Government ‘doesn’t know how vulnerable its ancient IT systems are to cyber attack’
The government is unable to find out how vulnerable many of its IT systems are to a cyber attack because of their age, a report has found.
Analysis by the UK’s public spending watchdog has found the cyber threat to the British government is ‘severe and advancing quickly’ – but there are ‘significant gaps’ in its resilience to such attacks.
At least 228 of the IT systems used by government departments are described as ‘legacy’, meaning they are ‘ageing and outdated’, according to the report from the National Audit Office (NAO).
‘Legacy systems are often more vulnerable to cyber attack because their creators no longer update or support their use, few people have the skills to maintain them, and they have known vulnerabilities,’ it says.
The assessment from the NAO, the UK’s public spending watchdog, aimed to work out the risk of the government falling prey to an attack of the kind that brought the British Library to its knees in 2023.
Within six months of the ransomware attack, the library reported the costs directly related to it had reached £600,000. Its impacts are still felt today.
The use of legacy IT systems by the library was highlighted by the NAO as a major factor in the sheer scale of the pain inflicted by the hackers.
Between September 2023 and August 2024, there were 430 incidents managed by the National Cyber Security Centre, the report said – with 89 of those assessed as ‘nationally significant’.
‘Highly capable state and state-aligned actors, including from China, Russia and Iran, are using increasingly sophisticated methods to carry out malicious cyber activity,’ the NAO found.
The watchdog said one reason for the slow pace of improvement in the government’s IT defences was a shortage of staff, with one in three cyber security roles either vacant or filled by temps.
Departments told the report’s authors that recruitment processes and meagre salaries are among the barriers to hiring and keeping talent.
The government said many of the issues raised by the NAO were also spotted in the Department for Science, Innovation and Technology’s review into the State of Digital Government last week.
DSIT is also set to introduce a new Cyber Security and Resilience Bill to parliament later in the year, which it says will make the whole of British society – including important infrastructure – less vulnerable to attacks.
A government spokesperson said: ‘Since July, we have taken action to repair cyber defences neglected by successive governments – introducing new legislation to give us powers to protect critical national infrastructure from cyber attacks, delivering thirty new regional cyber skills projects to strengthen the country’s digital workforce, and merging digital teams into one central Government Digital Service led by the Department for Science, Innovation and Technology.
‘And last week we went further, announcing plans to upgrade technology across Government, both strengthening our defences against attack and transforming public services as part of the Plan for Change.’