UK ‘falling significantly behind’ cybersecurity goals, NAO
2025 resilience targets unlikely to be met even by 2030
The UK is falling significantly behind on its 2022 Cyber Security Strategy to harden important systems against cyberattacks by 2025.
A highly critical report by the National Audit Office (NAO) says that even meeting those targets by 2030 would be "ambitious".
The report focuses on the resilience of ministerial and non-ministerial departments' IT systems, and those of their arm's-length bodies, with "official" security classification, rather than local government or businesses.
In 2023 and 2024, Government departments identified 72 IT systems critical to running the most important services. Independent cybersecurity reviewers subsequently found "significant gaps" in 58 of these.
“The data highlighted multiple fundamental system controls that were at low levels of maturity across departments including asset management, protective monitoring, and response planning,” the report notes.
“The government does not have a detailed understanding of the resilience of its legacy IT systems,” it adds.
The government estimated that it used nearly half of its £4.7 billion IT expenditure in 2019 to keep legacy systems running, but the security of those systems is poor.
Of 228 legacy systems identified, 63 were rated red, signifying a “high likelihood and impact of operational and security risks occurring”.
A primary cause of the malaise is a shortage of cybersecurity professionals within government.
The government finds it difficult to recruit and retain enough people with cyber skills and to upskill its existing workforce. The report notes that one in three cyber roles in central government was either vacant or filled by temporary staff, at considerable cost to taxpayers. In some departments cyber vacancies are as high as 50%.
Pointing to recent attacks on public bodies including the MoD, the NHS, the Electoral Commission and Parliament, the report says departments have not taken sufficient ownership or accountability for cyber resilience risk, and have failed to share information efficiently.
The NAO recommends the urgent adoption of a cross-government plan to implement the Cyber Security Strategy, bolster legacy IT and tackle the cyber skills gap.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces,” it says.
“The government will continue to find it difficult to do so until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”