Spending watchdog blasts UK govt over sloth-like progress to shore up IT defenses

Think government cybersecurity is bad? Guess again. It’s alarmingly so

The UK government is significantly behind on its 2022 target to harden systems against cyberattacks by 2025, with a new report from the spending watchdog suggesting it may not achieve this goal even by 2030.

As part of the Government Cyber Strategy 2022, the UK government pledged to have its critical functions markedly more resilient to attacks by, well, this year. However, the National Audit Office (NAO) said today that meeting those targets even by 2030 would be "ambitious."

The same January 2022 pledge also set a 2030 aim: improving resilience across the wider public sector to known vulnerabilities and prevalent attack methods. That aim, like the lesser 2025 one before it, is also delayed.

The report from the NAO's comptroller and auditor general notes that the cyber threat to the UK government is "severe and advancing quickly" – a fact of which parliament is aware. 

However, the state of security across government remains a sorry one, according to the report, which focused only on the cyber resilience of ministerial and non-ministerial departments' IT systems, and those of their arm's-length bodies, with "official" security classification. "Secret" classifications and above are not in scope here.

For the uninitiated, examples of the 24 ministerial departments include the Ministry of Defence and the Cabinet Office, both led by ministers. Non-ministerial departments, like the Crown Prosecution Service and HM Revenue & Customs, are led by civil servants.

The in-scope governmental departments were assessed by the Government Security Group's (GSG) GovAssure scheme. GSG then gathered this data and sent it off to independent reviewers – a change of pace from previous years that saw bodies assess their own cyber resilience.

Of the 72 IT systems deemed critical to running the government's most important services, 58 were independently reviewed. GovAssure data found "significant gaps" in departments' cyber resilience, such as "multiple fundamental system controls that were at low levels of maturity."

Examples from the report included asset management, protective monitoring, and response planning. These are all considered fundamental aspects of cyber resilience that need substantial improvement to meet the government's earlier targets. The findings led GSG to advise ministers that the risk to government cybersecurity is "extremely high."

Also assisting in the data collection was the government's Central Digital and Data Office (CDDO), which by March 2024 identified at least 228 legacy IT systems across the in-scope government departments. It's believed this number is likely higher, however.

Of these, 28 percent (63) were red-rated, meaning they presented a high likelihood of operational and security risks occurring. The other 72 percent were not red-rated but still presented a risk, the report stated.

The NAO said the government still lacks a thorough understanding of just how vulnerable these 228 legacy systems are to a cyberattack. The CDDO collected its data using a framework different from GovAssure's, one based on seven criteria that covered cybersecurity only in part and was broader in scope than cyber alone. The data suggested that vulnerabilities exist in those systems, but they weren't detailed.

GovAssure's method of data collection was not used, and a more uniform set of conclusions was therefore not drawn, because the GSG's recommended system controls wouldn't apply to systems as old as the ones in question, so they weren't included in the GovAssure assessment.


This means that there remains an incomplete understanding of the cybersecurity risks presented by these myriad legacy systems and how well in-scope departments have managed the risks. The NAO wasn't made aware of basic matters such as whether these aging systems were isolated from other areas of the network or whether vulnerability assessments were carried out on them.

Just as a reminder, the UK government said back in 2019 that it was spending nearly half of its £4.7 billion ($5.8 billion) IT budget to keep these legacy systems running. Six years later, it does not know how much of a risk they present to the overall cybersecurity of government.

"We have seen too often the devastating impact of cyber-attacks on our public services and people's lives," said Geoffrey Clifton-Brown, MP and chair of the Public Accounts Committee.

"Despite the rapidly evolving cyber threat, government's response has not kept pace. Poor coordination across government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed. 

"Today's NAO report must serve as a stark wake-up call to government to get on top of this most pernicious threat."

Mind the (skills) gap

Despite the glaring technical issues residing in the government's most critical systems, the NAO determined that the government's inability to attract the top talent for tech roles, or any talent at all in a lot of cases, was the leading risk to building cyber resilience.

Among the key findings here were that one in three government cyber roles were either left unfilled or being carried out by temporary staff, who cost at least twice as much as salaried civil servants.

Reliance on temporary staff is a common theme, especially in the more experienced or specialist roles, with up to 70 percent of security architect posts filled by temps.

Several in-scope departments also reported more than half of their cybersecurity positions remaining vacant, preventing the overall function from performing effectively.

The NAO noted that the cybersecurity skills gap is one experienced by many organizations, not just the UK government, whose departments acknowledge that their respective spending powers limit their ability to fill vacant posts.

The difference between the salaries on offer in the private sector compared to the public sector equivalents is in a lot of cases gulf-like, and the subject of much critique from the wider industry.

A quick glance at the Civil Service job ads currently open shows a series of managers and team leads with advertised salaries standing at fractions of those available in the private sector. Even heads of cybersecurity operations are being compensated as little as £68,568 ($85,330). Sure, the pension contributions are sizeable, but similar roles in the industry can easily net the right people six-figure sums.

State of play

As the NAO stated, the cyber risk to the UK is severe. Events of the past two years have starkly illustrated the intense and long-lasting disruption that attacks on public services can cause.

The British Library's incident is often cited as one such attack, and more recently the attack on Synnovis, which disrupted thousands of procedures and appointments at two NHS London hospitals, is arguably the most serious of modern times.

That's not to mention the hits on other NHS organizations, children's hospitals, transport networks, local councils, schools, and other critical infrastructure providers.

The NAO's report follows a similarly bleak one from the National Cyber Security Centre (NCSC) in December which warned the severity of the cyber threat facing the UK was widely underestimated.

In it, the NCSC said the number of maximum severity incidents tripled in 2024 compared to the previous year and the number of nationally significant incidents rose from 62 to 89, including an undisclosed number of attacks on government.


The NAO laid out a trio of recommendations to the UK government. In the next six months, it should develop, share, and start using a cross-government plan to implement the Cyber Security Strategy and also clearly define what transformations need to take place so it can achieve its long-term goals.

By this time next year, the NAO also said it would be a good idea to develop and execute plans to tackle the cyber skills gap.

"The risk of cyberattack is severe, and attacks on key public services are likely to happen regularly, yet government's work to address this has been slow," said Gareth Davies, head of the NAO.

"To avoid serious incidents, build resilience, and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.

"The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT." ®
