Departments have underestimated threat posed by cyberattacks, MPs warn

Centre of government’s grip on state of legacy IT systems is “unacceptable”, Public Accounts Committee says

By Jim Dunton

13 May 2025

Cyberattack risks faced by departments and arm’s-length bodies have grown more rapidly than the government’s capacity to defend critical digital infrastructure, MPs have warned.

Members of parliament’s Public Accounts Committee said evidence now shows that departments have underestimated the severity of the threat faced from hostile states and criminals. They said the Cabinet Office believes “adversaries” are already using artificial intelligence to test government’s cyber defences.

MPs said a “significant gap” now exists between the magnitude of the cyber threat and government’s response – with cyber-resilience levels not good enough to respond and recover effectively even if an incident is detected.

Committee members based their findings on an evidence session with Cabinet Office permanent secretary Cat Little and other senior officials from the department, following a National Audit Office report on cyber resilience published in January.  

The Department for Science, Innovation and Technology is now home to the Government Digital Service. But the Cabinet Office is the base for the Government Security Group, which is responsible for helping departments to improve their cyber resilience and delivering the Government Cyber Security Strategy 2022-2030.  

Departments are responsible for their own cyber resilience and for ensuring that their sectors and ALBs meet strategic resilience targets.

In their report, which was published on Friday, MPs praised the Cabinet Office for the introduction of its GovAssure system for independently assessing the cyber resilience of departments’ critical IT systems.  

However, they noted that a GovAssure assessment of 72 critical systems across 35 organisations last year had found cyber resilience to be “substantially lower” than the Cabinet Office had expected and that “fundamental weaknesses” existed.  

MPs said departments had “multiple fundamental control failures” in risk management and response planning.  

Separately, MPs noted that DSIT’s understanding of legacy IT assets relies on self-assessments by departments.

The committee said DSIT had reported that by January, 28 public sector organisations had identified 319 legacy systems in use across government, with around 25% rated as “red” because of “a high likelihood and impact of risks occurring”.

MPs said DSIT had reported that it did not know how many legacy assets there are in total across government, and that 15% of organisations it spoke to as part of the State of digital government review did not know what the situation is for their own legacy IT.

They said DSIT and the Cabinet Office had reported that information on legacy systems is “not easy to access and was spread across arm’s-length and other public bodies”, and that departments have limited resources to understand and fix legacy systems.

MPs said it is “unacceptable that the centre of government does not know how many legacy IT systems exist in government and therefore cannot manage the associated cyber risks”.

PAC chair Sir Geoffrey Clifton-Brown said a serious cyberattack is not an “abstract event” only affecting the digital sphere. He pointed to an October 2023 attack on the British Library, which is estimated to have cost the organisation £7m so far, as an example of the long-lasting cost and disruption cyberattacks can cause.   

“Government departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling,” he said.

“If the government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.”

Clifton-Brown added that part of the solution would be departments “finally grasping the nettle” and offering competitive salaries to digital professionals – and that the panel was encouraged to hear the Cabinet Office was now thinking along such lines.

“For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere,” he said.  

“Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our committee will continue to scrutinise closely.”

He added: “It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”

Among their recommendations, MPs said that after the conclusion of the 2025 Spending Review, the Cabinet Office should set out what “levers and instruments” the centre of government will use to take a “fundamentally different approach” to cyber resilience.

They also asked the department to set out how many of the digital vacancies in government its centrally led programmes will fill, and how line departments will be supported to plug the remaining gaps in their workforces.

Additionally, the MPs called on the Cabinet Office to set out detailed plans for how it will build on its existing knowledge of legacy IT systems in government – and the “optimal scale and frequency” of assessment work that will be required.

A government spokesperson welcomed the PAC report and said ministers will consider its findings.

“Just this week, we announced action to boost our country’s cybersecurity, helping to grow the economy and create jobs through the Plan for Change,” they said.

“This includes backing for the rollout of cutting-edge CHERI technology which could prevent up to 70% of the most common cyberattacks.

“Last month, we also unveiled details of our cybersecurity and resilience bill which will be introduced to parliament later this year, ensuring our critical national infrastructure and digital economy are better protected and less vulnerable to attack.”
