Cyber threats: Government defences have been outpaced by hostile states and criminals

9 May 2025

Government resilience to cyberattack far from where it needs to be as PAC calls for details of fundamentally different approach to meet aim of shielding wider public sector by 2030.

Government defences have not kept up with the severe and rapidly evolving cyber threat. In a report on cyber resilience, the Public Accounts Committee (PAC) is warning that hostile states and criminals have developed their capability to disrupt public services and critical national infrastructure faster than government expected.

Alarmingly, the government estimates that risky ‘legacy’ IT systems make up 28% of the public sector’s IT estate, and substantial gaps still remain in its understanding of the estate’s resilience to attack. By January 2025, 319 legacy systems had been identified as in use across government, and around 25% of these were ‘red’-rated as having a high likelihood and impact of risks occurring; but government does not know how many legacy systems there are in total.

The Cabinet Office, which is responsible for leading on implementing the government’s cyber security strategy, acknowledged to the PAC’s inquiry that there is now a significant gap between cyber threat and government’s response to it. It also stressed the importance of resilience, so that even if government does not detect an incident it is still able to respond and recover effectively. Government’s current cyber resilience levels are not good enough to do this, according to the Cabinet Office. The report finds that government’s cyber resilience is far from where it needs to be as Departments have underestimated the severity of the threat, having not until recently been given a clear picture of it and what they should do about it by the Cabinet Office. Funding and prioritisation decisions in Departments have not reflected the urgency of the issue.

The resilience of Departments’ critical IT systems is now independently verified, in a positive move by the Cabinet Office – but the report warns this has shown that Departments' cyber resilience is lower than expected and has fundamental weaknesses. Government’s work to date has not been sufficient to meet its own aim of “critical functions [being] significantly hardened to cyberattack by 2025.” The very ambitious aim for the whole of government and wider public sector to be "resilient to known vulnerabilities and attack methods no later than 2030" is only achievable with a fundamentally different approach in future.

Government finds it hard to compete with the private sector for the best talent in cyber security. This is in part because it has not been willing to pay market-rate salaries, which would save money over the longer term compared to using contractors, especially if it helps to reduce risk. While government has successfully expanded its digital profession to 23,000 people, or 6% of the total civil service, one in three cyber security roles in central government are vacant or filled by expensive contractors. Improvements could also be made in diversity in the cyber security community; only 20% of such professionals in government are women. The amount Departments can pay cyber security professionals is set to increase, and the Committee’s report calls on the Cabinet Office to set out how many of the cyber vacancies in government its interventions will fill.

Chair comment

Sir Geoffrey Clifton-Brown MP, Chair of the Committee, said: “Government Departments are beginning to wake up to the serious cyber threat they face. It is positive to see independent verification now in place to gain a better picture on critical systems resilience. Unfortunately, this has only served to confirm that our battlements are crumbling. A serious cyberattack is not some abstract event taking place in the digital sphere. The British Library cyberattack is a prime example of the long-lasting cost and disruption that these events can cause. Hostile states and criminals have the ability to do serious and lasting harm to our nation and people’s lives.

“If the Government is to meet its own ambition to harden resilience in the wider public sector, a fundamental step change will be required. This will involve infusing every top team with the required digital expertise, with cyber and digital specialists at the top level of every department, both management and boards to bring about a change in thinking throughout the civil service for greater threat awareness and digital transformation.

“Part of this will be government finally grasping the nettle on offering competitive salaries for digital professionals, and we were encouraged to hear the Cabinet Office thinking in these terms. For too long, Whitehall has been unwilling to offer attractive remuneration for experts who are able to secure high-paid work elsewhere. Making sure that the right people are in the right jobs to defend the UK against this serious threat, and reducing the use of expensive contractors at the same time, is clearly sound value for money. This is an issue our Committee will continue to scrutinise closely. It must not take a devastating attack on a critical piece of the country’s infrastructure for defensive action to be taken.”
