

    Report found government resilience to be ‘substantially lower than the Cabinet Office expected,’ with departments having multiple failures.

    Government IT defences have not kept up to speed with the rapidly evolving cyber threats posed by criminals and hostile state actors, a group of MPs has warned.

    In its report on cyber resilience published on Friday, the Public Accounts Committee (PAC) said that the government has underestimated the severity of cyber threats and that its current ability to respond to them is not good enough, compromising its ability to recover effectively from an attack.

    It added that it found government resilience to be “substantially lower than the Cabinet Office expected,” with departments having “multiple fundamental control failures, including risk management and response planning.”

    The report also detailed that a number of the public sector’s IT systems are classed as “legacy,” meaning they are comprised of ageing and outdated systems, with 28 percent of the public sector’s IT estate fitting into this category.

    The Department for Science, Innovation, and Technology (DSIT) told the committee that a total of 28 public sector organisations had assessed that they had 319 legacy systems, of which 25 percent were categorised as “red” because there was a “high likelihood” and impact of security risks occurring.

    When asked how many systems across the whole of government were legacy, DSIT told PAC it did not know, and that 15 percent of the bodies it had spoken to also did not know what the state of legacy IT was in their own systems.

    ‘Technology Race’

    The report cited recent major cyber attacks which had come at considerable cost or had caused major disruptions. These included the October 2023 attack on the British Library—which to date has cost around £7 million to recover from—and the June 2024 attack on NHS services supplier Synnovis, which resulted in the postponement of 10,000 appointments.

    Authors wrote that the UK is now part of an accelerating “technology race,” where new technologies like AI pose both a risk and a solution to cyber security.

    “Government will need to keep updating its plans in response to this ever-changing threat and technology landscape. However, government has not been as alive to the cyber threat as it should have been. As the Cabinet Office acknowledges, there is now a significant gap between the threat and government’s response to it,” the report said.

    Sir Geoffrey Clifton-Brown, chairman of the committee, said that the findings of the report have served to confirm “that our battlements are crumbling.”

    “If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required.

    “This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation,” Clifton-Brown said.

    Salaries Not High Enough

    The PAC also noted that the government was finding it difficult to compete with the private sector to recruit and retain the best talent in cyber security, in part “because it has not been willing to pay market-rate salaries.”

    The committee said that if departments did pay competitive salaries, it would save money in the long run, compared with using expensive contractors to fill the gaps in permanent personnel.

    The report revealed that one in three cyber security roles in central government are either empty or are filled with contractors, with Clifton-Brown saying that the government will have to “grasp the nettle on offering competitive salaries for digital professionals.”

    Authors did acknowledge that there is set to be an increase in the amount that departments can pay cyber security professionals.

    A street sign giving directions to Parliament Street and Whitehall in London, on Jan. 22, 2022. (Yui Mok/PA Wire)


    In response to the report, a government spokesperson said: “Just this week, we announced action to boost our country’s cyber security, helping to grow the economy and create jobs through the Plan for Change. This includes backing for the rollout of cutting-edge CHERI technology which could prevent up to 70% of the most common cyber attacks.”

    The spokesperson added that last month it had unveiled details of the Cyber Security and Resilience Bill which will be introduced to Parliament later this year, “ensuring our critical national infrastructure and digital economy are better protected and less vulnerable to attack.”

    AI-Enhanced Hacking

    The report was published days after GCHQ’s National Cyber Security Centre (NCSC) warned that by 2027, AI tools will significantly increase the ability of malicious actors to find and exploit vulnerabilities in Britain’s systems.

    It said that in order to protect themselves, organisations must implement advanced strategies to counter AI-driven attacks, including continued monitoring and using AI-based defence systems.

    The NCSC said that malicious actors are very likely already using AI to enhance their existing tactics to penetrate systems, including through victim reconnaissance, vulnerability research, and malware generation.

    PA Media contributed to this report.


