Cyber threat against UK Government severe and advancing quickly, warns watchdog

The cyber threat towards the UK Government is “severe and advancing quickly”, according to a new report from the Government’s spending watchdog, with cyber resilience levels “lower” than Whitehall had estimated.

Officials have been told that Wednesday’s report from the National Audit Office should serve as a “wake-up call” and push them to “get on top of this most pernicious threat”.

A shortage of cyber skills within Government and risks posed by old IT systems are among the concerns officials have been told they must address if they are to “catch up with the acute cyber threat”.

According to the NAO report, more than 50% of roles in several departments’ cyber security teams were vacant on 2023/24, and at least 228 so-called legacy IT systems were in use across Government in March 2024, with officials unable to know how vulnerable those older systems may be to attack.

Among recent high-profile cyber attacks are one against the British Library in 2023, which saw employee data leaked, and a ransomware attack last summer that saw thousands of appointments cancelled at two London NHS trusts.

The National Cyber Security Centre managed 430 cyber incidents between September 2023 and August 2024 because of their potential severity. Of these, 89 were deemed to be “nationally significant”.

The report concluded that “the cyber threat to the Government is severe and advancing quickly”, and although the Government has started work to implement a cyber strategy, “progress is slow and cyber incidents with a significant impact on Government and public services are likely to happen regularly, not least because of the growing cyber threat”.

It found that resilience levels are “lower” than Government had previously estimated and that some departments have “significant gaps” in the functions important to cyber resilience.

The report states: “To avoid serious incidents, build resilience and protect the value for money of its operations, Government must catch up with the acute cyber threat it faces.

“The Government will continue to find it difficult to do so until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk and better manages the risks posed by legacy IT.”

The head of the NAO has told the Government they must now “catch up” with the risk.

Gareth Davies said: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet Government’s work to address this has been slow.

“To avoid serious incidents, build resilience and protect the value for money of its operations, Government must catch up with the acute cyber threat it faces.

“The Government will continue to find it difficult to catch up until it successfully addresses the long-standing shortage of cyber skills; strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”

The head of a cross-party committee of MPs has said that public services have been left “exposed” as Government response has “not kept pace” with the evolving cyber threat.

Sir Geoffrey Clifton-Brown MP, chairman of the Public Accounts Committee, said: “We have seen too often the devastating impact of cyber attacks on our public services and people’s lives.

“Despite the rapidly evolving cyber threat, the Government’s response has not kept pace. Poor co-ordination across Government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed.

“Today’s NAO report must serve as a stark wake-up call to Government to get on top of this most pernicious threat.”

A Government spokesperson said: “Many of the NAO’s findings mirror the Government’s own findings in the state of digital government review published last week.

“Since July, we have taken action to repair cyber defences neglected by successive governments – introducing new legislation to give us powers to protect critical national infrastructure from cyber attacks, delivering 30 new regional cyber skills projects to strengthen the country’s digital workforce, and merging digital teams into one central Government Digital Service led by the Department for Science, Innovation and Technology.

“And last week we went further, announcing plans to upgrade technology across Government, both strengthening our defences against attack and transforming public services as part of the plan for change.”