Is the UK Government Ready to Face Severe Cyber Threats?

By Matt High
The cyber threat to the UK government is severe and advancing quickly, says the National Audit Office
Focusing on legacy systems, skills shortages and gaps in cyber resilience, the National Audit Office evaluates the UK Government’s threat readiness

Back in January 2022, the UK Cabinet Office published the Government Cyber Security Strategy: 2022-2030, setting out for the first time the complex challenges facing government cyber security and a comprehensive vision and strategy for improvement. 

The strategy’s overarching vision is to ‘ensure that core government functions, from the delivery of public services to the operation of national security apparatus, are resilient to attack’. 

A cyber attack is one of the most serious risks to the UK and the government’s resilience, with the disruption caused by the COVID-19 pandemic highlighting the need to strengthen national resilience and prepare for future emergencies in an increasingly digital world.

The government planned to achieve key parts of the 2022-2030 strategy by 2025, including being ‘significantly hardened’ to cyber attack.


To assess progress against the strategy, and to consider whether the UK is keeping pace with the rapidly evolving cyber threat it faces from a growing number of hostile actors, the National Audit Office (NAO) – the UK’s spending watchdog – has evaluated government action.

It finds that the cyber threat is ‘severe and advancing quickly’ and that ‘the government must catch up with the acute cyber threat it faces’. 

Government cyber resilience

The last decade has seen rapid growth in the government’s digital ambitions, says the NAO, including the number of services available online, and the devices and IT systems that connect people, organisations and businesses globally.

While providing significant social and economic opportunities, this broader digital footprint also makes it easier for malicious actors to cause disruption.

To understand the extent of this threat, the NAO examined key areas such as the threat to government security, progress with implementing the Government Cyber Security Strategy, challenges for departments in building cyber resilience and the government’s cyber resilience position in 2024.


The report identifies that GovAssure, the government’s cyber assurance scheme that independently assessed 58 critical departmental IT systems, found significant gaps in cyber resilience and fundamental systems controls at low levels of maturity. 

It also says that the government doesn’t know how vulnerable at least 228 legacy IT systems are to cyber attack. In 2019 the government estimated that it used nearly half of its £4.7bn IT expenditure to keep legacy systems running. 

Other concerns include cyber skills shortages within government, with one in three cyber security roles vacant or filled by temporary staff in 2023-24; financial pressures; and departmental leaders not consistently recognising the relevance of cyber risk to their strategic goals.

Cyber risk and building resilience

Successful cyber attacks can severely impact government organisations, public services, and people’s lives – in June last year two NHS foundation trusts postponed more than 10,000 acute outpatient procedures as a result of an attack on a supplier of pathology services to the NHS. 

Gareth Davies, Head of the National Audit Office

“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet the government's work to address this has been slow,” says Gareth Davies, head of the NAO. 

“To avoid serious incidents, build resilience and protect the value for money of its operations, the government must catch up with the acute cyber threat it faces.”

This can be achieved by following several recommendations, the NAO notes. In the short term (within six months), it says the government should develop, share and start using a cross-government plan for its Government Cyber Security Strategy. It should also set out how the whole of the government needs to operate differently so it can achieve its cyber security and resilience goals. 

Other recommendations include urgently strengthening governance, accountability and reporting arrangements around cyber risk, and setting out plans to tackle cyber skills gaps. 



Cyber Magazine is a BizClik brand