Cyber threats: Government defences have been outpaced by hostile states and criminals
Government defences have not kept up with the severe and rapidly evolving cyber threat. In a report on cyber resilience, the Public Accounts Committee (PAC) is warning that hostile states and criminals have developed their capability to disrupt public services and critical national infrastructure faster than government expected. Alarmingly, the government estimates that risky 'legacy' IT systems make up 28% of the public sector's IT estate, and substantial gaps also still remain in its understanding of the estate's resilience to attack. By January 2025, 319 legacy systems had been identified as in use across government, 'red'-rating around 25% as having a high likelihood and impact of risks occurring; but government does not know how many legacy systems there are in total.

The Cabinet Office, which is responsible for leading on implementing the government's cyber security strategy, acknowledged to the PAC's inquiry that there is now a significant gap between cyber threat and government's response to it. It also stressed the importance of resilience, so that even if government does not detect an incident it is still able to respond and recover effectively. Government's current cyber resilience levels are not good enough to do this, according to the Cabinet Office.

The report finds that government's cyber resilience is far from where it needs to be as Departments have underestimated the severity of the threat, having not until recently been given a clear picture of it and what they should do about it by the Cabinet Office. Funding and prioritisation decisions in Departments have not reflected the urgency of the issue. The resilience of Departments' critical IT systems is now independently verified, in a positive move by the Cabinet Office – but the report warns this has shown that Departments' cyber resilience is lower than expected and has fundamental weaknesses.
Government's work to date has not been sufficient to meet its own aim of "critical functions [being] significantly hardened to cyberattack by 2025." The very ambitious aim for the whole of government and wider public sector to be "resilient to known vulnerabilities and attack methods no later than 2030" is only achievable with a fundamentally different approach in future.

Government finds it hard to compete with the private sector for the best talent in cyber security. This is in part because it has not been willing to pay market-rate salaries, which would save money over the longer term compared to using contractors, especially if it helps to reduce risk. While government has successfully expanded its digital profession to 23,000 people, or 6% of the total civil service, one in three cyber security roles in central government are vacant or filled by expensive contractors. Improvements could also be made in diversity in the cyber security community; only 20% of such professionals in government are women. The amount Departments can pay cyber security professionals is set to increase, and the Committee's report calls on the Cabinet Office to set out how many of the cyber vacancies in government its interventions will fill.

Sir Geoffrey Clifton-Brown MP, Chair of the Committee, said: "Government Departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyberattack is not some abstract event taking place in the digital sphere. The British Library cyberattack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people's lives.
"If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.

"Part of this will be government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms. For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere. Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our Committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country's infrastructure for defensive action to be taken."
PAC report conclusions and recommendations

Government has not kept up with the severe and rapidly evolving cyber threat. Government's adversaries, both hostile states and criminals, have developed their capability faster than government expected. Government is concerned by the growing intent of hostile states to disrupt public services and critical national infrastructure. Ransomware attacks by criminal groups are prolific and recovery from attacks is costly. For example, the British Library's response to its October 2023 attack has cost around £7 million so far. Cyber attacks have devastating effects on people's lives. In June 2024, the cyber attack on a supplier of NHS pathology services (Synnovis) in south-east London led to two NHS foundation trusts postponing over 10,000 appointments. The UK is part of an accelerating "technology race". New technologies, such as AI, are both a threat and an opportunity for cyber security. Government will need to keep updating its plans in response to this ever-changing threat and technology landscape. However, government has not been as alive to the cyber threat as it should have been. As the Cabinet Office acknowledges, there is now a significant gap between the threat and government's response to it.

Recommendation 1: In one year's time, the Cabinet Office should write to the Committee setting out their assessment of: how the cyber risk to government has continued to change; how government's approach has evolved in response; and the extent to which the gap between the cyber threat and government's cyber resilience has grown or reduced.

There is a longstanding shortage in government of the experienced, technical cyber skills required. Skilled cyber security professionals are scarce and in high demand nationally and globally.
As this Committee has frequently reported over the years, government finds it hard to compete with the private sector for the best talent, in part because it has not been willing to pay market-rate salaries. The Cabinet Office reports that government has successfully expanded its digital, data and technology profession to 23,000 people, which represents 6% of the total civil service, and it wants to further expand this to 10%. However, significant vacancies remain, particularly for expert cyber skills. Right now, one in three cyber security roles in central government are vacant or filled by expensive contractors. In addition, civil service recruitment processes, which can take up to nine months, are not quick enough. The Cabinet Office and DSIT are intervening to address these issues, including by increasing the amount departments can pay cyber professionals. If government paid higher, market-rate salaries, it would save money over the longer term compared to using contractors, especially if it helps to reduce risk. The Cabinet Office noted it could do better at improving diversity in government's cyber security community. Only 20% of cyber security professionals in government are women.

Recommendation 2: Following the conclusion of the 2025 Spending Review, the Cabinet Office should set out: how many of the estimated cyber vacancies in government that its central interventions will fill; and how it will support departments' plans to fill the remaining gaps in their workforces.

Departments have not done enough to prioritise cyber security, meaning that government's cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not given departments a clear picture of the cyber threat and what they should do about it.
Departments have underestimated the severity of the threat, and their funding and prioritisation decisions have not reflected the urgency of the issue. All departments must ensure their senior management and decision-making boards include senior and expert digital and security leaders. The Cabinet Office has mandated that its own board has at least one digital expert and it now expects all other departments to do the same. The British Library has set a good example by sharing the lessons it learned from the ransomware attack it suffered. However, there is not a good enough culture across government whereby departments openly share learning and information from cyber incidents with each other. The Cabinet Office assured us that the new Government Cyber Coordination Centre is increasing the flow of data across government and helping it to better 'defend as one'.

Recommendation 3: The Cabinet Office should set out how it is supporting accounting officers to: improve accountability by appointing an appropriately experienced and expert Chief Information Officer and Chief Security Officer at senior management and board-level; include cyber resilience in departmental plans and activities; and create a strong cyber security culture in their organisations.

Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack. In July 2024, GovAssure's assessment of 72 critical IT systems across 35 organisations identified that government cyber resilience was substantially lower than the Cabinet Office expected. Departments had multiple fundamental control failures, including in risk management and response planning. The GovAssure scheme collects data about departments' 'critical' IT systems to assess their cyber resilience. This is a clear improvement compared with the previous reliance on departments' optimistic self-assessments, but government should have collected reliable data sooner.
We recognise the need to balance effort between assurance and frontline security, but there is also scope for GovAssure to assess more systems, faster. Separately, DSIT's understanding of Government's 'legacy' IT assets relies on self-assessments by departments. By January 2025, 28 public sector organisations had identified 319 legacy systems in use across government, rating around 25% as 'red' because there was a high likelihood and impact of risks occurring. However, DSIT does not know how many legacy systems there are in total. Departments need to make a more complete and reliable assessment of their legacy systems so that government can take informed decisions about funding, prioritisation and risk.

Recommendation 4: The Cabinet Office should set out: what proportion of critical and legacy IT systems it has assessed so far; the optimal scale and frequency of assessment activity needed; a deadline for when this will be achieved by; and how it will prevent departments from diverting funding away from this activity.

The scale and diversity of government's supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk. The Cabinet Office expects departments to understand and tackle the cyber risk to their arm's-length bodies and the wider public sector that they are responsible for. Departments should work closely with the Cabinet Office, in particular the Government Security Group, in assuring this risk as arm's-length bodies may be an entry point for cyber attackers. Departments have not always met this expectation because of insufficient funding, staff, and oversight mechanisms. Lessons can be learned from the Department of Health and Social Care, which has begun to improve the resilience of its sector by putting in place a cyber security strategy, strengthening assurance processes, investing in common services, and setting clear policies.
Departments also need to understand and manage the risks to security from their supply chains, which can be vulnerable to adversaries seeking to gain access to or disrupt government networks. The ransomware attack on Synnovis is an example of a supply chain attack that had serious consequences for individuals and disrupted services. The Cabinet Office says it is giving departments text to include in contracts so that suppliers put appropriate cyber security measures in place, and that it plans to work with strategic suppliers to help improve government's resilience.

Recommendation 5: The Cabinet Office should secure clear assurance from departments that they understand and are effectively managing the cyber risk from their arm's-length bodies and supply chains.

Government's work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office's focus on implementing its initiatives, such as GovAssure, has been at the expense of it coordinating a cross-government plan that challenges departments to meet their cyber resilience targets. The cyber risk to government is now extremely high and the Cabinet Office does not expect to meet its aim for "government's critical functions to be significantly hardened to cyber attack by 2025". Its aim for the whole of government and the wider public sector to be "resilient to known vulnerabilities and attack methods no later than 2030" is very ambitious. This is only achievable if government moves further and faster than it has before. The Cabinet Office assured us it is planning to take a fundamentally different approach for how it operates in future. It is reassuring that the Cabinet Office is learning from the experience of Australia, Canada and other international governments as it designs its new approach to improving government's cyber security and resilience.
We would welcome the greater transparency on public sector resilience levels that the Australian Government has used successfully to improve accountability.

Recommendation 6: Following the conclusion of the 2025 Spending Review, the Cabinet Office should set out what levers and instruments the centre of government will use to take a fundamentally different approach to cyber resilience.