Sam Bright reveals the security gaps at the heart of the Whitehall machine

Major cyber security issues persist at major Government departments, while threats of Russian online aggression intensify, Byline Times can reveal.

We reviewed the 2020/21 annual reports of every major Government department, finding a worrying cyber security trend – with almost every department portraying the issue as a major and worsening risk.

HMRC

Evaluating its ‘strategic risks’, HMRC places security in the ‘red’ category – meaning that there is a relatively high risk that “business and critical services will fail because we do not operate our security processes and controls or manage our infrastructure and vulnerabilities effectively enough to protect HMRC, our customers, people and assets from harm or misuse.”

HMRC reports that it had “critical levels” of older, legacy IT systems last year, meaning that it was “more vulnerable to cyber and security threats”.

“In January 2021 the Committee of Public Accounts concluded that the department had spent too much of its IT budget on patching up legacy systems rather than modernising them,” the HMRC annual report states.

As a result, the department undertook work to decommission three-quarters of its obsolete IT systems. However, HMRC acknowledges that reducing the cyber security risk has been “challenging” – in particular due to the “evolving threat from cyber criminals”.

Cabinet Office

As Byline Times has previously reported, there are longstanding cyber security issues at the Cabinet Office – with its 2019/20 report admitting that there is a risk of cyber security incidents within the department due to old IT systems.

This problem is further highlighted in its 2020/21 report – namely that there is “an intensifying risk of cyber security incidents within Cabinet Office due to the vulnerability of legacy IT systems”.

The department says that this issue is being managed through a “multi-layered approach with a coherent and detailed departmental roadmap” – though the specifics are not spelled out in the report.

Ministry of Justice

The Ministry of Justice says that it has made “good progress” in improving its cyber security over the past year. However, even despite this, it says that: “ensuring our technology is fit for purpose remains a risk that significantly above our tolerance levels, with sustained investment is required to rationalise and modernise ageing systems and infrastructure.”

Home Office

The Home Office notes that: “There is a risk that vulnerabilities in peoples, processes and technologies could be exploited accidentally or intentionally leading to a breach in confidentiality, integrity or availability of Home Office information, systems and environments.”

However, the department does not elaborate on the precise nature of these vulnerabilities.

Other Departments

A number of other major Government departments – including the Department of Health and Social Care, the Department of Business and Industrial Strategy, the Department for Education, the Department for International Trade, the Department Environment, Food and Rural Affairs, the Ministry of Defence, and the Foreign, Commonwealth and Development Office – all mention cyber security as a significant risk, though all are vague about whether internal IT flaws are exacerbating the risk.

The first ‘key risk’ mentioned by the Department for Education’s annual report, for example, is cyber security. A “sustained cyber-attack could result in the loss of access to critical systems and services, as well as a loss of critical departmental data”, it states.

The nature of the threat has also been elevated – in March 2020 it was rated as “critical/possible” by the department, rising in March 2021 to “crisis/likely”.

“The department is boosting its ability to identify and monitor threats in near
real time and is set to make a significant investment in increasing the cyber
security capabilities,” it says.

Moreover, this weekend, the Guardian reported that out-of-date IT systems are causing “chaos” in the Foreign Office – hampering the UK’s response to the threat of Russia as it mobilises to invade Ukraine. Insiders told the Guardian that officials are working on different types of computers with separate security systems – due to the merger in 2020 of the Foreign Office and the Department for International Development – meaning they are often not compatible with each another.


The Context

The UK National Cyber Security Centre (NCSC) has warned organisations to “bolster their cyber security resilience in response to malicious cyber incidents in and around Ukraine” in the past few weeks – with a cyber attack causing the websites of two Ukrainian banks, Privatbank and Oshadbank, to crash last week.

Ukraine was also hit by a “massive cyber attack” in mid-January that targeted some 70 Government websites.

Indeed, cyber attacks have become a new tool in the Russia’s military armoury. The 2020 Intelligence and Security Committee report into Russian interference in the UK stated that GCHQ assesses Russia to be a “highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector.”

In particular, the report noted, Russia is able and willing to interfere in elections globally, and its “cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security.”

Russia has amassed more than 150,000 troops at the Ukrainian border – “the biggest force we have seen in Europe for decades”, according to NATO Secretary General Jens Stoltenberg. “They have enough troops and enough capabilities to launch a full fledge invasion of Ukraine with very little or no warning time,” Stoltenberg has said.

The UK Government has been forceful in its support for Ukraine – with Boris Johnson saying over the weekend that we stand “four-square behind their sovereignty and independence”. However, as Byline Times has reported, the Government has aided Russia by approving arms sales to the country, and visas to its oligarchs.

The vulnerability of our Government departments to cyber attacks may be yet another way in which we are aiding Putin’s regime.

OUR JOURNALISM RELIES ON YOU

Byline Times is funded by its subscribers. Receive our monthly print edition and help to support fearless, independent journalism.

New to Byline Times? Find out more about us

SUBSCRIBE TO THE PRINT EDITION

A new type of newspaper – independent, fearless, outside the system. Fund a better media.

Don’t miss a story! Sign up to our newsletter (and get a free edition posted to you)

Our leading investigations include: empire & the culture warBrexit, crony contractsRussian interferencethe Coronavirus pandemicdemocracy in danger, and the crisis in British journalism. We also introduce new voices of colour in Our Lives Matter.

More stories filed under Russian Interference

Landmark Ruling in Strasbourg as MPs Challenge UK Government over Failure to Investigate Russian Interference in Brexit

, 19 January 2023
'Nothing less than the future of democracy is at stake' says Caroline Lucas as a cross-party coalition and The Citizens win an unprecedented hearing over electoral safety and national security

EXCLUSIVE More Russian Linked Lobbying in UK Parliament

, 13 December 2022
Further investigations by Iain Campbell reveal key Russian businessmen tied to Parliamentary groups involved in tech and healthcare data

EXCLUSIVE Close Associate of Roman Abramovich Key Partner of UK Parliamentary Group

, 30 November 2022
A businessman with ties to the sanctioned Russian oligarch is listed as a partner and advisor to a Westminster group containing senior MPs and peers

More stories filed under Fact

Hundreds of ‘Toxic’ North Sea Oil Spills Since 2019

, 31 January 2023
Sam Bright reports on the scale of pollution being pumped into the North Sea

Majority of Brits Report Winter Crisis is Impacting Health and Wellbeing 

, 31 January 2023
New ONS data reveals how cold homes and food insecurity is impacting people's physical and emotional health

For Thousands of Young Children, Poverty is All they have Known

, 27 January 2023
New data from the Joseph Rowntree Foundation reveals the extent of poverty in families

More from the Byline Family