The threat of potentially devastating cyber-attacks against UK government departments is “severe and advancing quickly”, with dozens of critical IT systems vulnerable and significant attacks expected to occur regularly, ministers have been warned.
The National Audit Office (NAO) found that 58 critical government IT systems independently assessed in 2024 had “significant gaps in cyber-resilience”, and the government did not know how vulnerable at least 228 ageing and outdated “legacy” IT systems were to cyber-attack. The NAO did not name the systems for fear of helping attackers choose targets.
It assessed data held by the Cabinet Office and said the challenge of cyber-resilience in central government applied to a range of organisations, including, for example, HMRC and the Department for Work and Pensions.
The warning comes after two recent cyber-attacks, including one on the British Library by a criminal ransomware gang in 2023, which continues to limit the library’s services and whose recovery is costing well over the £600,000 the gang demanded.
In May 2024, it emerged that suspected Chinese hackers had gained access to part of the armed forces payment network. In the following month, an attack on two south-east London NHS foundation trusts led to the postponement of 10,000 outpatient appointments and 1,700 operations.
The NAO said senior civil servants had failed to grasp the importance of resilience to cyber-attack, with inadequate investment and staffing, and that the government was on course to fail in its aim to have “significantly hardened” its defence posture by 2025.
The assessment by the spending watchdog is the latest of several into UK resilience after the Covid-19 pandemic, with previous topics including flooding and extreme weather.
Last month, GCHQ’s National Cyber Security Centre warned of “a widening gap” between increasingly complex threats and the UK’s capability to defend critical national infrastructure.
It said ransomware attacks continued to pose the most immediate and disruptive threat, with China, Russia, Iran and North Korea named as key adversaries. Groups such as the Chinese state-sponsored threat actor Volt Typhoon, the Cyber Army of Russia Reborn and the Islamic State Hacking Division are all believed to pose a threat.
Sir Geoffrey Clifton-Brown, the Conservative MP and chair of the House of Commons public accounts committee, said: “Despite the rapidly evolving cyber-threat, government’s response has not kept pace.
“Poor coordination across government, a persistent shortage of cyber-skills and a dependence on outdated legacy IT systems are continuing to leave our public services exposed. Today’s NAO report must serve as a stark wake-up call to government to get on top of this most pernicious threat.”
A government spokesperson conceded that cyber-defences had been neglected by successive administrations, but said repairs had been under way since July with “new legislation to give us powers to protect critical national infrastructure from cyber-attacks, delivering 30 new regional cyber-skills projects to strengthen the country’s digital workforce, and merging digital teams into one central government digital service led by the Department for Science, Innovation and Technology”.
But the NAO reported that in April 2024 an investigation into those 58 critical IT systems resulted in ministers being warned the cyber-resilience risk to the government was “extremely high”.
It said the increasing digitisation of government services also meant it was becoming easier for malicious actors to “create disruption which can have a devastating impact on individuals, government organisations and public services”.
“The risk of cyber-attack is severe, and attacks on key public services are likely to happen regularly,” said Gareth Davies, the head of the NAO.
“Yet government’s work to address this has been slow. To avoid serious incidents, build resilience and protect the value-for-money of its operations, government must catch up with the acute cyber-threat it faces.
“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber-skills; strengthens accountability for cyber-risk; and better manages the risks posed by legacy IT.”
One in three cybersecurity roles in government were vacant or filled by temporary staff in 2023-24. Relatively low salaries in public sector roles and arduous civil service recruitment procedures were partly to blame, the NAO said.
Article by: Robert Booth, UK technology editor