MPs find that government has a sketchy understanding of current resilience levels, with security impacted by issues including a lack of cyber expert officials and the ‘optimistic self-assessments’ of departments
The Public Accounts Committee has found that government’s resilience to cyberattacks is “far from where it needs to be”, with departmental defences having been “outpaced by hostile states and criminals”.
The newly published Government cyber resilience report from the influential group of MPs cites as its headline conclusion that “government has not kept up with the severe and rapidly evolving cyber threat”.
The report adds that this threat encompasses attacks from both nation states and cybercriminals. The scale of the risk is demonstrated by the ransomware attack on the publicly owned British Library in October 2023 – which MPs found has cost the institution £7m to date.
“Government is concerned by the growing intent of hostile states to disrupt public services and critical national infrastructure,” the report says. “Ransomware attacks by criminal groups are prolific and recovery from attacks is costly.”
In response to this conclusion, the committee recommends that the Cabinet Office writes to MPs one year from now to provide an updated assessment of “how the cyber risk to government has continued to change, how government’s approach has evolved in response, and the extent to which the gap between the cyber threat and government’s cyber resilience has grown or reduced”.
The second of the report’s core findings is that “there is a long-standing shortage in government of the experienced, technical cyber skills required”.
The committee found that “significant vacancies remain, particularly for expert cyber skills [as], right now, one in three cybersecurity roles in central government are vacant or filled by expensive contractors”.
Issues that stymie the recruitment of experts include levels of pay on offer and “civil service recruitment processes, which can take up to nine months, [and] are not quick enough”.
To address this problem, PAC recommends that, once the ongoing Spending Review process is completed in a month’s time, “the Cabinet Office should set out: how many of the estimated cyber vacancies in government that its central interventions will fill; and how it will support departments’ plans to fill the remaining gaps in their workforces”.
“It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling.”
PAC chair, Sir Geoffrey Clifton-Brown
The third major conclusion of the report is that “departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be”. This has come about because agencies have “underestimated the severity of the threat, and their funding and prioritisation decisions have not reflected the urgency of the issue”.
Going forward, MPs recommend that government should ensure that security specialists have senior standing in departments’ boardroom set-ups.
The report’s third recommendation says: “The Cabinet Office should set out how it is supporting accounting officers to: improve accountability by appointing an appropriately experienced and expert chief information officer and chief security officer at senior management and board level; include cyber resilience in departmental plans and activities; and create a strong cyber security culture in their organisations.”
‘Optimistic self-assessments’
The committee’s fourth finding is that government itself “has substantial gaps in its understanding of how resilient its IT estate is to cyberattack”.
The GovAssure regime of external cyber audits for departments – which was launched across government in 2023 – has been “a clear improvement compared with the previous reliance on departments’ optimistic self-assessments”, MPs found.
“But government should have collected reliable data sooner,” the report adds. “We recognise the need to balance effort between assurance and frontline security, but there is also scope for GovAssure to assess more systems, faster. Separately, DSIT’s understanding of government’s legacy IT assets relies on self-assessments by departments. By January 2025, 28 public sector organisations had identified 319 legacy systems in use across government, rating around 25% as ‘red’ because there was a high likelihood and impact of risks occurring. However, DSIT does not know how many legacy systems there are in total.”
In response to this situation, the Cabinet Office has been asked to provide information on “what proportion of critical and legacy IT systems it has assessed so far, the optimal scale and frequency of assessment activity needed, a deadline for when this will be achieved by, and how it will prevent departments from diverting funding away from this activity”.
The penultimate finding of the committee is that “the scale and diversity of government’s supply chains, and the size of the public sector, makes it significantly harder for government to manage cyber risk”.
MPs recognised some measures already being taken to address this issue, including claims from the Cabinet Office that “it is giving departments text to include in contracts so that suppliers put appropriate cyber security measures in place, and that it plans to work with strategic suppliers to help improve government’s resilience”.
£7m
Cost so far of the 2023 cyberattack on the British Library
2030
Government’s current target for ensuring the public sector is universally resilient to
319
Number of legacy systems in use across government that have been identified so far
One in three
Proportion of government cyber roles that are currently vacant or ‘filled by expensive contractors’
In the future, the central department “should secure clear assurance from departments that they understand and are effectively managing the cyber risk from their arm’s-length bodies and supply chains”, the report recommends.
PAC’s final conclusion is that, if government is to meet its previously stated aim of ensuring that the UK public sector is ubiquitously resilient to the most-common cyberthreats by 2030, then it “will require a fundamentally different approach”.
MPs found that the Cabinet Office has thus far focused on implementing initiatives like the GovAssure audits “at the expense of… coordinating a cross-government plan that challenges departments to meet their cyber resilience targets”.
Once the current Spending Review is finished, the department is thus asked to “set out what levers and instruments the centre of government will use to take a fundamentally different approach to cyber resilience”, in the report’s final recommendation.
‘Battlements are crumbling’
Chair of the committee, Sir Geoffrey Clifton-Brown, reinforced the progress represented by the GovAssure initiative – but added that “unfortunately, this has only served to confirm that our battlements are crumbling”.
“A serious cyberattack is not some abstract event taking place in the digital sphere,” he said. “The British Library cyberattack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.”
Clifton-Brown added: “If the government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.”
To improve resilience in the future, the PAC head also reiterated the importance of “government finally grasping the nettle on offering competitive salaries for digital professionals”.
“For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere,” he said. “Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”