‘We have to move the cyber baseline all the time’ – Scottish public sector resilience leader


Head of the government’s specialist public sector cyber efforts warns of a number of challenges, including those caused by legacy systems ‘not designed to be secure from the ground up’

A senior cyber resilience leader in the Scottish Government has highlighted the challenge public bodies face in continually moving the “baseline” of their security levels in order to keep up with threats.

There has been increased focus on public sector cybersecurity credentials in recent weeks following the publication of a National Audit Office report which found that the UK government’s cyber resilience was “lower” than estimated, and warned it would fail to keep up with the rate of attacks on Whitehall that are “likely to happen regularly”.

Paul Chapman, head of public sector cyber for the Scottish Government’s cyber resilience unit, said this situation is also likely to be the case north of the border.

“As I look across political bodies, a lot of the old challenges are still there,” he said. “The legacy we grew up with. We’ve not designed the systems to be secure from the ground up. We’ve grown them over time and that brings with it a whole bunch of flaws and risks that we’re still dealing with.”

He added: “We have to move that [cybersecurity] baseline all the time. And that’s not easy. It’s not cheap. It’s very resource intensive. And the independent assurance piece that goes with it has changed a lot over the last few years too.

“And in the face of tightening budgets and skills becoming more and more difficult to get access to, there’s lots to do.”

Speaking at the Public Sector Cyber Scotland event held in Edinburgh last week by PublicTechnology sister publication, Chapman added: “The National Audit Office report last week from the UK government point of view wasn’t great. I can only imagine that we see a lot of the same issues that are flagged up in the Scottish public sector. So, maintaining a decent baseline and getting to a decent baseline is really a challenge.”

The NAO concluded that, after limited progress in tackling persistent problems, the UK government will miss its previously stated target for its “critical functions to be significantly hardened to cyberattack by 2025”.

As of March 2024, there were about 228 significant legacy IT systems used across departments “and the government does not know how vulnerable these are to cyberattack”, according to the NAO.

The public spending watchdog added that “departments have no fully funded remediation plans for half of these vulnerable systems” – meaning that the 2025 cyber-resilience target will be missed.

A version of this story originally appeared on PublicTechnology sister publication Holyrood

Sofia Villegas and PublicTechnology staff