The National Audit Office (NAO) just dropped a report highlighting that the UK government’s cyber resilience is lagging, especially with threats on the rise. They’ve sounded the alarm: the cyber threat level is severe and evolving quickly. An assessment of 58 critical IT systems in 2024 showed major gaps in their defenses. To make matters worse, the government doesn’t even know how vulnerable at least 228 older IT systems are to potential attacks.
This report zooms in solely on the national government, leaving out local governments, the NHS, and the broader public context. The NAO conducted interviews from May to October 2024 with officials from the Cabinet Office, probing efforts around the Government Cyber Security Strategy for 2022-2030. This strategy aimed for key departments to be significantly hardened against cyber attacks by 2025. However, the NAO argues there’s been too little progress to meet that goal.
The skills shortage in the cybersecurity field poses the biggest risk. One-third of government cybersecurity roles were either vacant or filled by temporary staff during 2023-24. Certain departments had more than half their cybersecurity positions unfilled. About 70% of specialized security architects were on temporary contracts. Pay scales and slow civil service hiring processes make it tough to attract and retain talent.
Coordination is also a significant issue. The NAO noted that organizational roles aren’t clearly defined, leaving departments unclear on how cyber risks fit into their strategic priorities. The report’s authors are urging immediate action. Gareth Davies from the NAO emphasized that threats to public services will only grow more frequent if the government doesn’t step up its response.
Their findings stress that efforts to catch up with cyber threats will stall unless the skills shortage is addressed and accountability for cyber risk is clarified. The NAO also examined the government's assurance scheme, GovAssure, which flagged serious shortcomings across those 58 IT systems. Many basic security controls remain underdeveloped.
By March 2024, at least 228 legacy IT systems were still in use, with no solid plans to assess their vulnerability. In April 2024, budget cuts forced some departments to scale back on vital cybersecurity improvement initiatives, citing barriers like funding reductions and difficulties with delivery partners.
The report underscores real instances of cyber breaches. For example, a June 2024 attack on an NHS pathology services supplier resulted in over 10,000 postponed appointments. The British Library faced a ransomware attack a year prior, costing them around £600,000 to begin recovery, with total recovery costs expected to escalate.
Other government agencies weren’t spared either. A cyber incident in May 2024 compromised a payroll contractor’s network holding sensitive military data. Back in 2021, a state-affiliated attacker was likely responsible for targeting parliament email accounts. As of March 2024, nearly half of the government’s legacy IT assets still lacked solid remediation plans.
The NAO urges the government to quickly develop a cross-government implementation plan for the Cyber Security Strategy. There's also a call for a more unified approach across departments. Within the next year, filling those cybersecurity skill gaps should be a priority. Interestingly, while artificial intelligence (AI) could enhance cybersecurity efforts, it also presents new risks and could potentially be weaponized against democratic processes. The National Cyber Security Centre (NCSC) is working to capitalize on AI benefits while grappling with these emerging threats.