The government is under-prepared for a catastrophic cyber attack and still dogged by legacy IT, but making progress, the Public Accounts Committee of the House of Commons has heard.

The committee, chaired by Geoffrey Clifton-Brown, Conservative MP for North Cotswolds, took testimony on 10 March from four high-ranking government IT leaders about the cyber resilience of Whitehall departments. This followed the publication, in January, of a report by the National Audit Office (NAO), which found government cyber resilience lacking, weakened by legacy IT and skills shortages, and facing mounting threats.

In its Government cyber resilience report, the public spending watchdog warned that the cyber threat to the UK government is “severe and advancing quickly”. It found that 58 critical government IT systems, assessed in 2024, had significant gaps in cyber resilience, and the government does not know how vulnerable at least 228 “legacy” systems are to attack.

The NAO noted that the government's cyber assurance scheme, GovAssure, found significant gaps in cyber resilience, with multiple fundamental system controls at low levels of maturity across departments. GovAssure assesses the critical systems of government organisations. It was set up in April 2023.

The question, according to the report under review at the PAC session, is no longer if the government will face a damaging cyber attack, but how severe the impacts may be, as the sophistication and number of attacks continues to rise.

As the government's operations are digitised, so too does the severity of potential impacts resulting from cyber attacks increase. In an effort to combat this, the government published a Cyber Security Strategy in 2022, which set out plans to make the public sector resilient to cyber attacks by 2030. The PAC chair said the committee would look at “how the government understands the severity of the cyber It can best achieve the aim of the strategy, and build the government's resilience to cyber attacks”.

Testifying before the committee were: Cat Little, Chief Operating Officer for the Civil Service and Permanent Secretary to the Cabinet Office; Vincent Devine, Government Chief Security Officer and Head of the Cabinet Office's Government Security Function; Joanna Davinson, Interim Government Chief Digital Officer at the Department for Science, Innovation and Technology; and Bella Powell, Cyber Director of the Cabinet Office's Government Security Group.

One matter of concern to the MPs on the committee is the lack of visibility civil servants seem to have of the very number of government IT systems, spread across departments and “arm's-length bodies”, and to what extent they are “legacy” systems especially vulnerable to cyber attack.

Clive Betts, Labour MP for Sheffield South East, said: “This is quite a critical issue. This is about the threat from potential cyber attack that could be launched against a legacy system, and we don't have what kind of what the systems are to begin with.”

Davinson responded: “It's not a simple, ‘What's the list?’ We've asked that question of departments, and have had responses through our legacy risk framework. We've got that understanding and we are continuing to expand that out to other organisations. [But] it's not a resource-free exercise.”

Little added: “What this part of our discussion really brings to light is that government, in a period of scarce resources, has got to make prioritised decisions based on risks and how much assurance And it's for the government to set its appetite, and to use that risk appetite and information to allocate resources accordingly.

“We've made huge progress in understanding the most significant issues that we've got [in terms of legacy], and whilst it's not every single system, it is the vast majority … [and] we're using both GovAssure and our technical expertise in legacy IT to set out for ministers the choices about risk and how much risk they want to buy out. That is the fundamental question. If you've got x billion pounds available to fund people, resources, skills, to remediate legacy IT, and to invest in new technology, how you use your allocative resource has got to be risk based, got to be outcome based. The whole point of the spending review process is to bring outcomes and risks together so that ministers can make a funding allocation choice.”

Powell said: “We are ramping up the number of systems that we're looking at. We are not doing that in an exponential fashion, but I think it's also worth noting we launched it in April 2023 following some early pilots with departments [when] it was still at an early-stage assurance process.

“There is much more that we can and need to do, particularly in terms of automation of that process, in terms of providing stronger support and guidance to departments in implementing it, and also in the root causes to better understand the data that we are gathering from that process. It is by no means a finished product, it is by no means a perfect product, but what it's already starting to do is give us the outcomes that we need in terms of understanding resilience Take action.”

MPs were also concerned about the extent to which the government has, as the NAO report states, under-estimated the extent of cyber risk.

Devine was candid in relation to the lateness of the introduction of GovAssure in April 2023. “We were probably unrealistic in relying upon self-assessment [of government departments],” he said.

“Despite recognising this in 2010, starting to invest money significantly in 2016, we didn't ramp up the government response to cyber security from assurance through to response Have, in retrospect. Why? Because I don't think we were as alive to the threats as we should have been, and probably trust we had the incidents that brought it to life for us that we and our allies have had Years. It's not a good answer, but it is the true answer,” Devine added.

To that, Little added: “It's really difficult to go back in time to our predecessors. Like all good risk management, you manage risks as best you can until they become an issue. When they become an issue, and they're live and they're real, you step up your response…. We've always known about the risks, but it wasn't until it is a real, live issue that the scale of what we were dealing with became clear, and it needs a different sort of response.”

The original NAO report gave, as an example of how damaging cyber attacks can be, the instance, in June 2024, of an attack on a supplier of pathology services to the NHS in south-east London, which led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures. It also cited the British Library ransomware attack in October 2023, which has already cost £600,000 to rebuild services. The library expects to spend many times more as it continues to recover. These were mentioned in the PAC session.

The report found that the biggest risk to making the UK government resilient to cyber attack is a gaping skills gap. One in three cyber security roles in government was vacant or filled by temporary (and more expensive) staff in 2023-24, while more than half of cyber roles in several departments were vacant, and 70% of specialist security architects were staff on temporary contracts.

In the Public Accounts Committee meeting, Little said she was sad to see a continued over-reliance on contractors, but that initiatives such as a Cyber Security Fast Stream and a new “digital pay framework” were “starting to have an impact”.

Powell added that the overall number of digital technology professionals in the civil service has grown, and stands at nearly 6%. “It's not as much as we'd like it to be. We are struggling with the very technical resources, and that's a market problem – they are scarce in the private sector as well as in the public sector,” she said.
