Red AlertSeveral Major Government Departments Vulnerable to Cyber Attack
Sam Bright reveals the security gaps at the heart of the Whitehall machine
Major cyber security issues persist at major Government departments, while threats of Russian online aggression intensify, Byline Times can reveal.
We reviewed the 2020/21 annual reports of every major Government department, finding a worrying cyber security trend – with almost every department portraying the issue as a major and worsening risk.
HMRC
Evaluating its ‘strategic risks’, HMRC places security in the ‘red’ category – meaning that there is a relatively high risk that “business and critical services will fail because we do not operate our security processes and controls or manage our infrastructure and vulnerabilities effectively enough to protect HMRC, our customers, people and assets from harm or misuse.”
HMRC reports that it had “critical levels” of older, legacy IT systems last year, meaning that it was “more vulnerable to cyber and security threats”.
“In January 2021 the Committee of Public Accounts concluded that the department had spent too much of its IT budget on patching up legacy systems rather than modernising them,” the HMRC annual report states.
As a result, the department undertook work to decommission three-quarters of its obsolete IT systems. However, HMRC acknowledges that reducing the cyber security risk has been “challenging” – in particular due to the “evolving threat from cyber criminals”.
Cabinet Office
As Byline Times has previously reported, there are longstanding cyber security issues at the Cabinet Office – with its 2019/20 report admitting that there is a risk of cyber security incidents within the department due to old IT systems.
This problem is further highlighted in its 2020/21 report – namely that there is “an intensifying risk of cyber security incidents within Cabinet Office due to the vulnerability of legacy IT systems”.
The department says that this issue is being managed through a “multi-layered approach with a coherent and detailed departmental roadmap” – though the specifics are not spelled out in the report.
Ministry of Justice
The Ministry of Justice says that it has made “good progress” in improving its cyber security over the past year. However, even despite this, it says that: “ensuring our technology is fit for purpose remains a risk that significantly above our tolerance levels, with sustained investment is required to rationalise and modernise ageing systems and infrastructure.”
Home Office
The Home Office notes that: “There is a risk that vulnerabilities in peoples, processes and technologies could be exploited accidentally or intentionally leading to a breach in confidentiality, integrity or availability of Home Office information, systems and environments.”
However, the department does not elaborate on the precise nature of these vulnerabilities.
Other Departments
A number of other major Government departments – including the Department of Health and Social Care, the Department of Business and Industrial Strategy, the Department for Education, the Department for International Trade, the Department Environment, Food and Rural Affairs, the Ministry of Defence, and the Foreign, Commonwealth and Development Office – all mention cyber security as a significant risk, though all are vague about whether internal IT flaws are exacerbating the risk.
The first ‘key risk’ mentioned by the Department for Education’s annual report, for example, is cyber security. A “sustained cyber-attack could result in the loss of access to critical systems and services, as well as a loss of critical departmental data”, it states.
The nature of the threat has also been elevated – in March 2020 it was rated as “critical/possible” by the department, rising in March 2021 to “crisis/likely”.
“The department is boosting its ability to identify and monitor threats in near
real time and is set to make a significant investment in increasing the cyber
security capabilities,” it says.
Moreover, this weekend, the Guardian reported that out-of-date IT systems are causing “chaos” in the Foreign Office – hampering the UK’s response to the threat of Russia as it mobilises to invade Ukraine. Insiders told the Guardian that officials are working on different types of computers with separate security systems – due to the merger in 2020 of the Foreign Office and the Department for International Development – meaning they are often not compatible with each another.
The Context
The UK National Cyber Security Centre (NCSC) has warned organisations to “bolster their cyber security resilience in response to malicious cyber incidents in and around Ukraine” in the past few weeks – with a cyber attack causing the websites of two Ukrainian banks, Privatbank and Oshadbank, to crash last week.
Ukraine was also hit by a “massive cyber attack” in mid-January that targeted some 70 Government websites.
Indeed, cyber attacks have become a new tool in the Russia’s military armoury. The 2020 Intelligence and Security Committee report into Russian interference in the UK stated that GCHQ assesses Russia to be a “highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector.”
In particular, the report noted, Russia is able and willing to interfere in elections globally, and its “cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security.”
Russia has amassed more than 150,000 troops at the Ukrainian border – “the biggest force we have seen in Europe for decades”, according to NATO Secretary General Jens Stoltenberg. “They have enough troops and enough capabilities to launch a full fledge invasion of Ukraine with very little or no warning time,” Stoltenberg has said.
The UK Government has been forceful in its support for Ukraine – with Boris Johnson saying over the weekend that we stand “four-square behind their sovereignty and independence”. However, as Byline Times has reported, the Government has aided Russia by approving arms sales to the country, and visas to its oligarchs.
The vulnerability of our Government departments to cyber attacks may be yet another way in which we are aiding Putin’s regime.