Scores of Critical UK Government IT Systems Have Major Security Holes


The UK government’s spending watchdog has raised grave concerns about the cyber-resilience of critical IT systems across departments, highlighting major gaps in system controls and visibility.

The warnings came from the National Audit Office (NAO) in its Government cyber resilience report published today.

It revealed that a 2024 assessment by the government’s new cyber assurance scheme, GovAssure, found that 58 critical departmental IT systems had “significant” gaps in cyber resilience, creating “extremely high” risk.

“The data highlighted multiple fundamental system controls that were at low levels of maturity across departments including asset management, protective monitoring, and response planning,” the report noted.

There were also 228 legacy IT systems reported in March 2024, according to the NAO. Of these, 28% were “red-rated” – meaning there was “a high likelihood and impact of operational and security risks occurring.”


However, more concerning still is that the Cabinet Office Government Security Group (GSG), which oversees central government security, did not include legacy systems in GovAssure. This is because many of GovAssure’s recommended system controls would not be applicable to legacy systems.

The end result is a huge visibility gap – the GSG and Central Digital and Data Office (CDDO) simply don’t know the security risk to government from these legacy systems, or how well it is being managed.

The NAO blamed resource constraints and skills shortages for much of the shortfall in visibility and resilience, arguing that this has slowed “centrally led interventions” even as the threat from hostile nations and cybercrime groups escalates.

Departments have also not met their responsibilities, often funding other priorities over cyber, the NAO added.

It doesn’t help that, according to the report, in 2023-24:

  • A third of cybersecurity roles in central government were either vacant or filled by temporary staff
  • In several departments, over 50% of cybersecurity roles were unfilled
  • 70% of specialist security architects in post were temporary staff

“The risk of cyber-attack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces,” argued NAO chief, Gareth Davies.

“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”

A New Approach

The NAO recommended that:

  • Within six months, the GSG develops, shares and starts using a cross‑government implementation plan for the Government Cyber Security Strategy: 2022–2030
  • The GSG sets out within six months how the whole of government can “operate differently” to meet its security and resilience goals
  • The GSG strengthens GovAssure’s focus on improving cyber resilience
  • The GSG works more closely with the CDDO to better understand and mitigate legacy IT risks
  • The GSG communicates regularly with departmental leaders on the importance of cybersecurity and how they can improve it
  • Government departments urgently strengthen cyber-risk governance, accountability and reporting arrangements
  • Departments align with GSG to fill skills gaps

“The findings of the NAO report make for sobering reading and reinforce the urgent need for radical policy thinking to ensure that cybersecurity and resilience sit at the heart of what government does,” said James Morris, CEO of non-profit Cybersecurity Business Resilience (CSBR).

“Policy [must be] driven across government and operationalized rapidly to counter the growing threat landscape.”

Ian Stretton, director of consultancy Green Raven, argued that the NAO’s focus on skills shortages misses the point.

“A frank, honest discussion is urgently needed, about how the whole of government can use new and emerging cybersecurity technology to understand where attacks are most likely to land, and about how resources can be efficiently deployed at such points to repel attacks,” he added.

“Threat intelligence is the key – just as our security services successfully keep the country safe from terrorist acts based on sophisticated intelligence-gathering. I hope that such a discussion might be part of what the NAO means by ‘operate differently,’ in its recommendation.”

Image credit: Ascannio / Shutterstock.com