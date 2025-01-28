
NAO: UK government cyber resilience weak in face of mounting threats
The National Audit Office has found UK government cyber resilience wanting, weakened by legacy IT and skills shortages, and facing mounting threats
The National Audit Office (NAO) has found the UK government’s cyber resilience to be significantly behind where it needs to be, in the face of mounting and more dangerous threats.
In its Government cyber resilience report, the public spending watchdog warned that the cyber threat to the UK government is “severe and advancing quickly”. It found that 58 critical government IT systems, assessed in 2024, had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 “legacy” IT systems are to cyber attack.
The report does not cover the cyber resilience of local government, the NHS, or the nation as a whole. Fieldwork for the report was conducted between May and October 2024, with NAO staff interviewing officials from the Cabinet Office about efforts to support government departments in the implementation of the Government Cyber Security Strategy: 2022-2030.
The strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”, but the government has not improved its cyber resilience fast enough to meet this aim, said the NAO.
The NAO also interviewed officials from the National Cyber Security Centre (NCSC) and the Central Digital and Data Office (CDDO), along with cyber security civil servants from government departments and the British Library.
The biggest risk to making the UK government resilient to cyber attack is a yawning skills gap, according to the report. It found one in three cyber security roles in government were vacant or filled by temporary – and more expensive – staff in 2023-24, while more than half of cyber roles in several departments were vacant, and 70% of specialist security architects were staff on temporary contracts.
The NAO said departments reported that salaries and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.
Other concerns include a lack of coordination within government, which is jeopardising effective cyber defence. The NAO found that the respective roles of departments and central organisations, such as the NCSC, are “insufficiently understood”, and that departmental leaders have not “consistently recognised the relevance of cyber risk to their strategic goals”.
The government must act now, urged the report’s authors.
Gareth Davies, head of the NAO, said: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.
“The government will continue to find it difficult to catch up until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”
Cyber resilience gaps
The NAO evaluated whether government is keeping pace with the rapidly evolving cyber threat it faces from hostile actors. It found that it is not.
The government’s cyber assurance scheme, GovAssure, which was set up in April 2023 to assess the critical systems of government organisations, had independently assessed 58 critical departmental IT systems by August 2024. Those assessments found significant gaps in cyber resilience, with multiple fundamental system controls at low levels of maturity across departments.
According to the NAO report, government departments were using at least 228 legacy IT systems as of March 2024, and the government does not know how vulnerable these systems are to cyber attack.
The report noted that in April 2024, the Cabinet Office Government Security Group (GSG) reported to ministers that some departments had significantly reduced their cyber security improvement programmes to fund other priorities. This was due to “cuts to programme funding, lack of access to cyber skills, challenges with delivery partners, and delays in departmental and cross-government approvals”.
As examples of how damaging cyber attacks can be, the NAO cited the attack in June 2024 on a supplier of pathology services to the NHS in south-east London, which led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. It also cited the British Library ransomware attack in October 2023, which has already cost the library £600,000 to rebuild its services. The library expects to spend many times more as it continues to recover.
The report also gave other examples of attacks on the Ministry of Defence and Parliament. In May 2024, the MoD’s payroll contractor’s network was compromised by an attacker – a network that held armed forces staff members’ data. Further back in time, in 2021, a Chinese state-affiliated attacker was, said the report, highly likely responsible for a cyber campaign against the parliamentary email accounts of members across both Houses of Parliament.
The report stated that in March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets – 53%, or 120 out of 228.
The NAO recommends that the government develop, share and start using a cross-government implementation plan for the Government Cyber Security Strategy within the next six months. It also suggests the whole of government needs to operate differently.
Within the next year, the government should make and enact plans to fill cyber skills gaps in workforces, said the NAO.
Of the technology trumpeted most by the current and previous government – artificial intelligence (AI) – the report said: “AI can improve government’s cyber security, but it can also help threat actors looking to interfere or undermine trust in our democratic system. The NCSC is collaborating with its partners to realise the benefits of AI and protect against the associated security risks.”
