“The need for the government to improve its cyber resilience is becoming more urgent in an increasingly digital world.” That’s according to a report by the public spending watchdog the National Audit Office (NAO).
The NAO identified that the government’s new cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments.
‘Legacy’ IT
At least 228 ‘legacy’ IT systems were in use by departments as of March 2024, and UK Government does not know how vulnerable these systems are to a cyber attack. Gareth Davies, head of the NAO said: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.
“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”
Attacks
The auditors noted that if successful, cyber attacks can have devastating effects on government, public services, and people’s lives. In June 2024, a cyber attack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. The British Library, which experienced a cyber attack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery work. UK Government has been working for at least a decade on the UK’s cyber resilience, according to the report, including publishing a strategy for improving Government organisations’ cyber security in January 2022. This strategy included a target for key government arms to be “significantly hardened to cyber attack by 2025”. But UK Government has not improved its cyber resilience fast enough to meet this aim, the audit found.
Shortages
One reason is shortages of cyber skills within UK Government. In 2023-24, according to the NAO: one in three cyber security roles in government were vacant or filled by temporary staff; more than half of cyber roles in several departments were vacant; and most, 70 per cent of specialist security architects in post were temporary staff.
Departments reported that the salaries they can pay and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.
Other concerns include a lack of coordination jeopardising cyber defence. The respective roles of departments and organisations at the centre, such as the National Cyber Security Centre (NCSC), are not well enough understood. Departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals, the report said.
Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets (53 per cent, or 120 out of 228), leaving these systems increasingly vulnerable to cyber attack. Under-investment in technology and cyber was a key factor in the British Library cyber incident, the NAO noted.
Legacy systems are often more vulnerable to cyber attack because: their creators no longer update or support their use; few people have the skills to maintain them; and they have known vulnerabilities. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to public services posed by legacy technology have built up. The NCSC assessed that 89 of the 430 incidents it managed because of their potential severity, between September 2023 and August 2024, were “nationally significant”.
For the 50-page report in full, visit https://www.nao.org.uk/reports/government-cyber-resilience/.
Comments
Jake Moore, Global Cybersecurity Advisor, at the anti-virus software firm ESET, said: “The UK government’s struggle to attract and retain infosec professionals is not just a workforce or financial challenge, it’s a serious risk to national cybersecurity. With a large number of cybersecurity roles unfilled and a heavy reliance on contractors, the Government is struggling to build its defence against growing threats in the country. Salary differences between private and public sector contribute to stand out but this also shines a light on the fact Whitehall needs to modernise its approach to cybersecurity and holding onto valuable human expertise.
“At a time when cyber resilience has never been so critical, making sure that the public sector can compete to employ the right people should be a top priority.”
And Dominic Trott, Director of Strategy and Alliances at Orange Cyberdefense UK, said the findings highlight the importance of adopting a cyber resilience mindset. “This is important because cyber resilience aims to maximise uptime and availability, let alone mitigate the threat to life and the economy that an attack on critical national infrastructure (CNI) represents.
“We know that threat actors, many state-sponsored, are increasingly using new sophisticated tools, including generative AI, to attack operational technology and cause as much disruption as possible. These findings should be a wake-up call that our national security posture is not keeping pace with these new threats.
“Cyberattacks continue to gather momentum, becoming more comprehensive and sophisticated. Therefore the institutions, whether governmental or otherwise, must ensure they understand the evolving ecosystem of cyber extortion incidents and how to alleviate the risk. Government organisations must implement intelligent and agile security measures to diminish the risk of a successful attack.
“It is imperative that government departments develop well-defined incident response plans, should the worst happen, to ensure a continuation of services. To build readiness for cyber resilience into the UK’s public sector and CNI, there needs to be investment into areas such as comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance.”
