
Government's Cyber Resilience Failings Detailed, Recommendations to Improve

A change in thinking throughout the civil service for greater threat awareness and digital transformation


Hostile states and criminals have developed their capability to disrupt public services and critical national infrastructure faster than government expected.

The most recent Government Cyber Security Strategy: 2022 to 2030 stated that government’s critical functions should be significantly hardened to cyber-attack by 2025, “with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”

However, according to a new report on cyber resilience by the Public Accounts Committee (PAC), risky 'legacy' IT systems make up 28 percent of the public sector's IT estate, and by January 2025, 319 legacy systems had been identified as in use across government.

Recommendations

The report sets out six conclusions and recommendations on where government has fallen short in the past few years, and continues to do so:

1. Government has not kept up with the severe and rapidly evolving cyber threat - In one year’s time, the Cabinet Office should write to the Committee setting out their assessment of: how the cyber risk to government has continued to change; how government’s approach has evolved in response; and the extent to which the gap between the cyber threat and government’s cyber resilience has grown or reduced.

2. There is a longstanding shortage in government of the experienced, technical cyber skills required - Following the conclusion of the 2025 Spending Review, the Cabinet Office should set out: how many of the estimated cyber vacancies in government that its central interventions will fill; and how it will support departments’ plans to fill the remaining gaps in their workforces.

3. Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be - The Cabinet Office should set out how it is supporting accounting officers to: improve accountability by appointing an appropriately experienced and expert chief information officer and chief security officer at senior management and board level; include cyber resilience in departmental plans and activities; and create a strong cyber security culture in their organisations.

4. Government still has substantial gaps in its understanding of how resilient its IT estate is to cyber attack - The Cabinet Office should set out: what proportion of critical and legacy IT systems it has assessed so far; the optimal scale and frequency of assessment activity needed; a deadline for when this will be achieved by; and how it will prevent departments from diverting funding away from this activity.

5. The scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for the government to manage cyber risk - The Cabinet Office should secure clear assurance from departments that they understand and are effectively managing the cyber risk from their arm’s-length bodies and supply chains.

6. Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach - Following the conclusion of the 2025 Spending Review, the Cabinet Office should set out what levers and instruments the centre of government will use to take a fundamentally different approach to cyber resilience.

Underestimated Severity

The report also finds that the government's cyber resilience is far from where it needs to be, as departments have “underestimated the severity of the threat, having not until recently been given a clear picture of it and what they should do about it by the Cabinet Office.”

Sir Geoffrey Clifton-Brown MP, Chair of the Committee, said: “Government Departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience.

“Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyber-attack is not some abstract event taking place in the digital sphere.”

Step Change

Clifton-Brown went on to say that if the government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required.

“This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.”

Chris Dimitriadis, chief global strategy officer at ISACA, said it is encouraging to see the Government recognising the importance of cyber resilience in an era where we are increasingly dependent on software for everyday operations.

“Today’s report published by the UK Parliament’s Public Accounts Committee underlines the sheer scale of the UK’s cyber resilience challenge, concluding that the UK government needs to adopt a fundamentally different approach to achieve cyber resilience by 2030,” he said.

“Beyond Government, it is crucial that organisations, whether public or private, move beyond seeing cyber resilience as a compliance issue and focus on cybersecurity as a fundamental strategic and operational priority. Failure to do so will mean high-profile attacks like we've seen on the retail sector recently will become more commonplace, complex, and severe.

“To do so, the prioritisation of cyber resilience should come from the very top - we need board-level accountability. This should involve the adoption of frameworks and tools, such as the Cyber Governance Code of Practice, which sets out clear, practical steps boards and directors can take to govern cyber risk and protect the organisation from cyber threats.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
