Cyber threats to UK Government ‘severe and advancing quickly’, watchdog says
The UK Government is under pressure to improve its defence capabilities after finding its cyber resilience levels are “lower” than estimated.
The National Audit Office (NAO) has said the threat of cyber-attacks on Whitehall is “severe and advancing quickly”, with multiple outdated IT systems in use and attacks “likely to happen regularly”.
The spending watchdog warned ministers to take the report as a “wake up call” to fix the cyber skills crisis and “significant gaps” in cyber resilience.
The NAO revealed more than half of the roles in several departments’ cyber security teams were vacant last year, and 228 “legacy” IT systems were still in operation as of March 2024.
The report comes amid a cybersecurity crisis across the UK, with public services being a target for high-profile attacks. Last month, the Ministry of Defence was hit by an attack which led to the passwords of almost 600 employees being leaked on the dark web, while last summer thousands of patient appointments were cancelled after cybercriminals targeted two London NHS trusts.
North of the border, there has also been a rise in cyber breaches, including last year’s attack on NHS Dumfries and Galloway, which saw a “large volume” of its data published on the dark web.
Between September 2023 and August 2024, the National Cyber Security Centre (NCSC) managed more than 400 cyber incidents because of their potential severity, of which 89 were considered to be “nationally significant”.
And last month the NCSC sounded a note of caution on the rising threat of cybercrime, pointing to a “widening gap between the increasingly complex threats and our collective defensive capabilities in the UK, particularly around our critical national infrastructure”.
The NAO report warned officials that progress was “slow” and that “cyber incidents with a significant impact on government and public services are likely to happen regularly”.
Head of NAO Gareth Davies said: “The risk of cyber-attacks is severe, and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.
“The government will continue to find it difficult to catch up until it successfully addresses the long-standing shortage of cyber skills, strengthens accountability for cyber risk, and better manages the risks posed by legacy IT.”
Tory MP Geoffrey Clifton-Brown, who chairs the public accounts committee, said the government had “not kept pace” with the “rapidly evolving cyber-threat”.
He added: “Poor coordination across government, a persistent shortage of cyber-skills and a dependence on outdated legacy IT systems are continuing to leave our public services exposed. Today’s NAO report must serve as a stark wake-up call to government to get on top of this most pernicious threat.”
Improving cyber resilience was a key part of Labour’s legislative plans for 2024-2025, with the King’s Speech announcing a Cyber Security and Resilience Bill to strengthen the UK’s defences and protect public services. However, the bill is yet to be introduced to parliament.
Holyrood has contacted the UK Government for comment.