FutureScot
Cyber

Over 200 legacy systems identified in national audit highlighting ‘severe and advancing’ cybersecurity threat to UK government services


More than 200 legacy systems have been identified in a national audit highlighting the ‘severe and advancing’ cybersecurity threat to UK government services.

Spending watchdog the National Audit Office has released a new report in which it says the UK Government does not know how vulnerable at least 228 ‘legacy’ systems are to cyberattack.

It stated that the government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running.

It added: “Legacy systems are often more vulnerable to cyberattack because: their creators no longer update or support their use; few people have the skills to maintain them; and they have known vulnerabilities.”

Between September 2020 and August 2021, around 40% (around 310) of the 777 incidents that the National Cyber Security Centre managed because of their potential severity were aimed at public sector organisations, including central and local government; emergency and health services; and law enforcement.

The NCSC assessed that 89 of the 430 incidents it managed because of their potential severity, between September 2023 and August 2024, were “nationally significant”. Cyberattacks can affect every aspect of an organisation’s operation and recovery is often lengthy and costly. In Scotland, there have been serious cyber incidents that have affected the likes of the Scottish Environment Protection Agency, Western Isles Council and NHS Dumfries and Galloway.

The report, published this week, lists examples of cyberattacks at UK level between 2021 and 2024. In June 2024, a cyberattack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. The British Library, which experienced a cyberattack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery work. Under-investment in technology and cyber was a key factor in the British Library cyber incident.

However, in April 2024, the Government Security Group (GSG) recommended to ministers that departments strengthen their accountability for cyber risk through improved reporting and risk management. In 2024, GovAssure data showed that departments were not meeting their responsibility to be cyber resilient. Additionally, the government ‘did not have sufficient oversight of the cyber resilience of the wider public sector, which lead government departments are responsible for’.

Successive governments have been working for at least a decade to build the UK’s cyber resilience, including publishing a strategy for improving government organisations’ cyber security in January 2022. This strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”. But government has not improved its cyber resilience fast enough to meet this aim.

One reason for this is shortages of cyber skills within government. In 2023-24:

Ministers are being urged by NAO to produce a cross-department plan for the implementation of the government’s cybersecurity strategy in the next six months, and to close skills gaps within a year.

Gareth Davies, head of the NAO, said: “The risk of cyberattack is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow. 

“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces. 

“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”


The National Cyber Security Centre and the global Five Eyes Intelligence Alliance will participate in Futurescot’s annual Cyber Security conference in Glasgow on February 25.
