Defra’s IT legacy challenge

by Mark Rowe

At the Department for Environment, Food and Rural Affairs (Defra), years of low investment in technology have resulted in a serious risk of critical service failure or cyber-attack, according to a report by the official auditors the NAO (National Audit Office).

In July 2021 the NAO identified IT legacy systems as one of six key areas of concern across government, stating that digital programmes have shown “a consistent pattern of underperformance” over 25 years, that central government departments typically do not have a good understanding of their IT estate, and that legacy systems are often poorly understood because of their age. The report, on the theme of ‘value for money’, also spoke of inconvenience for service users and extra staff and maintenance costs due to old (‘legacy’) IT.

Head of the NAO Gareth Davies said: “Government continues to rely on many outdated IT systems at significant cost. Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way. The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively.”

As in most government departments, some of the greatest risks to the services Defra provides arise from legacy systems and technology, the report found. Major security incidents and risks to business resilience are the two top risks on Defra’s corporate risk register, according to the report. “Defra has been trying to deal with its legacy issues for more than a decade, but it was not until the 2021 Spending Review that it had the funding to start to tackle the problem,” the report said.

Defra estimates it needs ten years for the full transformation of its business applications; meanwhile only one third of its customer transactional services, 34 of 101, are fully online. Similarly, of Defra’s 21 million customer transactions each year, only around one-third are fully digital (not requiring paper forms). Defra has many duplicated and overlapping applications, with versions of products that perform the same or similar functions, the audit found. Many of these applications were built using software that is now outdated, and 30pc of them are unsupported, the report said.

Defra has so far escaped a major cyber incident, but there are many examples across UK Government of attacks with serious consequences, the report noted. In 2017, the NHS was attacked by the global ransomware WannaCry; at least 80 out of 236 trusts across England were affected, and hundreds more healthcare bodies, due to legacy IT; that is, unsupported Windows operating systems.

Yet Defra has found it hard to develop and maintain long-term plans for tackling legacy IT, because IT budgets are often cut to meet other departmental priorities, the report added. Agreed funding for Defra’s IT to 2025 is enough, according to Defra, ‘to resolve some major operational and cyber risks and automation, but not enough to fund a broader digital transformation of all legacy services or reduce cyber security and resilience risks to an acceptable level’, the report said.

As for the UK-wide digital skills shortage, Defra finds it hard to recruit and retain digital talent; in part because government departments cannot match private sector pay.

You can download the report from the NAO website.

Photo by Mark Rowe; fishing vessels, Fraserburgh, Scotland, summer morning.
