Governmental Agencies Won’t Meet 2025 Goal of Bolstering Cybersecurity

The British government fell short of its goal of significantly fortifying civilian IT systems to withstand cyberattacks by 2025, warned auditors in a report highlighting that much of officialdom runs on legacy systems.
The United Kingdom vowed in a 2022 strategy for cybersecurity to significantly upgrade the defenses of critical functions against cyberattacks over the next three years. The entire public sector, the strategy said, should be resilient to known vulnerabilities and attack methods no later than 2030.
Not happening, finds analysis by the Government Audit Office in a Wednesday report that lays much of the blame on legacy systems. Data from 2019 shows nearly half of the government IT budget goes to keeping legacy systems running – systems whose presence is actually leading to a degradation in resilience rather than improvements.
“The resilience of the hundreds of ageing legacy IT systems that departments still use is likely to be worse, and departments have no fully funded remediation plans for half of these vulnerable systems,” auditors wrote. As of last March, governmental departments reported relying on at least 228 legacy systems, of which more than a quarter have a high likelihood of experiencing an adverse operational and security incident. Civil servants told auditors they lack the budget to fund improvements, although auditors say that departmental leaders “have not always recognized how cyber risk is relevant to their strategic goals.”
The United Kingdom experienced a spike in cybersecurity incidents during 2024 that laid bare the frayed nature of U.K. defenses. Incidents included a June 2024 ransomware attack on a U.K. National Health Service IT vendor that led to a blood shortage. Auditors warned that cyberattacks can pose “a real risk to public safety and have devastating consequences for individuals” (see: UK Reports 50% Spike in ‘Nationally Significant’ Incidents).
“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces,” said Gareth Davies, head of the National Audit Office.
The 2022 strategy’s first goal of protecting critical systems is already out of reach, auditors say, calling the 2030 goal of ramping up all systems to weather attacks “ambitious.” National security systems were out of scope for the auditors’ review, which examined systems only at the “official” level of classification, the lowest possible.
Auditors say a review of 58 systems underpinning critical functions found “multiple fundamental system controls” lacking, including asset management, protective monitoring and response planning.
An approach for improving cybersecurity that banks on the uptake of secure by design principles won’t pay dividends quickly enough to meet the 2022 strategy’s timeframes, auditors said.
A Cabinet Office spokesperson said the government has been working to bolster its IT infrastructure security since July 2024. A proposed plan includes introducing legislation to bolster cybersecurity later this year. The Cyber Security and Resilience Bill would mandate measures such as mandatory patching for critical infrastructure operators (see: UK Labour Introduces Cyber Security and Resilience Bill).
Security experts called the report a wake-up call for the U.K. government to act promptly.
The government needs better visibility into its legacy systems, said Oz Alashe, CEO and founder of London-based behavioral risk firm CybSafe.
“Without a clear understanding of what those systems are, we don’t know what we don’t know. Starting detailed data collection is a positive step because tackling the problem begins with understanding it,” Alashe said.