Cyberattacks will continue disrupting UK public services if the government doesn’t U-turn on a ‘severe underestimation’ of its vulnerabilities, a group of MPs has warned in yet another damning report on the issue.

The Public Accounts Committee (PAC) found “substantial gaps” in the public sector’s resilience to a cyber attack, citing a hoard of legacy systems and poor security culture leaving the government “far from where it needs to be” on cybersecurity.

The committee’s report said: “There is now a substantial gap between the threat and the government’s ability to respond. Cyber attackers are already disrupting public services, and will continue to do so without significant improvements to government’s resilience.”

As a result, it deemed the Cabinet Office’s plan for the whole of government to be resilient to known threats by 2030 “very ambitious”, and said the office had admitted it did not even expect critical functions to be “significantly hardened” by the end of this year, as it had planned.

“Unacceptable” lack of oversight

While the committee praised an investigation into the resilience of the Cabinet Office’s “critical IT systems”, it expressed alarm that similar work was not being carried out for the legacy systems believed to make up 28% of the public sector’s IT estate.

PAC heard that government departments have self-identified 319 legacy IT systems across their operations but said it was “unacceptable” the Department for Science, Innovation and Technology (DSIT) did not have a concrete figure.

A “more complete and reliable assessment” of the issue was needed if the government was to take “informed decisions about funding, prioritisation and risk”, it said.


This lack of oversight also extended to the “complex and difficult” job of managing the sector’s IT supply chain, with departments telling PAC they did not have the funding or resources to understand resilience across their sectors.

In his written evidence, Professor of Cybersecurity Daniel Dresner said the “adversarial relationships” between government and its suppliers left its systems “in the shadow of genuinely malevolent adversaries” more willing to collaborate “toward mutual goals.”

A shortage of skills

One of the least surprising points made by PAC was the government’s inability to keep pace with the private sector on hiring staff with the “technical cyber skills” it needs, “in part because it has not been willing to pay market-rate salaries.”

The committee noted it had “frequently reported on” the issue and seen little improvement, with a third of cyber roles unfilled or covered by expensive contractors despite the Prime Minister’s claim he would get “the best of the best on AI working across government.”

The PAC MPs recognised the work by the Cabinet Office and DSIT to raise salary levels for cyber professionals, but said the government could actually save money spent on contractors if it just paid market-rate salaries in the first place.


Overall, the “funding and prioritisation decisions” made by departments had failed to reflect the urgency of their cybersecurity issues, PAC said, describing a poor culture across government that also led to a lack of data sharing and inability to “defend as one.”

Chris Dimitriadis, chief global strategy officer at IT governance association ISACA, said the government should follow industry and push a “cultural shift towards cybersecurity as an enterprise-wide issue” from the top-down.

“Adversaries can attack any area of the businesses, and everyone should be equipped to identify and report suspicious activity,” he said.

What can be done?

While the problems outlined in PAC’s report are vast, the MPs involved made a number of recommendations for the government to turn around its poor efforts.

Targeting its comments at the Cabinet Office, the committee said that following the 2025 spending review, it should outline the “levers and instruments” it will use to “take a fundamentally different approach to cyber resilience.”

The Cabinet Office should also ensure all departments understand the cyber risks in their supply chains and improve accountability by hiring “appropriately experienced” CIOs and CISOs to create a strong cyber security culture.

PAC called for an assessment of the government’s approach to the changing cyber risks within a year and said the Cabinet Office needed to set out its support for filling remaining cyber vacancies.

So will anything change? Andrew Churchill, policy director at The CSBR policy centre, which gave evidence for the report, struck a less than optimistic tone in his response to The Stack but had some faith.

He cited evidence CSBR presented to DSIT in 2023 on its vulnerabilities and “the need for government to adopt financial services industry best practice, yet the DSIT persists with probably not 'good practice'.

“We hope that the forthcoming Cyber Security and Resilience Bill can finally reverse this approach.”
