A new report by the Public Accounts Committee (PAC) warns that government defences have not kept up with the “severe and rapidly evolving cyber threat.”
The PAC is warning that hostile states and criminals have developed their capability to disrupt public services and critical national infrastructure faster than government expected.

Alarmingly, the government estimates that legacy IT systems make up 28 percent of the public sector’s IT estate, and substantial gaps still remain in its understanding of the estate’s resilience to attack. By January 2025, 319 legacy systems had been identified as in use across government, with around 25 percent of them ‘red’-rated as having a high likelihood and impact of risks occurring; but government does not know how many legacy systems there are in total.
The Cabinet Office, which is responsible for leading on implementing the government’s cybersecurity strategy, acknowledged to the PAC’s inquiry that there is now a significant gap between cyber threat and government’s response to it.
It also stressed the importance of resilience, so that even if government does not detect an incident it is still able to respond and recover effectively. Government’s current cyber resilience levels are not good enough to do this, according to the Cabinet Office.
The report finds that Departments have underestimated the severity of the threat, having not until recently been given a clear picture of it and what they should do about it by the Cabinet Office. Funding and prioritisation decisions in Departments have not reflected the urgency of the issue.
The resilience of Departments’ critical IT systems is now independently verified, but the PAC warns that this verification has shown their cyber resilience to be lower than expected, with fundamental weaknesses.
“Government’s work to date has not been sufficient to meet its own aim of ‘critical functions [being] significantly hardened to cyberattack by 2025.’ The very ambitious aim for the whole of government and wider public sector to be ‘resilient to known vulnerabilities and attack methods no later than 2030’ is only achievable with a fundamentally different approach in future,” it noted.
Sir Geoffrey Clifton-Brown MP, Chair of the Committee, said: “If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.
“Part of this will be government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms. For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere. Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our Committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”





