The government will miss its target for its “critical functions to be significantly hardened to cyberattack by 2025” as it struggles to overcome issues including staffing gaps and ageing IT, a new National Audit Office report says.
That ambition was set out in the Government Cyber Security Strategy published three years ago. But auditors have found that “progress is slow and cyber incidents with a significant impact on government and public services are likely to happen regularly”.
As of March 2024, there were about 228 significant legacy IT systems used across departments “and the government does not know how vulnerable these are to cyberattack”, according to the NAO.
The public spending watchdog added that “departments have no fully funded remediation plans for half of these vulnerable systems” – meaning that the 2025 cyber-resilience target will be missed.
In the face of a threat that is already “severe and advancing quickly”, the NAO added that “the government’s cyber resilience levels are lower than it previously estimated, and departments have significant gaps in their system controls that are fundamental to their cyber resilience”.
Across 2023/24, “several departments’ cyber security teams” had less than half the intended number of staff, the report found. Across the whole of the civil service, one in three cyber posts were either unfilled or being delivered by temporary staff.
Various “fundamental” areas of security – including asset management, protective monitoring and response planning – were assessed as having “low levels of maturity”.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces,” the office said. “The government will continue to find it difficult to do so until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”
The longer-term goals of the Government Cyber Security Strategy – including that all public bodies will be “resilient to known vulnerabilities and attack methods no later than 2030” – remain in play, but are now “ambitious”, according to the NAO.
The audit organisation recommends that, within the next six months, the Government Security Group (GSG) within the Cabinet Office should “develop, share and start using a cross‑government implementation plan” for the strategy.
In the first half of 2025, GSG should also “set out how the whole of government needs to operate differently, and what is needed for this transformation to be effective”, the NAO recommends.
The security body should also “strengthen… the focus on improving cyber resilience outcomes” of the GovAssure programme of independent audits of departments’ cyber posture. This should be accompanied by work with the digital centre of government to “take a more rigorous approach to understanding and mitigating the risk to government organisations’ cyber resilience caused by legacy IT systems”.
The final recommendation for the centre of government is to “design regular communications to ensure that senior leaders and other decision-makers across government understand the cyber threat, how it is relevant to their business outcomes and what they can do about it”.
The NAO also provides two recommendations for actions to be taken by individual departments. The first is that they “should urgently strengthen their own governance, accountability and reporting arrangements around cyber risk”.
The second is that “working in alignment with GSG’s government skills strategy, departments should make and enact plans to fill the cyber skills gaps in their workforces”.
The head of the NAO, Gareth Davies, reiterated the report’s finding that “the risk of cyberattack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow”.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces,” he added. “The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”
In response to the report, government indicated that it would consider the NAO’s findings. It also pointed to the work that has taken place in the past six months – led by the new digital centre of government in the Department for Science, Innovation and Technology – to better understand and grow Whitehall tech skills.
“Many of the NAO’s findings mirror the government’s own findings in the State of Digital Government review published last week,” a government spokesperson added.
“Since July, we have taken action to repair cyber defences neglected by successive governments – introducing new legislation to give us powers to protect critical national infrastructure from cyberattacks, delivering thirty new regional cyber skills projects to strengthen the country’s digital workforce, and merging digital teams into one central Government Digital Service led by the Department for Science, Innovation and Technology.
“And last week we went further, announcing plans to upgrade technology across government, both strengthening our defences against attack and transforming public services as part of the Plan for Change.”