The National Audit Office (NAO) has issued a stark warning regarding the UK government’s vulnerability to cyber threats, highlighting critical gaps in resilience and the urgency of addressing them.
A newly released report reveals that 58 key government IT systems assessed in 2024 exhibited significant deficiencies in cyber resilience, while 228 legacy systems remain unassessed for vulnerability, posing a substantial risk to public services.
In 2023-24, one in three government cybersecurity roles were vacant or filled by temporary staff, with some departments reporting that over half of their cyber roles remained unfilled.
The shortage of cybersecurity skills, coupled with outdated IT infrastructure, was flagged as a major factor contributing to the slow progress in bolstering defences. According to the NAO, financial constraints have forced many departments to scale back critical cybersecurity work, leaving 53% of legacy IT systems without fully funded remediation plans.
The report points to the British Library cyber attack in 2023, which cost £600,000 in recovery expenses, as an example of the consequences of underinvestment. Similarly, a 2024 cyber attack on an NHS supplier led to the postponement of over 10,000 outpatient appointments, underscoring the real-world impact of cyber vulnerabilities.
Gareth Davies, head of the NAO, stated: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”
To address the crisis, the NAO recommended that the government develop a cross-departmental implementation plan within six months, improve cyber risk accountability, and fill critical skills gaps within a year. It also stressed the importance of interdepartmental cooperation, noting that departments often fail to share lessons learned from cyber incidents.
Despite the government’s 2022 Cyber Security Strategy aiming to significantly harden systems by 2025, the NAO concluded that the current rate of progress falls short. Departments have blamed civil service pay limitations and cumbersome recruitment processes for their inability to hire qualified cybersecurity personnel, further compounding the issue.
Without urgent intervention, the report warns, the government’s cybersecurity strategy risks falling behind, leaving public services vulnerable to further disruption.
Probably only take us ten years…
More mission creep: the UK armed forces are the last people that should have anything to do with cyber security. This is an issue for IT departments and the police.
How many battalions are we prepared to disband to pay for enhanced IT security for the British library?
If government needs a Cyber force it should be paid for by the Home Office and not the MOD.
This article appears to be aimed at the civil service and not the armed forces.
These are civilian roles.
No, I disagree also, although I do see your angle. However, if it’s cyber security and system guarding you have to consider what information and details exactly are being protected, and whether any of that is, let’s say, “data not for the public knowledge”, i.e. controlled; then it needs to be the military fronting this because of sensitive information etc …
It all depends on what’s being guarded.
I don’t agree there, Jim. Cyber attacks could disable military assets in the field as much as CNI at home, so field based Cyber capability is needed – so units consisting of the Royal Signals and Intelligence Corps. And as for CNI at home, that includes MoD and military communications infrastructure as well as wider civilian. In that sphere, look into what the GOSCC, CSOC and the CERT do as just three examples at Corsham who oversee and defend the military. The Army, the Royal Navy and the RAF also have existing Cyber elements elsewhere defending military networks. And the…
But why would we think anyone looking for a job in uniform would be the kind of code monkey you need running cyber. They are very different fields. If cyber is required which I believe it is then I see no reason it should be a uniformed military branch.
I think, as I mentioned, it depends on how one defines what “Cyber” actually comprises. The military has lots of units of “code monkeys”; they couldn’t deploy effectively without them, and some need to be military. Would you have civilians deployed into the field with the Field Army? Or with the RAF’s 90SU when it deploys forward to an FOB and its CSOC specialists protect RAF networks? Or the RN example: up at Portsdown is a RN Cyber outfit, and they deploy on ships and subs. Cyber specialists are throughout the military already, mate. The JCRF is desperate for people with the niche…
I would have thought GCHQ would be the experts in this field. I certainly hope so.
They are. In both Offensive and Defensive Cyber, GCHQ are assisted by the military who work alongside them, by means of Joint Cyber Units, which are tri-service in their establishment: one at Cheltenham, one at Corsham, and one reserve one elsewhere, also called the JCRF. The Offensive side may be one of the roles of the CSOC at Cheltenham, which was operational as far back as 2009. There is also the NCSC, which takes the lead in defensive Cyber, is a part of GCHQ, and used to be known back in the day as the CESG. Acronyms……
If the government paid market rate salaries, those cybersecurity roles would soon be filled.
Basically
No surprises eh? Continued yap from politicians and no action. You almost hope the lights will go out to wake the idiots up.
I’m not surprised half the vacancies are left unfilled when they are offering 60k for a Head of Cyber Security when you can get 80k on civvy street.
Well done NAO for publicising our weaknesses to our enemies! However, they probably know already! Still… just saying!
No Scheisse, Sherlock!!!
If an autistic kid in his bedroom can hack NASA, the world has a lot of problems when state-sponsored nerds are unleashed with the help of A.I.
The rise and fall of civilizations is rooted in the rise and fall of moral values.
♾️❤️☮️