‘There will always be a gap’ in government cyber, Whitehall chief says


Senior leaders give a frank assessment of how and why government ‘should be extremely worried’ about the security threat landscape, particularly as hostile states become ‘more aggressive and more careless’

In the face of a vast and ever-diversifying cyberthreat, no matter how fast departments move, “there will always be a gap” in their ability to meet the latest dangers, according to the government’s operations leader.

Giving evidence to parliament’s Public Accounts Committee last week, civil service chief operating officer Cat Little was asked for details of how “government [is] keeping up with and ultimately staying ahead of that growing and changing threat”.

In response, Little – who also serves as permanent secretary of the Cabinet Office – said that the threat in question “has significantly evolved: it has become more sophisticated, and the circumstances have changed very rapidly”.

This acceleration has meant that “over the last few years, we already had a gap in our ability to respond”. To try and outpace the threat and narrow the cyber gap, “we are having to work twice or three times as hard to evolve and constantly be as on the front foot as possible”, the COO said.

“But my honest assessment is that there always will be a gap,” she added. “No matter how quickly we close down our risks and mitigate them, our ability to keep up is increasingly a challenge. I would not want the committee to think that we were not trying to close that gap, but we are running against the tide constantly.”

Little acknowledged the existence of some significant challenges facing government’s cyber efforts – including the prevalence and complexity of legacy systems, and issues encountered by departments in recruiting and retaining the necessary expertise.

“I think we have a genuine challenge on how we keep pace,” she said. “Our best effort is to keep evolving, to close that gap as much as we can, and to do it with the best possible value for money with taxpayer resources.”




Elsewhere in the evidence session, government chief security officer Vincent Devine was asked: “How worried should we be about the cyber threat to the government?”

He responded: “I think we should be extremely worried.”

The security head endorsed the headline conclusion of a recent National Audit Office report on government cyber-resilience, which found that the threat facing Whitehall is “severe and advancing quickly”.

“Over the last three years, the threat has grown and evolved,” Devine added. “Our adversaries, who are both hostile states and criminals, have developed capability more rapidly than we expected. Their risk appetite has changed, particularly with some hostile states; I will not name names here. They have been more aggressive and more careless in their attacks than we had expected. Finally, the nature of the threat is evolving. We have been principally concerned in the past about the loss of Government information—classic espionage—or about cybercrime, which again is information based. We are now also worried about the risk of disruption of essential services. I think the fact that the threat has surprised us with its pace is underpinning most of the analysis in [the NAO] report.”

Discussing the threats posed by hostile nation states, Bella Powell, cyber director at the Cabinet Office-based Government Security Group, said that “we have two categories that we are particularly concerned about”.

“With espionage, a really good example of the type of action we see is a campaign of activity by the Russian GRU that was called out by the National Cyber Security Centre last year,” she told MPs. “That was a campaign of espionage activity that included data exfiltration, website defacement and data leakage activity. It is a really clear insight into the scale of activity that is conducted by nation states for espionage. Disruptive and destructive activity is an area of increasing concern for us. In February 2024, the NCSC and its international partners co-signed an advisory warning of activity by a group known as Volt Typhoon, a Chinese state-affiliated actor that has been identified as conducting pre-positioning activity on US critical national infrastructure, with the potential to escalate that to disruptive and destructive activity. That is a clear indicator of the scale of threat from Chinese state actors and their intent to disrupt essential services.”

Sam Trendall
