The threat of cyberattack to the UK government is severe and advancing quickly, according to an investigation by the spending watchdog, the National Audit Office (NAO).
The NAO has evaluated whether government is keeping pace with the rapidly evolving cyber threat it faces from hostile actors. It identified that the government’s new cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments.
At least 228 ‘legacy’ IT systems were in use by departments as of March 2024, and the government does not know how vulnerable these systems are to a cyberattack.
In June 2024, a cyberattack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. The British Library, which experienced a cyberattack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery work.
Cyber skills gap, financial pressure, lack of coordination all affecting cyber resilience
The previous government published a strategy for improving government organisations’ cyber security in January 2022. This included a target for key government organisations to be “significantly hardened to cyberattack by 2025”. But government has not improved its cyber resilience fast enough to meet this aim, said the NAO.
One reason for this is shortages of cyber skills within government. In 2023-24, one in three cybersecurity roles in government were vacant or filled by temporary staff (contingent labour); more than 50 percent of cyber roles in several departments were vacant; and 70 percent of specialist security architects in post were temporary staff.
Departments reported that the salaries they can pay, and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.
If you liked this content…
MOJ investigates after Legal Aid Agency hit by data breach
The rising risk of insider threats to the public sector in the AI-era 
Government not equipped to deal with ‘big tech’ suppliers – report
Ministers consider ban on ransomware payments for UK public bodies
Cybercriminals hope to catch public sector off-guard
Other concerns include a lack of coordination within government jeopardising effective cyber defence. The respective roles of departments and organisations at the centre, such as the NCSC, are insufficiently understood. Departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals, said the NAO.
Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets (53 percent, or 120 out of 228), leaving these systems increasingly vulnerable to cyberattack. Under-investment in technology and cyber was a key factor in the British Library cyber incident.
Recommendations to government
The NAO is urging the government to act now to build its cyber capabilities and defences. It recommends government, within the next six months:
- Develops, shares and starts using a cross-government implementation plan for the Government Cyber Security Strategy.
- Sets out how the whole of government needs to operate differently, and what is needed for this transformation to be effective, so that it can achieve its goals for government cyber security and resilience.
Within the next year:
- Make and enact plans to fill cyber skills gaps in workforces.
“The risk of cyberattack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow,” said Gareth Davies, head of the NAO.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.
“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”
