Government Urged to Wake Up to ‘Serious Cyber Threat’ as Report Reveals Some Systems Still Run on Windows 3.1

Risky ‘legacy’ IT systems make up 28% of the public sector’s IT estate

Keir Starmer. Photo: Associated Press/Alamy

The Government is losing the battle against criminal gangs and hostile states to protect people’s data and critical infrastructure, a report by MPs says today.

MPs on the Commons Public Accounts Committee call for a completely new approach to thwart growing numbers of cyber attacks and ransomware demands after a Cabinet Office-commissioned independent verification report found that far more IT systems used by departments are too weak to resist attacks.

The Government estimates that risky ‘legacy’ IT systems make up 28% of the public sector’s IT estate, and substantial gaps also remain in its understanding of the estate’s resilience to attack.

By January 2025, 319 legacy systems had been identified as in use across government, with around 25% ‘red’-rated as having a high likelihood and impact of risks occurring. But the Government does not know how many legacy systems there are altogether.

Some Government IT systems are still running on Windows 3.1 — a programme developed by Microsoft in 1992 which it stopped supporting in 2001 — 24 years ago.

Under the last Conservative Government it was hoped that the system would be secure by the end of this year but it is now estimated that Government and the wider public sector will have to wait until 2030 for full protection.

Sir Geoffrey Clifton-Brown MP, Conservative Chair of the Committee, said: “Government Departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience.”

He continued: “Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyberattack is not some abstract event taking place in the digital sphere.

“The British Library cyberattack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.

“If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.”

The report states: “Government has been unwilling to pay the salaries necessary to hire the experienced and skilled people it desperately needs to manage its cyber security effectively. Commendably, government has increased its digital workforce to 23,000 people. However, one in three cyber security roles remain either vacant or filled by expensive contractors.” 

As a result, IT staff are lured away by the private sector. One example given to MPs was a City of London police sergeant specialising in IT who took a £250,000 job with a large bank.

Evidence given to MPs from John Edwards, the Information Commissioner, shows the scale of the problem. His office said that over the last five years data controllers reported a total of 19,892 incidents, including 1592 categorised as cyber incidents.

The number of cyber incidents reported within these sectors in a given year has increased from 164 in 2019 to 309 in the first three quarters of 2024 with a peak in 2021 of 369.

His office added that of the cyber incidents reported by central government, local government, health, justice and regulation, the vast majority concerned either phishing or ransomware attacks: 543 reports were categorised as ransomware and 471 as phishing, together representing 64% of cyber related incidents in those sectors.

Evidence from the private sector, which has recently seen cyber attacks on retailers Marks and Spencer, Co-op, and Harrods, shows that it spends much more money than government on making its systems compliant.

The Institute of Corporate Resilience said some £34 billion a year was spent, and in one area the money was three times higher than the combined IT budgets of GCHQ, MI5, MI6 and the National Crime Agency, which had to deal with cyber attacks.

A Government spokesperson told Byline Times: “Just this week, we announced action to boost our country’s cyber security, helping to grow the economy and create jobs through the Plan for Change. This includes backing for the rollout of cutting-edge CHERI technology which could prevent up to 70% of the most common cyber-attacks.

“Last month we also unveiled details of our Cyber Security and Resilience Bill which will be introduced to Parliament later this year, ensuring our critical national infrastructure and digital economy are better protected and less vulnerable to attack.”

