Cyber threat to UK government is severe and advancing quickly, spending watchdog finds

Wednesday, 29 January 2025 00:01

The cyber threat to UK government is severe and advancing quickly; government must act now1 to protect its own operations and key public services, according to a new report published by the public spending watchdog. The National Audit Office (NAO) evaluated2 whether government was keeping pace with the rapidly evolving cyber threat it faces from hostile actors. It identified that the government's new cyber assurance scheme, GovAssure, which independently assessed 58...Request free trial

The cyber threat to UK government is severe and advancing quickly; government must act now¹ to protect its own operations and key public services, according to a new report published by the public spending watchdog.

The National Audit Office (NAO) evaluated² whether government was keeping pace with the rapidly evolving cyber threat it faces from hostile actors.

It identified that the government's new cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments.

At least 228 ‘legacy' IT systems³ were in use by departments as of March 2024, and the government does not know how vulnerable these systems are to a cyber attack.

If successful, cyber attacks⁴ can have devastating effects on government organisations, public services, and people's lives. In June 2024, a cyber attack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. The British Library, which experienced a cyber attack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery work.

Successive governments have been working for at least a decade to build the UK's cyber resilience, including publishing a strategy for improving government organisations' cyber security in January 2022. This strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”. But government has not improved its cyber resilience fast enough to meet this aim.

One reason for this is shortages of cyber skills within government. In 2023-24:

one in three cyber security roles in government were vacant or filled by temporary staff (contingent labour);
more than 50% of cyber roles in several departments were vacant; and
70% of specialist security architects in post were temporary staff.

Departments reported that the salaries they can pay and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.

Other concerns include a lack of coordination within government jeopardising effective cyber defence. The respective roles of departments and organisations at the centre, such as the NCSC, are insufficiently understood. Departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals⁵.

Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government's legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber attack. Under-investment in technology and cyber was a key factor in the British Library cyber incident.

The NAO is urging the government to act now to build its cyber capabilities and defences. It recommends government:

Within the next six months:
- develops, shares and starts using a cross-government implementation plan for the Government Cyber Security Strategy.
- sets out how the whole of government needs to operate differently, and what is needed for this transformation to be effective, so that it can achieve its goals for government cyber security and resilience.
Within the next year:
- make and enact plans to fill cyber skills gaps in workforces.

Gareth Davies, head of the NAO said:

“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government's work to address this has been slow.

“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.

“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”

Notes to editors

We have undertaken this report at this time because the government: has assessed that the cyber threat is rapidly increasing; has started collecting detailed and reliable data on its cyber resilience in 2024; and planned to achieve key parts of the Strategy by 2025. This report focuses on the cyber resilience of the ministerial and non-ministerial departments and their arm's-length bodies (which we refer to in this report as ‘departments'). This report does not cover the cyber resilience of local government, public corporations, businesses or UK society more widely. This report focuses on the cyber resilience of IT systems at the ‘official' level of security classification and not systems classified as ‘secret' or above.
This report examines whether the government's efforts to improve its cyber resilience are keeping pace with the cyber threat it faces. The report aims to: hold government to account for its performance; increase transparency about how cyber resilient government is; and help government improve its cyber resilience. To do this, we examined:

- the threat to government cyber security;
- progress with implementing the Government Cyber Security Strategy;
- the government's cyber resilience position in 2024; and
- the challenges for departments in building cyber resilience.

Legacy systems are often more vulnerable to cyber attack because: their creators no longer update or support their use; few people have the skills to maintain them; and they have known vulnerabilities. The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running. Risks to public services posed by legacy technology have built up over many years.
Between September 2020 and August 2021, around 40% (around 310) of the 777 incidents managed by the NCSC because of their potential severity, were aimed at public sector organisations, including central and local government; emergency and health services; and law enforcement. The NCSC assessed that 89 of the 430 incidents it managed because of their potential severity, between September 2023 and August 2024, were “nationally significant”. Cyber attacks can affect every aspect of an organisation's operation and recovery is often lengthy and costly.
In April 2024, the Government Security Group (GSG) recommended to ministers that departments strengthen their accountability for cyber risk through improved reporting and risk management. In 2024, GovAssure data showed that departments were not meeting their responsibility to be cyber resilient. Additionally, the government did not have sufficient oversight of the cyber resilience of the wider public sector, which lead government departments are responsible for. In April 2024, GSG reported that departments cited insufficient funding, number of staff, and oversight mechanisms as barriers to understanding and improving cyber resilience across the bodies they oversee. Some departments have been reluctant to share information about their cyber incidents with other parts of government, which has limited the opportunities for other organisations to learn and improve their own cyber resilience.