The UK Government is at “critical risk” of cyber attack and is not able to keep up with rapidly evolving threats from hostile states.
Four senior Cabinet Office officials have said years of inactivity, underfunding, and recruitment problems have exposed the UK to a growing threat of cyber warfare from hostile states and international criminals.
As part of a parliamentary probe into UK resilience, the officials said government departments are languishing with vulnerable legacy IT systems and a lack of expertise in how to defend themselves.
Bella Powell, cyber director at the Government Security Group (GSG) – a small taskforce within the Cabinet Office aimed at protecting government departments – said resilience levels across the UK are “substantially lower” than anticipated, while the “escalating threat” from hostile states such as Russia and China has become a “substantial risk”.
She added: “The sum total is that we are at critical risk at the moment.”
Cat Little, the Permanent Secretary at the Cabinet Office and chief operating officer of the Civil Service, said officials are “running against the tide” to fill the gap between the threat from cyber attacks and UK defences.
“In order to keep pace, we are having to work twice or three times as hard to evolve and constantly be as on the front foot as possible, but my honest assessment is that there always will be a gap,” she said.
The comments came during an evidence session at Parliament’s Public Accounts Committee (PAC) scrutinising the UK’s preparedness for a catastrophic cyber attack. The session examined the findings of a 2024 report on the issue by the National Audit Office (NAO) which found UK resilience lacking on several fronts.
Giving evidence in the session, head of the government’s chief security office, Vincent Devine, said “we should be extremely worried” because the UK has not been “as alive to the threat as we should have been”, despite recognising the issue more than a decade ago.
He said: “Government departments have faced a lot of demands over the last 10 years. Probably we did not prioritise cyber security sufficiently, and it was not brought alive to us by serious incidents in the way that it has been in recent years.”
David Omand, the former head of the Government Communications Headquarters (GCHQ), told The i Paper that Cabinet Office officials were right to highlight the cyber risk to government systems from hostile state attack.
He said: “It is all of us that will suffer from that lack of resilience in systems on which we depend. But the same is true of known resilience gaps in the wider critical national infrastructure controlled by the private sector, and in our continuing everyday vulnerability to criminal attacks including ransomware.
“It is time for cyber security to rise up the agenda as a business issue for all organisations, public, private and not-for-profit.”
It comes after a year of significant increase in cyber warfare incidents from international criminals and hostile states on UK critical services and businesses. Last year, a catastrophic cyber attack on the NHS caused over 10,000 appointments and operations to be cancelled.
Months later, the UK ambulance service was targeted by Russian hackers, risking disruption to their communication systems. Similar incidents have impacted government departments, including the Foreign Office and the Ministry of Defence.
The i Paper revealed the attacks were the work of a Kremlin-protected group of cyber hackers in what has been seen as a “major escalation” of cyber warfare tactics by Moscow.
Intelligence sources have long warned the UK is “running blind” on cyber resilience, but the recent admissions by Government officials have brought the scale of the challenge into focus.
As tensions in Europe increase over the war in Ukraine, Russia’s hybrid war on the West has intensified.
During an October speech, the director-general of MI5, Ken McCallum, announced that Russia was on a mission to cause “mayhem” across the UK and we should “expect further testing – and in places defeating – of the West’s cyber defences”.
Powell, cyber director at the GSG, told the PAC that Russia and China pose “substantial risks” to the UK with significant concerns about espionage and data exfiltration activities by the GRU, Russia’s main intelligence agency, and disruptive campaigns from Chinese state actors.
Devine added the threat had “grown and evolved” in the past three years – a subtle nod to the start of the Ukraine war. Hostile states, he added, have developed their capability more rapidly, and become more “aggressive and careless” in their attacks.
“We have been principally concerned in the past about the loss of Government information—classic espionage—or about cyber crime, which again is information based,” he said. “We are now also worried about the risk of disruption of essential services.”
A former Government cyber security official said “it’s always been known” that the intent of hostile actors can change and evolve, but added there “wasn’t really any preparation for that.”
“With Ukraine, the idea of any leverage over Russian-speaking organised crime groups or Russian state actors evaporated overnight. Three years later and there is no real response.”
Recruitment
Competing against private industry in a market offering much higher salaries than the civil service can provide, government cyber expertise has fallen short.
The NAO report found that skills gaps posed the “biggest risk” to UK cyber resilience, with one in three cyber security roles in government vacant or filled by temporary staff in 2023-24.
Little told the PAC there are “significant vacancies” across government, and said she was “saddened” by an over-reliance on contractors and external staff.
The Government recently introduced a new digital pay framework, designed to be more competitive with private industry. However, Little said there are still “very scarce” competitive salaries in a “very hot market.”
“We have got to pay these people more,” she said. “If we are going to deliver on our ambitions, we need the leadership and the technical expertise there to do it.”
Legacy IT
A major weakness in UK defences against cyber attacks is the Government’s use of legacy IT systems – outdated computing software that doesn’t allow for growth.
These systems are deemed a potential vulnerability because their defences are perceived as impossible to update, increasing fears they could provide backdoors into Whitehall for hackers.
The PAC heard that, as of January, there were 319 Legacy IT systems still running across government, and “almost a quarter” of them were “red-rated” – deemed the highest risk of attack, operational failure, or inability to meet departmental objectives.
Joanna Davinson, Interim Government Chief Digital Officer at the Cabinet Office, said that almost a third of public sector IT is classed as legacy with 15 per cent of organisations not aware of the risks their system poses.
Little said that the gap in awareness was “not acceptable”, adding that more funding was needed from central government to update systems.
“What this part of our discussion really brings to light is that the Government, in a period of scarce resources, have to prioritise decisions based on risks and how much assurance is desired,” she said.
Lauren Edwards, a Labour MP and member of the PAC, called on the Prime Minister to view cyber resilience as part of the UK’s defence strategy.
She told The i Paper: “The Cabinet Office has a big job on its hands. The international political landscape is unsettled and changing swiftly – the Government must make it a top priority to ensure that all departments are resilient enough to withstand growing cyber-attacks from hostile nation-state actors as well as criminals.
“Cyber resilience needs to be viewed as a crucial part of the UK’s defence strategy, with strong messages from the Prime Minister down.
“An urgent priority is to attract cyber specialists onto the government payroll and to have in place a plan to develop these skills in our young people. There will be a cost to this – but the cost of failing to improve our government’s cyber defences could be so much more in the long run.”