
UK Government cyber ‘battlements are crumbling’

by Mark Rowe

Cyber attackers are already disrupting public services, and will continue to do so without significant improvements to the UK Government’s resilience, warns the Public Accounts Committee (PAC), a committee of MPs, in a report on government cyber resilience.

The UK Government has not kept up with what the report termed ‘the severe and rapidly evolving cyber threat’ from hostile states and criminals. Besides the British Library cyber attack of 2023, the report cites the June 2024 cyber attack on Synnovis, a London supplier of NHS pathology services, and numerous ransomware attacks on councils.

Sir Geoffrey Clifton-Brown, a Conservative Cotswolds MP who chairs the committee, said: “Government departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyberattack is not some abstract event taking place in the digital sphere. The British Library cyberattack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.

“If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.

“Part of this will be government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms. For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere. Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”

According to the report, one in three cyber security roles in government remain either vacant or filled by ‘expensive’ contractors. The MPs found that ‘the centre of government does not know how many legacy IT systems exist in government and therefore cannot manage the associated cyber risks’. The Cabinet Office will not meet its target for government to be cyber resilient by the end of 2025, the MPs noted. The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk, the report said.

Comments

Graeme Stewart, head of public sector at Check Point Software, pointed to ‘three key issues’. “First, there’s a lack of political will to regulate and enforce cybersecurity standards. This was echoed at this week’s speeches at CyberUK, where officials spoke about encouraging companies to report breaches and improve resilience. But without meaningful regulation and enforcement, it’s just more talk. You can draw a parallel with construction sites in the ’50s and ’60s when deaths were common until regulation changed everything: no hard hat, no boots, no job. It was tough but effective. The same urgency is missing in cybersecurity. Breach fatigue has also set in with the public – another scam text, another phishing email – people are numb, and until we have a truly catastrophic “cyber earthquake,” there’s unlikely to be the public pressure needed to drive action.

“Second, we’re dealing with legislative lag. Technology is moving too fast for government to keep up. It’s like still having 1960s motorway speed limits in the era of self-driving cars; the pace of change has outstripped the pace of lawmaking. Finally, cyber threats are a constantly moving target. The actors, tactics, and scale of attacks are evolving all the time. Unless government rapidly adapts, it risks falling further behind; not just missing current targets but being completely unprepared for what’s coming in the next five years. It’s not hopeless, but without urgent and sustained action, it’s getting dangerously close.”

Dray Agha, senior manager of security operations at the platform Huntress, said the firm sees how legacy systems are routinely exploited. “The fact that the government doesn’t have a full inventory of these systems means attackers will always have a head start. You can’t defend what you can’t see, and what’s worse is that legacy technologies often cannot be secured to the same depth as modern technologies.

“The report confirms what threat responders have long known: cyber resilience isn’t just about strategy but speed and visibility. Without real-time telemetry and response capabilities across government systems, even the best policy won’t stop an attack in progress. Information Security – as a function of many organisations – can often overrotate and overemphasise the importance of paperwork and theory. Cyber security resilience must prioritise prevention, detection, response, and containment above all things, not checklists and audits.

“We routinely handle incidents stemming from third-party suppliers. It is clear that attackers don’t need to breach a department directly if they can walk in from a ‘trusted’ third party they have already compromised. The lack of consistent supplier assurance and monitoring leaves the government exposed to preventable compromises.

“The Cabinet Office’s acknowledgment that the 2025 target won’t be met should be a wake-up call. Our experience shows that every missed year is another year adversaries operate with impunity. Tactical response and managed detection need to be embedded and prioritised, not bolted on and kicked down the road.”
