‘Crumbling’ Government cyber defences outpaced by cyber criminals – report
9 May 2025, 00:04
The report from the Public Accounts Committee warned there are significant gaps in public sector IT systems, leaving them vulnerable.
Government cyber defences have not kept up with the dangerous and evolving threats from hackers, a report from MPs has warned.
The Public Accounts Committee (PAC) said hostile states and criminals have developed the ability to severely disrupt public services and critical national infrastructure faster than the Government expected.
According to Government estimates, vulnerable “legacy” IT systems make up 28% of all public sector IT, and the PAC report said the Cabinet Office had acknowledged that there was now a significant gap between the cyber threat and the Government’s response to it.
The report comes in the wake of high-profile cyber attacks on UK retailers, including Marks and Spencer and Co-op, incidents which Chancellor of the Duchy of Lancaster Pat McFadden said should be a “wake-up call” for British businesses, as he announced a new £16 million package to boost cyber defences during a cyber security conference earlier this week.
In its report conclusions, the PAC also said there was a shortage in Government of technical cyber skills and experience, cyber security had not been prioritised as a key issue, gaps remained in the Government’s understanding of how resilient public sector IT systems were to attack, and that existing supply chains were complicated to properly secure.
It called on the Cabinet Office to carry out a major audit of IT systems and report back with details on how it plans to fix the range of issues raised.
Sir Geoffrey Clifton-Brown, chairman of the committee, said: “Government departments are beginning to wake up to the serious cyber threat they face.
“It is positive to see independent verification now in place to gain a better picture on critical systems resilience.
“Unfortunately, this has only served to confirm that our battlements are crumbling.
“A serious cyber attack is not some abstract event taking place in the digital sphere.
“The British Library cyber attack is a prime example of the long-lasting cost and disruption that these events can cause.
“Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.
“If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required.
“This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the Civil Service for greater threat awareness and digital transformation.
“Part of this will be Government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms.
“For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere.
“Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money.
“This is an issue our committee will continue to scrutinise closely.
“It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”
A Government spokesperson said: “Just this week, we announced action to boost our country’s cyber security, helping to grow the economy and create jobs through the Plan for Change. This includes backing for the rollout of cutting-edge CHERI technology which could prevent up to 70% of the most common cyber attacks.
“Last month we also unveiled details of our Cyber Security and Resilience Bill which will be introduced to Parliament later this year, ensuring our critical national infrastructure and digital economy are better protected and less vulnerable to attack.”
