MoD cybersecurity worst in Whitehall, figures reveal
'Utterly unacceptable' says MP
The UK Ministry of Defence has by far the worst protected IT systems of any Whitehall department, with 11 "red-rated" systems.
A red rating is the lowest possible security score, signifying that the system is "at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe." Systems generally fall into the red-rating category because of the presence of out-dated or legacy components.
For comparison, the next most vulnerable technology belongs to the Department for Work and Pensions, which had six red-rated systems. Thirty-four systems across government departments are red-rated.
The figures were released to Parliament following a question by Matt Rodda, Labour MP for Reading East and shadow minister for AI and intellectual property, who asked about the number of red-rated systems across Whitehall departments.
As reported by the Daily Telegraph, in response to the data, Rodda said: "The scale of this problem is utterly unacceptable. The Ministry of Defence, the department chiefly responsible for the security of Britain, should simply not have this many critical failures in its systems. We can't even get the basics right."
His assessment was backed up by Conservative former defence minister Tobias Ellwood and former armed forces minister Mark Francois, both of whom called for an urgent review.
The findings come after a highly critical report by the Joint Committee on the National Security Strategy titled A hostage to fortune: ransomware and UK national security, which found that "large swathes of UK critical national infrastructure (CNI) remain vulnerable to ransomware, particularly in sectors still relying on legacy IT systems."
It added: "Given the poor implementation of existing cyber resilience regulations, the Government should scope the feasibility of establishing a cross-sector regulator on CNI cyber resilience."
The report, released in December, singled out the Home Office for criticism, saying the former home secretary Suella Braverman had shown "no interest in the topic".
Recent years have seen a steady stream of negative stories about MoD cybersecurity, including the compromise of a supplier by Russian ransomware operatives LockBit, a National Audit Office report saying that outdated IT systems at the MoD could lead to supply problems for frontline troops, and a fine for a data breach that could have cost the lives of Afghans working with UK forces.
Describing the revelation that the MoD has the worst protected IT systems as "extremely worrying", Jake Moore, global cybersecurity advisor at security vendor ESET, said that while upgrading legacy systems is onerous and expensive, it's an issue that cannot be avoided.
"Costs are often seen as the reason behind a slower uptake on such fixes," he said. "But now it is seen as a serious risk, it should hopefully be recognised as essential investments in national security and a critical step towards safeguarding the country's digital infrastructure."