The National Audit Office (NAO) has issued a stark warning regarding the UK government’s vulnerability to cyber threats, highlighting critical gaps in resilience and the urgency of addressing them.
A newly released report reveals that 58 key government IT systems assessed in 2024 exhibited significant deficiencies in cyber resilience, while 228 legacy systems remain unassessed for vulnerability, posing a substantial risk to public services.
In 2023-24, one in three government cybersecurity roles were vacant or filled by temporary staff, with some departments reporting that over half of their cyber roles remained unfilled.
The shortage of cybersecurity skills, coupled with outdated IT infrastructure, was flagged as a major factor contributing to the slow progress in bolstering defences. According to the NAO, financial constraints have forced many departments to scale back critical cybersecurity work, leaving 53% of legacy IT systems without fully funded remediation plans.
The report points to the British Library cyber attack in 2023, which cost £600,000 in recovery expenses, as an example of the consequences of underinvestment. Similarly, a 2024 cyber attack on an NHS supplier led to the postponement of over 10,000 outpatient appointments, underscoring the real-world impact of cyber vulnerabilities.
Gareth Davies, head of the NAO, stated: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”
To address the crisis, the NAO recommended that the government develop a cross-departmental implementation plan within six months, improve cyber risk accountability, and fill critical skills gaps within a year. It also stressed the importance of interdepartmental cooperation, noting that departments often fail to share lessons learned from cyber incidents.
Despite the government’s 2022 Cyber Security Strategy aiming to significantly harden systems by 2025, the NAO concluded that the current rate of progress falls short. Departments have blamed civil service pay limitations and cumbersome recruitment processes for their inability to hire qualified cybersecurity personnel, further compounding the issue.
Without urgent intervention, the report warns, the government’s cybersecurity strategy risks falling behind, leaving public services vulnerable to further disruption.
Probably only take us ten years…
More mission creep, the UK armed forces are the last people that should have anything to do with cyber security. This is an issue for IT departments and the police.
How many battalions are we prepared to disband to pay for enhanced IT security for the British library?
If government needs a Cyber force it should be paid for by the Home Office and not the MOD.
This article appears to be aimed at the civil service and not the armed forces.
These are civilian roles.
I don’t agree there, Jim.
Cyber attacks could disable military assets in the field as much as CNI at home, so field based Cyber capability is needed – so units consisting of the Royal Signals and Intelligence Corps.
And as for CNI at home, that includes MoD and military communications infrastructure as well as wider civilian.
In that sphere, look into what the GOSCC, CSOC and the CERT do as just three examples at Corsham who oversee and defend the military.
The Army, the Royal Navy and the RAF also have existing Cyber elements elsewhere defending military networks.
And the term Cyber, as I understand it, also overlaps into EW and EM effects, also other niche areas which parts of the military deal with.
“If government needs a Cyber force it should be paid for by the Home Office and not the MOD.”
A real can of worms. There are already Cyber units in the Home Office, FC&DO, Police, Security Service, SIS, GCHQ, the MoD, DSTL, as well as the military, as it threatens assets over such a wide area. I think the Cabinet Office and other areas of government too, so it is not simply the job of the Home Office.
Some of these have been combined into the NCF – National Cyber Force, whose job adverts for its expansion on the military side go under a different term online which I won’t repeat here.
I also would not agree to losing Infantry Battalions to fund Cyber but I do support comprehensive Cyber abilities for the military, MoD, and Intelligence Community, and they do not need to be defending the British Library.
I would have thought GCHQ would be the experts in this field. I certainly hope so.
They are. In both Offensive and Defensive Cyber, GCHQ are assisted by the military who work alongside them, by means of Joint Cyber Units, which are tri service in their establishment. One at Cheltenham, one at Corsham, and one reserve one elsewhere and also called the JCRF. The Offensive side may be one of the roles of the CSOC at Cheltenham which was operational as far back as 2009.
There is also the NCSC, that takes the lead in defensive Cyber, which is a part of GCHQ, and used to be known back in the day as the CESG.
Acronyms…
CSOC Cyber Security Operations Centre.
NCSC National Cyber Security Centre, over 2 floors in Nova building in Victoria.
CESG Communications and Electronics Security Group, was located in the offices at Benhall until they were torn down to build the current “Donut”.
JCRF Joint Cyber Reserve Force.
Lots of other GCHQ involvement of course which is classified so way over my head, and rightly so.
If the government paid market rate salaries, those cybersecurity roles would soon be filled.
No surprises eh? Continued yap from politicians and no action. You almost hope the lights will go out to wake the idiots up.