The Cabinet Office is behind schedule in meeting the UK government’s “cyber resilient” goal by the end of 2025. A report from the Public Accounts Committee (PAC) highlights the need for better support and accountability among government departments.
The report, released on May 9, 2025, offers a mixed review. It acknowledges the Cabinet Office for verifying the resilience of critical IT systems. However, it points out that many systems show serious weaknesses. A July 2024 assessment of 72 critical systems across 35 departments uncovered significant gaps in cyber resilience, particularly in risk management and incident response. The PAC criticized the slow progress and the over-reliance on self-assessment to identify vulnerable legacy assets. They found it troubling that risky legacy systems, estimated to make up 28% of the public sector’s IT landscape, haven’t undergone independent checks.
PAC Chairman Geoffrey Clifton-Brown stated that while managing cyber risk in the public sector is tough due to its complexity, it’s unacceptable that the central government lacks knowledge about legacy IT systems.
Furthermore, government departments aren’t prioritizing cyber security adequately, compounded by unclear guidance from the Cabinet Office. Many organizations are underestimating the cyber threat, and decisions aren’t reflecting its urgency. The report stresses that security leaders need a seat at the decision-making table.
Looking ahead, it’s clear that the Cabinet Office won’t reach its target for cyber resilience by 2025. They acknowledge that achieving this for the wider public sector by 2030 will require a major shift in approach. The PAC believes the Cabinet Office is making progress and is interested in more transparency regarding cyber resilience efforts.
The report also criticizes the government for not offering competitive salaries to attract skilled cyber security professionals. While the digital workforce has grown to about 23,000, a third of cyber roles remain unfilled or are done by contractors. The report emphasizes the need for experienced leaders in senior roles across departments, noting that many still don’t fully grasp the severity of cyber threats.
Overall, the PAC found the government isn’t keeping pace with rising cyber threats, especially from foreign states and cybercriminals. Recent incidents, like the ransomware attack on the British Library and issues affecting NHS supplier Synnovis, illustrate this growing gap between threat levels and government response.
The report highlights concerns about risks in government supply chains, where a lack of resources and oversight can lead to serious fallout. This was evident in the Synnovis incident, which disrupted healthcare services and forced thousands of appointment cancellations.
The PAC urges the Cabinet Office to clarify its plans for addressing cyber resilience after the 2025 Spending Review. The National Cyber Security Centre recently warned that over the next two years, a divide may develop between organizations that can adapt to evolving cyber threats and those that cannot.