The government’s digital infrastructure is under siege from increasingly sophisticated cyber threats, according to a landmark report, Government Cyber Resilience, published by the National Audit Office (NAO) this morning.
Described as “severe and advancing quickly,” these threats highlight a troubling gap between the rapid evolution of hostile cyber activities and the government’s ability to protect its operations and essential public services.
A central finding of the NAO’s evaluation is that the government’s new cyber assurance initiative, GovAssure, revealed significant gaps in the resilience of critical departmental IT systems. The review, which independently assessed 58 major systems by mid-2024, uncovered fundamental control deficiencies across multiple departments. Furthermore, the government remains unaware of the vulnerabilities present in at least 228 legacy IT systems still in use.
This lack of cyber preparedness poses grave risks. The NAO’s report cited the June 2024 cyber attack on an NHS pathology service supplier in south-east London.
The incident forced two NHS trusts to postpone more than 10,000 outpatient appointments and nearly 2,000 elective procedures, illustrating the real-world consequences of cyber insecurity.
Another case study involved the British Library, which, after a cyber attack in October 2023, incurred £600,000 in recovery costs and continues to spend heavily on rebuilding its systems.
“This skills gap significantly undermines the government’s efforts to keep pace with an increasingly dangerous cyber threat landscape,” said Gareth Davies, head of the NAO. “Without addressing these long-standing workforce shortages, it will be exceedingly difficult to strengthen resilience against attacks.”
In addition to staffing challenges, the report highlighted a lack of clear coordination among government entities responsible for cyber security. The NAO noted that roles and responsibilities remain poorly understood, making it harder to establish a unified approach to risk management. Departmental leaders often fail to see cyber risk as integral to their strategic objectives, further weakening the overall response.
Financial pressures also play a role. Departments reported scaling back cyber resilience programs due to funding constraints. More than half of the government’s legacy IT assets lack fully funded remediation plans, leaving them increasingly exposed. The NAO stressed that under-investment in technology and cyber defences contributed directly to the severity of incidents such as the British Library’s attack.
The NAO’s report offers a series of urgent recommendations. In the next six months, the government must adopt a comprehensive cross-departmental implementation plan for the Government Cyber Security Strategy and clearly outline the structural changes needed to achieve resilience goals. Within the next year, it should also develop and execute plans to close the cyber skills gap across departments.
Geoffrey Clifton-Brown MP, Chair of the Committee of Public Accounts, underscored the gravity of the situation: “We have seen too often the devastating impact of cyber-attacks on our public services and people’s lives. Despite the rapidly evolving cyber threat, government’s response has not kept pace. Today’s NAO report must serve as a stark wake-up call to government to get on top of this most pernicious threat.”
The findings come at a time when the government has set ambitious targets for cyber resilience, aiming to have key government functions “significantly hardened” against cyber attacks by 2025. Yet, the NAO’s analysis makes clear that progress is not on track. With aging systems, a persistent skills shortage, and a lack of coordination, the UK government’s ability to protect its digital infrastructure and the public services it underpins remains in jeopardy.
Davies concluded: “The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly. To avoid serious incidents, build resilience, and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.”
As the government moves forward, the NAO’s report will likely serve as both a sobering reminder of the current vulnerabilities and a blueprint for urgent action. The stakes are clear: without immediate and decisive steps, the UK’s public services and the citizens who rely on them will remain at significant risk.