Hostile states and criminals have developed capability to disrupt public services and critical national infrastructure faster than expected
The government’s cyber defences have failed to keep up with severe and fast-evolving threats posed by hostile states and criminals. That’s the conclusion of a new report by the Public Accounts Committee (PAC), a parliamentary body that has been hearing from experts.
The report is timely given recent, high-profile cyber attacks on well-known retailers in the UK including Marks & Spencer and Co-op. Other targets have included hospital IT systems and even the British Library.
Within public sector systems in particular, the report highlights the government’s own estimate that outdated, ‘legacy’ systems, which are especially prone to attack, account for 28% of the total public sector IT estate. What’s more, ‘substantial gaps’ remain in understanding the resilience of that estate.
In January this year, 319 such legacy systems had been identified as in use across government, some 25% of them rated ‘red’, meaning they had a high likelihood and impact of risks occurring. However, the government still does not know how many legacy systems there are in total.
The Cabinet Office takes the lead in implementing the government’s cyber security strategy but admitted to the PAC inquiry that there is a significant discrepancy between the threat posed to systems and the government’s response.
There is also inadequate ‘cyber resilience’ across government, meaning the ability to respond to and recover from attacks. In fact, the report says government departments have underestimated the severity of threats, in part because the Cabinet Office has not made the risks clear. A lack of urgency around the issue is also noted in such matters as funding and the way decisions are prioritised within departments.
- Read the PAC report in full: Government cyber resilience – 24th Report of Session 2024–25
The report notes some positives – such as the fact that the resilience of critical IT systems of government departments is now independently verified – and digs into some reasons why things are in such a parlous state. One key issue is that the government struggles to compete with the private sector for the best talent in the cyber security world. While some 5% of the total civil service, or 23,000 people, currently work in digital, a third of all cyber security roles across government are currently vacant and/or filled by outside contractors.
Among the recommendations made in the report is greater diversity in the cyber security workforce. Women currently comprise just 20% of such staff in government, for example. The report also recommends an increase in what such workers are paid.
Sir Geoffrey Clifton-Brown MP, Chair of the Public Accounts Committee, says: ‘Government departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience.
‘Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyber attack is not some abstract event taking place in the digital sphere. The British Library cyber attack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.
‘If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.’