Government Agencies Fail to Meet 2025 Cybersecurity Enhancement Goals
In a recent report, auditors have revealed that the British government is unlikely to meet its 2025 target for significantly improving the cybersecurity of civilian IT systems against potential cyber threats. The audit highlights a widespread dependency on legacy systems, which are proving to be detrimental to the overall resilience of government operations.
Documents from 2022 outlined a strategy aimed at upgrading defenses against cyberattacks across critical public sector functions by 2030. However, a report by the National Audit Office (NAO) indicates that progress has stalled, with much of the existing IT budget allocated toward maintaining outdated systems. This emphasis on legacy infrastructure not only siphons resources but also contributes to an overall decline in cyber resilience.
The auditors have noted that nearly half of the current government IT budget is devoted to keeping these legacy systems operational. There are currently at least 228 identified legacy systems in use, with many recognized as highly susceptible to security breaches. Civil servants themselves have indicated that budgets do not support necessary upgrades, and several leaders within departments have not adequately acknowledged the relevance of cybersecurity risks to their strategic objectives.
Moreover, the report discusses a significant surge in cybersecurity incidents throughout 2024, which exposed substantial weaknesses in the UK’s overall cyber defenses. One alarming incident involved a ransomware attack on an IT vendor servicing the National Health Service, resulting in critical blood shortages. The auditors emphasized the serious implications of cyber threats, warning that they pose tangible risks to public safety and can have catastrophic effects on individuals.
Gareth Davies, the head of the NAO, concluded that urgent action is imperative. He stated that to prevent serious incidents and protect operational integrity, the government must enhance its defenses in light of escalating cyber threats. The initial goal of safeguarding critical systems is already beyond reach, and the ambition to strengthen all systems by 2030 is deemed overly optimistic given the current state of affairs.
The auditors’ assessment of critical function systems found that numerous fundamental controls were missing, such as effective asset management and protective monitoring. The NAO suggests that relying on a “secure by design” approach may not deliver results in time to meet the strategy's timelines.
In response, a spokesperson from the Cabinet Office disclosed that efforts to enhance IT security have been ongoing since July 2024, with plans for new legislation aimed at strengthening cybersecurity expected later this year. The proposed Cyber Security and Resilience Bill is set to enforce mandatory measures, including the requirement for critical infrastructure operators to implement regular patching.
Experts in cybersecurity have labeled the report a critical wake-up call for the UK government, stressing that a comprehensive understanding of legacy systems is essential for effective remediation. Oz Alashe, CEO of CybSafe, highlighted the importance of detailed data collection to address existing vulnerabilities, indicating that cybersecurity measures cannot be enhanced without first comprehensively understanding the current landscape.
In terms of the MITRE ATT&CK framework, tactics such as initial access and persistence could potentially be instrumental in exploiting the weaknesses inherent in the legacy systems that government departments rely on. The report serves as a compelling reminder that prompt and decisive action is essential for strengthening cybersecurity infrastructure in the face of evolving threats.