), and ‘the impacts are immediate and profound’. The document gives the example of the 2024 cyber attack on the NHS supplier Synnovis, ‘which halted blood testing and forced the cancellation of surgeries across London’; and the British Library ransomware attack of autumn 2023. Some 28 per cent of the government technology estate is estimated to be legacy technology, ‘and therefore highly vulnerable to attack’. A target set in 2022, for all government organisations to be resilient to known vulnerabilities and attack methods, is not achievable by the original target date of 2030, the document admits.
Lessons learned?
According to the document, it ‘sets out how the whole of government will operate differently to manage the cyber security and resilience threat we face, enabled by a strong, active centre in the Government Cyber Unit’, to be based within DSIT and ‘backed by over £210m’. That will ‘work with government organisations to build and maintain an understanding of their service needs according to the risks they manage’. Given resource limitations, the unit will have to prioritise, the document admits. It also admits that ‘lessons learned’ rarely happens, ‘and the lessons identified during incidents are often not fully recognised let alone exploited’.
Skills
As for skills, the plan admits that ‘the demand for cyber security and resilience understanding and skills across government is growing faster than the supply of available talent. Leaders, functional professionals, and the wider workforce lack understanding of cyber risks and business impact’. As for how to recruit and then retain cyber people (who can earn more working in the private sector), the plan promises a ‘Government Cyber Profession’ and a ‘competitive total employee offer’.
Four objectives
The plan sets out four objectives: ‘better visibility of cyber security and resilience risk’; ‘identify and assess severe and complex risks across government, and invest in central levers and capability improvements to remediate’; improve the ‘capability to respond’; and ‘transform’ ‘resilience capabilities’. For the plan, visit https://www.gov.uk/government/publications/government-cyber-action-plan/government-cyber-action-plan.
Comments
Katie Barnett, Director of Cyber Security at the consultancy Toro Solutions, welcomed the plan, saying it reflects the issues set out in the State of Digital Government Review, particularly fragmentation, legacy technology, and the impact of outages on public services. She said: “Stronger coordination across government is the right direction. The review makes clear that resilience risks do not sit neatly within individual systems or organisations and need to be addressed in a more joined up way.
“From our experience, resilience improves when cyber security, operational resilience and incident response are treated as a single capability, centred on protecting critical services rather than meeting isolated compliance requirements. That matters even more in an environment shaped by legacy systems and shared dependencies. Testing is where this becomes real. Many of the failures described point to plans that look sound on paper but are rarely exercised in realistic conditions. Regular testing of incidents, recovery and dependencies is what exposes weaknesses and builds confidence.
“Leadership plays a big role. Where responsibility for security and resilience is clear and visible at senior level, progress tends to be quicker and more durable. Where ownership is split or pushed too far down the organisation, risk builds over time. Overall, Toro supports the direction of the plan. Whether it delivers will come down to how far convergence, testing and accountability are built into everyday operations, not just central policy.”
Trevor Dearing, Director of Critical Infrastructure at Illumio said it was encouraging to see increased investment across government and the public sector, especially the focus on resilience, visibility, and reducing risk through the new cyber unit. He said: “That’s critical because chaos is now driving most attacks, and we’re seeing more organisations forced to shut down operations as a result.
“But £210m is nowhere near enough to address the scale of the problem. And while the plans centre on government and digital services, they overlook the private organisations that manage much of our critical infrastructure. If we want real progress, response teams need to cover both public and private sectors.
“Also, investment alone won’t fix the problem. The public sector continues to lag behind the private sector in attracting cyber talent. To build effective teams, it must compete on salaries and benefits and ensure strong coordination and clear accountability across agencies to defend against increasingly sophisticated threats.”
Ric Derbyshire, Principal Security Researcher at Orange Cyberdefense, welcomed the cyber unit. He said: “Central coordination and sustained funding have often been fragmented or short-lived in the past, so it’s encouraging to see both called out explicitly. Coming alongside the Cyber Security and Resilience Bill, this is a necessary companion. As expectations are raised across critical sectors and supply chains, it’s right that government also focuses on addressing its own cyber security challenges and getting a better grip on systemic risk, rather than only pushing requirements outward, which is genuinely positive to see.
“That timing also matters in the current geopolitical climate. Cyber-attacks against public services are an obvious vector in hybrid warfare, where disrupting service delivery can undermine societal trust and cohesion. Early days, and delivery will matter more than structure, but this looks like a constructive step for government and a useful signal for the wider cyber community.”
And John Smith, EMEA CTO at Veracode, described the plan as a signal that securing public sector digital services is finally being taken seriously. He said: “With a central Government Cyber Unit and Software Security Ambassador Scheme now in place to drive consistent security standards across departments and suppliers, an important step forward has been taken towards addressing the fragmentation that has long hampered resilience.
“But, ambition must meet delivery: 79 per cent of public services applications have at least one security flaw, leaving the sector more vulnerable than most. As digital transformation accelerates and emerging technologies like AI become more prevalent, securing code from the ground up is no longer optional—it’s essential. This means embedding security into every stage of the software development lifecycle to protect critical infrastructure and maintain public trust in online services. Collaboration between government, industry, and the security community is vital to the success of these initiatives.
“By working together to adopt secure coding practices and address vulnerabilities proactively, we can ensure that these measures deliver meaningful, long-term improvements to the UK’s cyber resilience.”