
Rising Cyber Threats: UK Government’s Vulnerability Exposed

Underinvestment has left Parliament, the Electoral Commission and the British Library open to attack from China, Russia and Iran

Photo: John Williams RF/Alamy


Cyber attacks on government departments and Parliament from malign actors in Russia, China and Iran are becoming increasingly sophisticated and severe, the National Audit Office warns in a report published today.

Ministries are vulnerable to attack because 58 critical IT systems in Whitehall have gaps in their cyber resistance, and another 238 legacy computer systems are operating without any security updates because manufacturers have long ceased to provide them.

Geoffrey Clifton-Brown, Tory Chair of the Committee of Public Accounts, said: “Today’s NAO report must serve as a stark wake-up call to the Government to get on top of this most pernicious threat.

“We have seen too often the devastating impact of cyber-attacks on our public services and people’s lives.

“Despite the rapidly evolving cyber threat, the Government’s response has not kept pace. Poor coordination across government, a persistent shortage of cyber skills, and a dependence on outdated legacy IT systems are continuing to leave our public services exposed.”

The situation is compounded by Whitehall’s inability to recruit skilled experts to combat cyberattacks, because the salaries offered to staff are below those available in the private sector. As a result, a third of the permanent posts in this field are vacant.


The UK’s cyber security and resilience have been a strategic priority for the Government for at least a decade. In 2010, the new Tory and Liberal Democrat coalition’s National Security Strategy described cyberattack as a top threat and priority for action.

Money has been allocated – £650 million initially and another £1.9 billion from 2021 – and a new National Cyber Security Centre was set up. The strategy was revised in 2022.

But up to 2023, extraordinarily, departments were left to self-certify that their computer systems were secure, and information was not gathered centrally. Some even cut back programmes to improve cyber security in order to spend on other priorities.

In March 2024, departments still did not have fully funded plans to remediate around half of the government’s legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber-attacks.

Under-investment in technology and cyber security played a role in the severity of the cyberattack on the British Library. The library was subject to a ransomware attack in 2023 with a demand of 20 Bitcoin or £600,000. When it was not paid, the attackers released 600 gigabytes of data on the dark web, including employee details. The site was unusable for one month, and rebuilding its computer system is taking two years; the work has yet to be completed and is costing far in excess of £600,000.

Other examples include a Chinese state-backed cyber attack on MPs’ emails in Parliament; an attack revealing payroll details of 270,000 serving armed forces personnel, including names and bank details; and a Chinese state-sponsored attack on the Electoral Commission that obtained details of people on the electoral register, which are thought to have been useful to the Chinese intelligence services.

The NAO is calling for urgent action to tackle the weaknesses in the system.

Gareth Davies, head of the NAO, said: “To avoid serious incidents, build resilience and protect the value for money of its operations, the Government must catch up with the acute cyber threat it faces.

“The Government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”


A Government spokesperson told Byline Times: 

“Many of the NAO’s findings mirror the Government’s own findings in the State of Digital Government review published last week. 

“Since July, we have taken action to repair cyber defences neglected by successive governments – introducing new legislation to give us powers to protect critical national infrastructure from cyber attacks, delivering thirty new regional cyber skills projects to strengthen the country’s digital workforce, and merging digital teams into one central Government Digital Service led by the Department for Science, Innovation and Technology. 

“And last week we went further, announcing plans to upgrade technology across Government, both strengthening our defences against attack and transforming public services as part of the Plan for Change.”

